Vidéo pédagogique
Notice
Sous-titrage
Anglais
Langue :
Anglais
Crédits
Irene Marquez-Corbella (Intervention), Nicolas Sendrier (Intervention), Matthieu Finiasz (Intervention)
Conditions d'utilisation
Ces ressources de cours sont, sauf mention contraire, diffusées sous Licence Creative Commons. L’utilisateur doit mentionner le nom de l’auteur, il peut exploiter l’œuvre sauf dans un contexte commercial et il ne peut apporter de modifications à l’œuvre originale.
DOI : 10.60527/fhbd-b709
Citer cette ressource :
Irene Marquez-Corbella, Nicolas Sendrier, Matthieu Finiasz. Inria. (2015, 5 mai). 3.8. Becker, Joux, May, and Meurer Algorithm , in 3: Message Attacks (ISD). [Vidéo]. Canal-U. https://doi.org/10.60527/fhbd-b709. (Consultée le 3 août 2024)

# 3.8. Becker, Joux, May, and Meurer Algorithm

Réalisation : 5 mai 2015 - Mise en ligne : 20 février 2017
• document 1 document 2 document 3
• niveau 1 niveau 2 niveau 3
Descriptif

Now in session 8, we willpresent yet another evolution of information set decoding. Before presenting thisimprovement, we will first improve the Birthday Decodingalgorithm what I call a Further Improvement of Birthday Decoding. I will consider thetwo following lists. The difference betweenthose two lists and those we had before is the + ɛ that youcan find in the weight of the errors e1 and e2. Those lists depend onanother parameter ɛ. What is the meaningof that parameter? Well, the idea is thefollowing: if you add two words of weight w/2 and length n, you expect that you obtain a sum of weight w-(w²/2n). That is, in fact, thatyou expect that those two words have w²/4nnon-zero positions in common. Now, if we shift things a little bit and if wechoose ɛ such that ɛ = (w/2+ɛ)²/n, then two words of weight (w/2) + ɛ and length n are expectedto have ɛ non-zero positions in common and a sum ofweight w which is the target weight of oursyndrome decoding problem. Note that in additionto the above property with a non-zero valueof ɛ, (w,w/2)*(n-w,ɛ) different ways to write aword of weight w, a word e, as a sum of twoerror patterns e1 and e2 of weight (w/2)+ɛ, that is, thenumber of representation will increase. All of this togetherallows us to give that claim. If we choose 2^r and ɛ as described here, then anysolution e to our problem is represented in theintersection of the two sets above with the probability 1/2. And if we do that andimplement the Birthday Decoding with those two lists, theworkfactor will simplify, if I may say, into the following formula which is true up toa polynomial factor. And, I'm not going toexplain why it is a polynomial factor now and ratherthan a constant factor. Improving BirthdayDecoding has an impact on the May, Meurer and Thomaealgorithm we have just seen. Instead of the formula wehave here, in green, that is true up to a constantfactor, by using the Further Improved Birthday Decoding,we could obtain this formula which is better for anyvalue of the parameter, which is true up to a polynomial factor. This idea and thisimprovement is the embryo of the next improvement ofinformation set decoding. This improvement is due toBecker, Joux, May and Meurer. And the idea is to let ɛ, that is the increase in theweight of the half error patterns. We let ɛ grow beyond the optimal valuethat is much beyond w²/4n. If we do that and theworkfactor of the Birthday Decoding becomes this formula with L equal to the list size and2^r is the number of representative which isgiven by the formula here. We may also write theformula in the following form introducing the value μ which is the probability thatis described on the slide.

Intervention
Thème
Documentation

## Dans la même collection

• Vidéo pédagogique
00:06:36

### 3.6. Stern/Dumer Algorithm

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, we will present the Stern algorithm for decoding. In fact, the idea is to combine two algorithms that we have seen before, the Lee and Brickell algorithm and the Birthday Decoding.

• Vidéo pédagogique
00:03:57

### 3.1. From Generic Decoding to Syndrome Decoding

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

Welcome to the third week of the MOOC on code-based cryptography. This week, we will learn about message attacks. Among the ten sessions of this week, the first six will present the most essential

• Vidéo pédagogique
00:08:36

### 3.10. Decoding One Out of Many

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

The final session of this week is devoted to Decoding One Out of Many. Decoding One Out of Many is interested in solving the following variant of Syndrome Decoding. In this variant, the only

• Vidéo pédagogique
00:05:29

### 3.4. Complexity Analysis

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, I will present the main technique to make the analysis of the various algorithms presented in this course. So, Information Set Decoding refers to a family of algorithms which is

• Vidéo pédagogique
00:07:27

### 3.7. May, Meurer, and Thomae Algorithm

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

So, with the session 7 we are entering the most advanced part of that course. The idea of what I called the  Improved Birthday Decoding is to use the so-called "representation technique" introduced

• Vidéo pédagogique
00:05:16

### 3.2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, I will detail two combinatorial solutions to the decoding problem. The first one is the Exhaustive Search. To find our w columns, we will simply enumerate all the tuples j1 to jw

• Vidéo pédagogique
00:03:07

### 3.5. Lee and Brickell Algorithm

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this fifth session, we will study a variant of information set decoding proposed by Lee and Brickell. So, the main idea consists in relaxing the Prange algorithm to amortize the cost of the

• Vidéo pédagogique
00:08:26

### 3.9. Generalized Birthday Algorithm for Decoding

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

The session nine is devoted to the application of the Generalized Birthday Algorithm to decoding. The Generalized Birthday Algorithm was presented by David Wagner in 2002, in a more general

• Vidéo pédagogique
00:03:11

### 3.3. Information Set Decoding: the Power of Linear Algebra

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this third session, we will present the most important concept of the week: Information Set Decoding. The problem of decoding is not only a combinatorial problem. Because we are dealing with

## Avec les mêmes intervenants et intervenantes

• Vidéo pédagogique
00:05:27

### 4.6. Attack against GRS codes

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session we will discuss the proposal of using generalized Reed-Solomon codes for the McEliece cryptosystem. As we have already said, generalized Reed-Solomon codes were proposed in 1986 by

• Vidéo pédagogique
00:07:11

### 5.5. Stern’s Zero-Knowledge Identification Scheme

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, we are going to have a look at Stern’s Zero-Knowledge Identification Scheme. So, what is a Zero-Knowledge Identification Scheme? An identification scheme allows a prover to prove

• Vidéo pédagogique
00:04:03

### 4.9. Goppa codes still resist

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

All the results that we have seen this week doesn't mean that code based cryptography is broken. So in this session we will see that Goppa code still resists to all these attacks. So recall that

• Vidéo pédagogique
00:03:56

### 4.4. Attack against subcodes of GRS codes

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, we will talk about using subcodes of a Generalized Reed–Solomon code for the McEliece Cryptosystem. Recall that to avoid the attack of Sidelnikov and Shestakov, Berger and

• Vidéo pédagogique
00:04:51

### 5.3. Attacks against the CFS Scheme

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, we will have a look at the attacks against the CFS signature scheme. As for public-key encryption, there are two kinds of attacks against signature schemes. First kind of attack is

• Vidéo pédagogique
00:05:47

### 4.7. Attack against Reed-Muller codes

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, we will introduce an attack against binary Reed-Muller codes. Reed-Muller codes were introduced by Muller in 1954 and, later, Reed provided the first efficient decoding algorithm

• Vidéo pédagogique
00:05:20

### 5.6. An Efficient Provably Secure One-Way Function

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, we are going to see how to build an efficient provably secure one-way function from coding theory. As you know, a one-way function is a function which is simple to evaluate and

• Vidéo pédagogique
00:04:32

### 5.1. Code-Based Digital Signatures

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

Welcome to the last week of this MOOC on code-based cryptography. This week, we will be discussing other cryptographic constructions relying on coding theory. We have seen how to do public key

• Vidéo pédagogique
00:05:31

### 4.5. Error-Correcting Pairs

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

We present in this session a general decoding method for linear codes. And we will see it in an example. Let C be a generalized Reed-Solomon code of dimension k associated to the pair (c, d). Then,

• Vidéo pédagogique
00:04:41

### 5.4. Parallel-CFS

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, I will present a variant of the CFS signature scheme called parallel-CFS. We start from a simple question: what happens if you try to use two different hash functions and compute

• Vidéo pédagogique
00:06:45

### 4.8. Attack against Algebraic Geometry codes

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In this session, we will present an attack against Algebraic Geometry codes (AG codes). Algebraic Geometry codes is determined by a triple. First of all, an algebraic curve of genus g, then a n

• Vidéo pédagogique
00:08:21

### 5.7. The Fast Syndrome-Based (FSB) Hash Function

Marquez-Corbella
Irene
Sendrier
Nicolas
Finiasz
Matthieu

In the last session of this week, we will have a look at the FSB Hash Function which is built using the one-way function we saw in the previous session. What are the requirements for a

## Sur le même thème

• Conférence
01:00:50

### Des systèmes de numération pour le calcul modulaire

Bajard
Jean-Claude

Le calcul modulaire est utilisé dans de nombreuses applications des mathématiques, telles que la cryptographie. La réduction modulaire dans un contexte très général est coûteuse, car elle n

• Conférence
01:05:05

### Projection methods for community detection in complex networks

Litvak
Nelly

Community detection is one of most prominent tasks in the analysis of complex networks such as social networks, biological networks, and the world wide web. A community is loosely defined as a group

• Conférence
00:18:39

### Lara Croft. doing fieldwork under surveillance

Dall'Agnola
Jasmin

Lara Croft. Doing Fieldwork Under Surveillance Intervention de Jasmin Dall'Agnola (The George Washington University), dans le cadre du Colloque coorganisé par Anders Albrechtslund, professeur en

• Conférence
00:20:04

### Containing predictive tokens in the EU

Czarnocki
Jan

Containing Predictive Tokens in the EU – Mapping the Laws Against Digital Surveillance, intervention de Jan Czarnocki (KU Leuven), dans le cadre du Colloque coorganisé par Anders Albrechtslund,

• Conférence
00:22:25

### Inauguration de l'exposition - Vanessa Vitse : Nombres de Sophie Germain et codes secrets

Vitse
Vanessa

Exposé de Vanessa Vitse (Institut Fourier) : Nombres de Sophie Germain et codes secrets

• Conférence
01:06:10

### "Le mathématicien Petre (Pierre) Sergescu, historien des sciences, personnalité du XXe siècle"

Herléa
Alexandre

Alexandre HERLEA est membre de la section « Sciences, histoire des sciences et des techniques et archéologie industrielle » du CTHS. Professeur émérite des universités, membre effectif de l'Académie

• Conférence
00:40:11

### Ivan Murit - Processus de création d'images

Murit
Ivan

Je vais présenter une manière décalée d'aborder les outils d'impression. Pour cela nous ne partirons pas de l'envie d'imprimer une image préexistante, mais d'avant cela : comment se crée une forme

• Conférence
00:21:11

### Retour d'expérience sur l'utilisation croisée de plusieurs archives de fouilles

Tufféry
Christophe

Dans le cadre d'une thèse de doctorat engagée depuis 2019, une étude historiographique et épistémologique des effets des dispositifs numériques sur l'archéologie et sur les archéologues au cours des

• Conférence
01:19:36

### Information Structures for Privacy and Fairness

Palamidessi
Catuscia

Information Structures for Privacy and Fairness

• Documentaire
00:05:52

### Le Creativ’Lab, au cœur de la robotique et de l’intelligence artificielle (ASR N°18 - LORIA)

Hénaff
Patrick
Lefebvre
Sylvain

Le LORIA, laboratoire phare de la Grande Région dans le domaine de l’informatique, propose de rendre la recherche plus ouverte, plus collaborative, plus ambitieuse… en un mot, plus créative, à travers

• Conférence
01:01:22

### AI and Human Decision-Making: An Interdisciplinary Perspective

Castelluccia
Claude

This seminar will talk about some of the privacy risks of these systems and will describe some recent attacks. It will also discuss why they sometimes fail to deliver. Finally, we will also show that

• Cours/Séminaire
00:49:00

### Webinaire sur la rédaction des PGD

Louvet
Violaine

Rédaction des Plans de Gestion de Données (PGD) sous l’angle des besoins de la communauté mathématique.