Questions tagged [code-based-cryptography]

For questions about cryptosystems whose security rests on the hardness of decoding error-correcting codes, e.g. Classic McEliece.

20 questions
12 votes, 1 answer

Number of bit-operations required for information set decoding attacks on code-based cryptosystems?

This question is potentially relevant to NIST post-quantum cryptography standards, involving code-based cryptosystems such as McEliece, BIKE and HQC. This paper estimates the concrete number of bit operations required to perform the…
12 votes, 0 answers

Requirements for security against multi-target attacks, for McEliece and other code-based cryptosystems?

This question is potentially relevant to NIST post-quantum cryptography standards, involving code-based cryptosystems such as McEliece, BIKE and HQC. For these cryptosystems, it seems that an attacker can use a "decoding one out of many" strategy as…
12 votes, 3 answers

Error-correcting Code VS Lattice-based Crypto

I'm not an expert in PQ-crypto, but as I understand error-correcting code and lattice-based crypto, the cryptographic assumptions are very similar. The key difference for me is the nature of the noise. In one case, the noise is inspired by the…
6 votes, 3 answers

Why do Problems for Post-Quantum algorithms have to be NP-Hard?

The mathematical problems used for Post-Quantum Cryptography problems I came across, are NP-complete, e.g. solving quadratic equations over finite fields, short lattice vectors and close lattice vectors, bounded distance decoding over finite…
6 votes, 2 answers

Covering codes for digital signatures

An encryption scheme should be injective in the sense that each ciphertext should only be associated with at most one message, in order that decryption is unambiguous. An efficient signature verification scheme should be surjective in the sense that…
3 votes, 1 answer

dimension of Goppa codes

For the McEliece/Niederreiter cryptosystems, an efficient seemingly secure choice of code is an irreducible binary Goppa code, defined by an irreducible $g(x)\in GF(2^m)[x]$ of degree $t$ and a support vector $L=(\alpha_0,\ldots,\alpha_{n-1})$ with…
yoyo
2 votes, 2 answers

Cyclic codes as ideals of a quotient ring

I'm finding the algebra behind cyclic codes somewhat tricky. The starting point is easy enough: $C\subseteq \mathbb F_q^n$ is cyclic if any cyclic shift of a codeword $c\in \mathbb F_q^n$ is still in $C$. Then I got hit with this: cyclic codes…
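As an added worked example (not part of the question above), the following Python makes the "cyclic code = ideal" correspondence concrete over $\mathbb F_2$: a word is stored as the integer whose bit $i$ is $c_i$, which is exactly the polynomial $c(x)=\sum c_i x^i$, the cyclic shift is shown to be multiplication by $x$ modulo $x^n-1$, and the code generated by a divisor $g(x)$ of $x^n-1$ is built as the set of all multiples $m(x)g(x)$. The parameters $n=7$, $g(x)=x^3+x+1$ (the $[7,4,3]$ Hamming code) are an assumption chosen for illustration.

```python
"""Cyclic codes as ideals of F_2[x]/(x^n - 1): a worked example over F_2.

A length-n binary word c = (c_0, ..., c_{n-1}) is stored as an int with bit i = c_i,
which is the same thing as the polynomial c(x) = sum c_i x^i.
"""

def poly_mul(a: int, b: int) -> int:
    """Carry-less product of two binary polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_mod(a: int, m: int) -> int:
    """a(x) mod m(x) in F_2[x]."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def cyclic_shift(c: int, n: int) -> int:
    """(c_0, ..., c_{n-1}) -> (c_{n-1}, c_0, ..., c_{n-2})."""
    return ((c << 1) | (c >> (n - 1))) & ((1 << n) - 1)

def shift_is_mul_by_x(c: int, n: int) -> bool:
    """The cyclic shift equals x * c(x) reduced modulo x^n - 1 (= x^n + 1 over F_2)."""
    return cyclic_shift(c, n) == poly_mod(poly_mul(c, 0b10), (1 << n) | 1)

def code_from_generator(g: int, n: int) -> set[int]:
    """The ideal generated by g(x) in F_2[x]/(x^n - 1): all multiples m(x) g(x), deg m < n - deg g.

    g must divide x^n - 1; then the code has dimension k = n - deg g.
    """
    xn1 = (1 << n) | 1
    if poly_mod(xn1, g) != 0:
        raise ValueError("g(x) must divide x^n - 1")
    k = n - (g.bit_length() - 1)
    return {poly_mod(poly_mul(m, g), xn1) for m in range(1 << k)}

def is_cyclic(code: set[int], n: int) -> bool:
    """Closed under the cyclic shift?"""
    return all(cyclic_shift(c, n) in code for c in code)

def min_distance(code: set[int]) -> int:
    """Minimum weight of a non-zero codeword (= minimum distance, since the code is linear)."""
    return min(bin(c).count("1") for c in code if c)

if __name__ == "__main__":
    # Assumed toy parameters: x^7 - 1 = (x + 1)(x^3 + x + 1)(x^3 + x^2 + 1) over F_2,
    # and g = x^3 + x + 1 generates the [7,4,3] Hamming code.
    C = code_from_generator(0b1011, 7)
    print(len(C), is_cyclic(C, 7), min_distance(C))
```

The check in `code_from_generator` is the whole point of the ideal view: a subspace closed under shift is an ideal of the quotient ring, and the ideals of $\mathbb F_2[x]/(x^n-1)$ are exactly the $(g)$ with $g \mid x^n-1$, so a polynomial that does not divide $x^n-1$ cannot generate a cyclic code of length $n$.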
2 votes, 1 answer

How to map the message to the vector of weight t in Niederreiter cryptosystem?

In Niederreiter cryptosystem, we require the message to be a vector of weight $t$ in $F_q^n$ in encryption, assume $t$ is the error-correction ability of the code. But what is the mapping? One possible way is mapping the message of length $k$ to a…
Laura
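One concrete answer to "what is the mapping?", added here as an example and not taken from the question or any Niederreiter specification, is enumerative (combinadic) coding: the message is read as an integer $N$ in $[0, \binom{n}{t})$ and mapped to the $N$-th weight-$t$ word when supports are ordered lexicographically, so $\lfloor \log_2 \binom{n}{t} \rfloor$ message bits fit into one weight-$t$ vector of $\mathbb F_2^n$. The parameters $n=10, t=3$ and $n=16, t=3$ used below are assumptions for illustration only.

```python
"""Message integer <-> weight-t vector in F_2^n via the combinatorial number system.

This is one possible mapping (enumerative coding), chosen for this example; it is not
the only choice. Messages are integers N in [0, C(n, t)).  The t support positions
c_1 < c_2 < ... < c_t of the N-th vector satisfy N = sum_i C(c_i, i).
"""
from math import comb

def message_bits(n: int, t: int) -> int:
    """Number of message bits that fit into one weight-t vector: floor(log2 C(n, t))."""
    return comb(n, t).bit_length() - 1

def int_to_weight_t(N: int, n: int, t: int) -> list[int]:
    """Unrank: choose c_t > c_{t-1} > ... > c_1 greedily so that N = sum_i C(c_i, i)."""
    if not 0 <= N < comb(n, t):
        raise ValueError("message out of range for (n, t)")
    vec = [0] * n
    for i in range(t, 0, -1):
        c = i - 1                      # C(i-1, i) = 0 <= N always holds
        while comb(c + 1, i) <= N:     # advance to the largest c with C(c, i) <= N
            c += 1
        vec[c] = 1
        N -= comb(c, i)
    return vec

def weight_t_to_int(vec: list[int]) -> int:
    """Rank: inverse of int_to_weight_t (positions taken in ascending order)."""
    positions = [j for j, b in enumerate(vec) if b]
    return sum(comb(c, i) for i, c in enumerate(positions, start=1))

def bits_to_weight_t(bits: str, n: int, t: int) -> list[int]:
    """A message bit string of length message_bits(n, t) -> weight-t error vector."""
    if len(bits) != message_bits(n, t):
        raise ValueError("message must have exactly message_bits(n, t) bits")
    return int_to_weight_t(int(bits, 2) if bits else 0, n, t)

if __name__ == "__main__":
    n, t = 16, 3                      # assumed toy parameters
    e = bits_to_weight_t("101100111", n, t)
    print(message_bits(n, t), e, weight_t_to_int(e))
```

Two practitioner caveats: the greedy loop branches and iterates a data-dependent number of times, so on a real deployment it leaks the message through timing unless replaced by a constant-time variant; and because only $2^{\lfloor \log_2 \binom{n}{t}\rfloor}$ of the $\binom{n}{t}$ weight-$t$ words are used, the encoding is injective but not surjective onto the weight-$t$ vectors, which is harmless for encryption but must be accounted for when the mapping is used in a signature-style "decode a random syndrome" setting.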
2 votes, 0 answers

A proposal for randomization of Niederreiter cryptosystem

The Niederreiter cryptosystem is a public key cryptosystem using Goppa code. Unfortunately it is insecure unless it is a binary code. So I thought I could insert random linear codes into randomly selected columns of the public key in the parity…
2 votes, 1 answer

Understanding security proof and parameter selection for Hamming Quasi Cyclic (HQC)

I am trying to understand how the parameters for HQC are chosen to achieve the desired security level. The security proof in the specification for IND-CPA shows…
2 votes, 1 answer

Patterson's decoding algorithm for Goppa codes

From this Wiki page: given a Goppa code $\Gamma(g, L)$ and a binary word $v=(v_0,...,v_{n-1})$, its syndrome is defined as $$s(x)=\sum_{i=0}^{n-1}\frac{v_i}{x-L_i} \mod g(x).$$ To do error correction, Patterson's algorithm goes as…
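The syndrome $s(x)=\sum_i v_i/(x-L_i) \bmod g(x)$ is the input to Patterson's algorithm, and the step that trips people up is what "$1/(x-L_i) \bmod g$" means. The following Python, added here as a worked example and not taken from the question or the wiki page, computes it using the identity $g(x) = (x-L_i)\,q_i(x) + g(L_i)$ (synthetic division), which gives $(x-L_i)^{-1} \equiv q_i(x)\,g(L_i)^{-1} \pmod{g}$ and requires only that $g(L_i)\neq 0$, i.e. that no support element is a root of $g$. The field $\mathrm{GF}(2^4)=\mathbb F_2[z]/(z^4+z+1)$ and the Goppa polynomial $g(x)=x^2+x+z^3$ are assumptions chosen so that the example is small; only the syndrome is computed, not the rest of Patterson's algorithm (the square root modulo $g$, the truncated Euclidean step and the root search).

```python
"""Syndrome s(x) = sum_i v_i / (x - L_i) mod g(x) of a binary Goppa code Gamma(g, L).

Toy parameters (assumed for this example, not from any standard):
  GF(2^4) = F_2[z]/(z^4 + z + 1), elements are 4-bit ints (bit k = coefficient of z^k);
  g(x) = x^2 + x + z^3, which has no roots in GF(2^4), so L can be all 16 field elements.
Polynomials over GF(2^4) are lists of coefficients, lowest degree first.
"""

M = 4
FIELD_MOD = 0b10011  # z^4 + z + 1

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^M), reducing by the field polynomial bit by bit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= FIELD_MOD
    return r

def gf_inv(a: int) -> int:
    """a^(2^M - 2) = a^-1 for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r = 1
    for _ in range((1 << M) - 2):
        r = gf_mul(r, a)
    return r

def divide_by_linear(g: list[int], a: int) -> tuple[list[int], int]:
    """Synthetic division: g(x) = (x + a) q(x) + g(a) (char 2, so x - a == x + a). Returns (q, g(a))."""
    t = len(g) - 1
    q = [0] * t
    acc = g[t]
    for i in range(t - 1, -1, -1):
        q[i] = acc
        acc = g[i] ^ gf_mul(a, acc)
    return q, acc

def goppa_support(g: list[int]) -> list[int]:
    """The usual support L: every field element that is not a root of g."""
    return [a for a in range(1 << M) if divide_by_linear(g, a)[1] != 0]

def syndrome(v: list[int], support: list[int], g: list[int]) -> list[int]:
    """s(x) = sum over positions with v_i = 1 of (x + L_i)^-1 mod g(x).

    With g(x) = (x + L_i) q_i(x) + g(L_i), the inverse of (x + L_i) modulo g is q_i(x) / g(L_i).
    """
    t = len(g) - 1
    s = [0] * t
    for v_i, L_i in zip(v, support):
        if v_i:
            q, r = divide_by_linear(g, L_i)
            inv_r = gf_inv(r)
            for k in range(t):
                s[k] ^= gf_mul(q[k], inv_r)
    return s

def poly_mulmod(a: list[int], b: list[int], g: list[int]) -> list[int]:
    """(a * b) mod g over GF(2^M); g must be monic. Result has deg(g) coefficients."""
    t = len(g) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] ^= gf_mul(ai, bj)
    for d in range(len(prod) - 1, t - 1, -1):   # cancel leading terms with multiples of g
        c = prod[d]
        if c:
            for k in range(t + 1):
                prod[d - t + k] ^= gf_mul(c, g[k])
    res = prod[:t]
    return res + [0] * (t - len(res))

G = [0b1000, 1, 1]  # g(x) = x^2 + x + z^3 (assumed)

def single_error_check(i: int) -> bool:
    """For the unit vector e_i, (x + L_i) * s(x) must be 1 modulo g."""
    L = goppa_support(G)
    v = [0] * len(L)
    v[i] = 1
    s = syndrome(v, L, G)
    return poly_mulmod([L[i], 1], s, G) == [1] + [0] * (len(G) - 2)

if __name__ == "__main__":
    L = goppa_support(G)
    print(len(L), all(single_error_check(i) for i in range(len(L))))
```

Because the syndrome is $\mathbb F_2$-linear in $v$, the codewords of $\Gamma(g,L)$ are exactly the $v$ with $s(x)=0$; the per-position inverses $q_i(x)g(L_i)^{-1}$ are the columns of the parity-check matrix (written out over $\mathbb F_2$), which is how the Niederreiter public key is obtained before scrambling.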
1 vote, 0 answers

On the effectiveness of Sidelnikov-Shestakov attack under a bad guess

I have been studying Wieschebrink paper "Cryptanalysis of the Niederreiter Public Key Scheme Based on GRS Codes". In the paper a cryptosystem using GRS codes is exhibited with an attack proposed to the cryptosystem, this one being the…
1 vote, 1 answer

Use of irreducible Goppa codes in McEliece scheme

Is there a cryptographic reason for using an irreducible Goppa polynomial $g$ in the McEliece scheme? One doesn't need irreducibility to define a usable code, so I assume there is some structural attack against reducible polynomials? [One caveat…
1 vote, 1 answer

The mathematical similarity and difference between code-based PKE and multivariate DSS

In code-based public key encryption schemes, a public key is formed by matrix-multiplying 2 linear matrices to the left and right side of an easily decodable error-correcting code, so that it'll be difficult to extract useful information that may be…
1 vote, 1 answer

Small Notation question on HQC and 2-QCSD-P Distribution

I am reading the Hamming Quasi-Cyclic (HQC) specification and just want to clarify a notation they are using. In the paragraph before Definition 2.1.14 (2-QCSD-P Distribution), for $b_1 \in \{0,1\}$ they define a set $$\mathbb{F}^{n}_{2,b_1} = \{h…
grover