Solving simultaneous modular equations of low degree
SIAM Journal on Computing - Special issue on cryptography
Secure Integration of Asymmetric and Symmetric Encryption Schemes
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Chosen-Ciphertext Security for Any One-Way Cryptosystem
PKC '00 Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Semantically Secure McEliece Public-Key Cryptosystems-Conversions for McEliece PKC
PKC '01 Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Attacking and Defending the McEliece Cryptosystem
PQCrypto '08 Proceedings of the 2nd International Workshop on Post-Quantum Cryptography
Post Quantum Cryptography
Broadcast Attacks against Lattice-Based Cryptosystems
ACNS '09 Proceedings of the 7th International Conference on Applied Cryptography and Network Security
On the equivalence of McEliece's and Niederreiter's public-key cryptosystems
IEEE Transactions on Information Theory
Hi-index | 0.00 |
Code-based cryptographic schemes are promising candidates for post-quantum cryptography since they are fast, require only basic arithmetic, and because their security is well understood. While there is strong evidence that cryptosystems like McEliece and Niederreiter are secure, they have certain weaknesses when used without semantic conversions. An example is a broadcast scenario where the same message is send to different users, encrypted with the respective keys. In this paper, we show how an attacker can use these messages to mount a broadcast attack, which allows to break the Niederreiter and the HyMES cryptosystem using only a small number of messages. While many code-based cryptosystems use certain classes of codes, e.g. binary Goppa codes, our attack is completely independent from this choice and solves the underlying problem directly. Since the number of required messages is very small and since the attack is also possible if related, not identical messages are sent, this has many implications on practical cryptosystem implementations. We discuss possible countermeasures, and provide a CCA2-secure version of the Niederreiter cryptosystem using the Kobara-Imai conversion.