International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

A Distinguisher for High Rate McEliece Cryptosystems

Authors:
Jean-Charles Faugère
Ayoub Otmani
Ludovic Perret
Jean-Pierre Tillich
Download:
URL: http://eprint.iacr.org/2010/331
Search ePrint
Search Google
Abstract: The purpose of this paper is to study the difficulty of the so-called Goppa Code Distinguishing (GD) problem introduced by Courtois, Finiasz and Sendrier in Asiacrypt 2001. GD is the problem of distinguishing the public matrix in the McEliece cryptosystem from a random matrix. It is widely believed that this problem is computationally hard as proved by the increasing number of papers using this hardness assumption. To our point of view, disproving/mitigating this hardness assumption is a breakthrough in code-based cryptography and may open a new direction to attack McEliece cryptosystems. In this paper, we present an efficient distinguisher for alternant and Goppa codes of high rate over binary/non binary fields. Our distinguisher is based on a recent algebraic attack against compact variants of McEliece which reduces the key-recovery to the problem of solving an algebraic system of equations. We exploit a defect of rank in the (linear) system obtained by linearizing this algebraic system. It turns out that our distinguisher is highly discriminant. Indeed, we are able to precisely quantify the defect of rank for ``generic'' binary and non-binary random, alternant and Goppa codes. We have verified these formulas with practical experiments, and a theoretical explanation for such defect of rank is also provided. We believe that this work permits to shed some light on the choice of secure parameters for McEliece cryptosystems; a topic thoroughly investigated recently. Our technique permits to indeed distinguish a public key of the CFS signature scheme for all parameters proposed by Finiasz and Sendrier at Asiacrypt 2009. Moreover, some realistic parameters of McEliece scheme also fit in the range of validity of our distinguisher.
BibTeX
@misc{eprint-2010-23232,
  title={A Distinguisher for High Rate McEliece Cryptosystems},
  booktitle={IACR Eprint archive},
  keywords={public-key cryptography / public-key cryptography, McEliece cryptosystem, CFS signature, algebraic cryptanalysis, distinguisher.},
  url={http://eprint.iacr.org/2010/331},
  note={ ludovic.perret@lip6.fr 14764 received 4 Jun 2010},
  author={Jean-Charles Faugère and Ayoub Otmani and Ludovic Perret and Jean-Pierre Tillich},
  year=2010
}