Kabatianskii, Krouk and Smeets proposed in 1997 a digital signature scheme based on a pair of random error-correcting codes. A variation of this scheme was proposed recently and was proved to be EUF-1CMA secure in the random oracle model. In this paper we investigate the security of these schemes and suggest a simple attack based on (essentially) Stern's algorithm for finding low-weight codewords. It efficiently recovers the private key of all schemes of this type existing in the literature. This is basically because a code with unusual properties can be defined from the available public data: it has many codewords whose support is concentrated in a rather small subset. In such a case, Stern's algorithm performs much better, and we provide a theoretical analysis substantiating this claim. Our analysis shows that the insecurity of the proposed parameters is related to the fact that the rates of the two random codes used in the scheme were chosen too close to each other. This does not compromise the security of the whole KKS scheme. It just points out that the region of weak parameters is much larger than previously thought.