Vidéo pédagogique
Notice
Sous-titrage
Anglais
Langue :
Anglais
Crédits
Irene Marquez-Corbella (Intervention), Nicolas Sendrier (Intervention), Matthieu Finiasz (Intervention)
Conditions d'utilisation
Ces ressources de cours sont, sauf mention contraire, diffusées sous Licence Creative Commons. L’utilisateur doit mentionner le nom de l’auteur, il peut exploiter l’œuvre sauf dans un contexte commercial et il ne peut apporter de modifications à l’œuvre originale.
DOI : 10.60527/cj79-w443
Citer cette ressource :
Irene Marquez-Corbella, Nicolas Sendrier, Matthieu Finiasz. Inria. (2015, 5 mai). 2.5. Critical Attacks - Semantic Secure Conversions , in 2: McEliece Cryptosystem. [Vidéo]. Canal-U. https://doi.org/10.60527/cj79-w443. (Consultée le 11 juillet 2025)
logo Inria
Inria - Institut national de recherche en sciences et technologies du numérique
S'abonner
Contacter

2.5. Critical Attacks - Semantic Secure Conversions

Réalisation : 5 mai 2015 - Mise en ligne : 20 février 2017
  • document 1 document 2 document 3
  • niveau 1 niveau 2 niveau 3
Descriptif

In this session, we willstudy critical attacks against the public-key cryptosystem.The partial knowledge on the plaintext reducesdrastically the computational cost of the attack to theMcEliece cryptosystem. For example, suppose that theadversary knows r bits of the plaintext. Then the difficulty ofrecovering the remaining k - r
bits in the completeMcEliece with parameters [n, k] isequivalent to that ofrecovering the full plaintext in
the McEliece withparameters [n, k - r]. This is given by this formula.You just need to observethis equation where G_I denotes the restriction of the matrix Gto the rows indexed by I. We study another attack, whichis called the reaction attack. In this attack, theadversary just needs to observe thereaction of thereceiver. So, this attack can be classified as a CCA butwith a weaker assumption.This attack rests uponthe following premise:a decoder will not attemptto correct a vector with t + 1 or more errors. The idea ofthe attack is the following:first of all, an adversaryflips one bit of the ciphertext. Then, the adversarytransmits the flipped ciphertext to the receiver andobserves his reaction. The receiver could havetwo possible reactions.
First reaction: if the flipped bit is an error-free position, thenthe ciphertext will have t + 1errors, so it isuncorrectable. The second reaction: ifi is an error position, thenthe flipped ciphertext willhave t - 1 error, and thereceiver will be able to decrypt it. We repeat this process forevery position until we have retrieved the error pattern. Another possible attack isthe resend-message attack. Note that the encryptionof the same message twice produces two differentciphertext. A message-resend condition can be easilydetected by observing the weight of the sum of the two ciphertexts.
Note that the sum of thetwo ciphertexts is the sum of the two errorvectors, what we have here. But, if the underlyingplaintexts are different, then the expected weight of the sum isabout the dimension of the code. Let

Intervention
Thème
Disciplines :
Documentation
Support de présentation au format PDF

Dans la même collection

Voir tout

Avec les mêmes intervenants et intervenantes

Sur le même thème