Pierre-Louis Cayrel

Université Jean Monnet · IUT de Saint-Etienne

Code-based cryptography received attention after the NIST started the post-quantum cryptography standardization process in 2016. A central NP-hard problem is the binary syndrome decoding problem, on which the security of many code-based cryptosystems lies. The best known methods to solve this problem all stem from the information-set decoding strat...

The NIST Post-Quantum Cryptography (PQC) standardization challenge was launched in December 2016 and recently, has released its first results. The whole process has given a considerable dynamic to the research in post-quantum cryptography, in particular to practical aspects, such as the study of the vulnerabilities of post-quantum algorithms to sid...

The modern security protocols in most of our systems rely primarily on three basic functions of asymmetric cryptography: public key encryption, digital signature, and key exchange. Today, we only do key exchange (TLS 1.3) with the ECDH protocol. The confidentiality is persistent because the session keys are discarded at the end and to certify this...

In the NIST Post-Quantum Cryptography (PQC) standardization process, among 17 candidates for code-based public-key encryption (PKE), signature or key encapsulation mechanism (KEM), only three are in the 4th evaluation round. The remaining code-based candidates are Classic McEliece [CCUGLMMNPP+20], BIKE [ABBBBDGGGM+17] and HQC [MABBBBDDGL+20]. Crypt...

Among the fourth round finalists of the NIST post-quantum cryptography standardization process for public-key encryption algorithms and key encapsulation mechanisms, three rely on hard problems from coding theory. Key encapsulation mechanisms are frequently used in hybrid cryptographic systems: a public-key algorithm for key exchange and a secret k...

The NIST standardization process for post-quantum cryptography has been drawing the attention of researchers to the submitted candidates. One direction of research consists in implementing those candidates on embedded systems and that exposes them to physical attacks in return. The Classic McEliece cryptosystem, which is among the four finalists of...

The NIST standardization process for post-quantum cryptography has been drawing the attention of researchers to the submitted candidates. One direction of research consists in implementing those candidates on embedded systems and that exposes them to physical attacks in return. The Classic McEliece cryptosystem, which is among the four finalists of...

Code-based public-key cryptosystems are promising candidates for standardization as quantum-resistant public-key cryptographic algorithms. Their security is based on the hardness of the syndrome decoding problem. Computing the syndrome in a finite field, usually F2, guarantees the security of the constructions. We show in this article that the prob...

In this article, we model a variant of the well-known syndrome decoding problem as a linear optimization problem. Most common algorithms used for solving optimization problems, e.g. the simplex algorithm, fail to find a valid solution for the syndrome decoding problem over a finite field. However, our simulations prove that a slightly modified vers...

Code-based public-key cryptosystems are promising candidates for standardisation as quantum-resistant public-key cryptographic algorithms. Their security is based on the hardness of the syndrome decoding problem. Computing the syndrome in a finite field, usually F2, guarantees the security of the constructions. We show in this article that the prob...

The security of McEliece’s cryptosystem relies heavily on the hardness of decoding a random linear code. The best known generic decoding algorithms are derived from the Information-Set Decoding (ISD) algorithm. This was first proposed in 1962 by Prange and subsequently improved in 1989 by Stern and later in 1991 by Dumer. In 2001 Al Jabri introduce...

This book presents refereed proceedings of the First International Conference on Algebra, Codes and Cryptology, A2C 2019, held in Dakar, Senegal, in December 2019. The 14 full papers were carefully reviewed and selected from 35 submissions. The papers are organized in topical sections on non-associative and non-commutative algebra; code, cryptolog...

The Internet of Things (IoT) is an upcoming technology that permits to interconnect different devices and machines using heterogeneous networks. One of the most critical issues in IoT is to secure communication between IoT components. The communication between the different IoT components is insecure, which requires the design of a secure authentic...

In this paper we revisit some of the main aspects of the DAGS Key Encapsulation Mechanism, one of the code-based candidates to NIST’s standardization call for the key exchange/encryption functionalities. In particular, we modify the algorithms for key generation, encapsulation and decapsulation to fit an alternative KEM framework, and we present a...

Code-based cryptography is one of the main areas of interest for NIST’s Post-Quantum Cryptography Standardization call. In this paper, we introduce DAGS, a Key Encapsulation Mechanism (KEM) based on quasi-dyadic generalized Srivastava codes. The scheme is proved to be IND-CCA secure in both random oracle model and quantum random oracle model. We be...

Code-based cryptography is a very promising research area. It allows the construction of different cryptographic mechanisms (e.g. identification protocol, public-key cryptosystem, etc.). McEliece cryptosystem is the first code-based public-key cryptosystem; several variants of this cryptosystem were proposed to design various security protocols in...

In this paper we construct a pseudorandom number generator using only worst-case hardness assumptions for standard lattice problems. With a common technique, we can then build a stream cipher by combining the generated pseudorandom sequence with the plaintext. Moreover, as an option to gain efficiency both in terms of speed and memory, we suggest t...

In this work we present an efficient implementation of the Hybrid Encryption scheme based on the Niederreiter PCKS proposed by E. Persichetti. To achieve IND-CCA2 security (in the random oracle model), we use an HMAC function of the message and the symmetric key, and then apply AES128-CBC as the data encapsulation part of this hybrid scheme. The HM...

In this paper, we detail two side-channel attacks against the McEliece public-key cryptosystem. They are exploiting timing differences on the Patterson decoding algorithm in order to reveal one part of the secret key: the support permutation. The first one is improving two existing timing attacks and uses the correlation between two different steps...

Code-based cryptosystems are promising candidates for post-quantum cryptography since they are fast, require only basic arithmetic because their security is well understood. The increasing number of cryptographic schemes based on codes over fields other than F2 presents, however, security issues that are not relevant in the case of binary codes; th...

In 1978, the Syndrome Decoding Problem (SDP) was proven to be NP-complete for random binary codes. Since then, the security of several cryptographic applications relies on its hardness. In 2009, Finiasz extended this result by demonstrating the NP-completeness of certain sub-classes of the SDP (see [9]). In this paper, we prove the NP-completeness...

The segment of post-quantum cryptography rises its importance with increasing improvements in the quantum computing. Cryptographic post-quantum algorithms have been proposed since 1970s. However, side-channel attack vulnerabilities of these algorithms are still in focus of the recent research. In this paper, we present a differential power analysis...

It is known how to transform certain canonical three-pass identification schemes into signature schemes via the Fiat–Shamir transform. Pointcheval and Stern showed that those schemes are existentially unforgeable in the random-oracle model leveraging the, at that time, novel forking lemma. Recently, a number of 5-pass identification protocols have...

The code-based cryptography is very important research area and it is applied in different schemes (public key cryptosystem, identification protocol,etc.). In literature of design of RFID (radio frequency identification) authentication protocols, we can find several categories according to various primitives requirements. We interest by RFID authen...

Chosen ciphertext attack with simple power analysis on the syndrome computation in the decryption of the McEliece code-based cryptosystem.

Two essential problems are still posed in terms of Radio Frequency Identification (RFID) systems, including: security and limitation of resources. Recently, Li et al.'s proposed a mutual authentication scheme for RFID systems in 2014, it is based on Quasi Cyclic-Moderate Density Parity Check (QC-MDPC) McEliece cryptosystem. This cryptosystem is des...

Among the embedded systems which were quickly developed during the last years and that were used in various domains (e.g. access control, health, ...) we can cite radio frequency identification (RFID). In this paper, we propose an improved mutual authentication protocol in RFID systems based on the randomized McEliece cryptosystem. The McEliece cry...

One of the most important challenges related to Radio Frequency Identification (RFID) systems is security. In this paper, we analyze the security and performance of two recent RFID authentication protocols based on two different code-based cryptography schemes. The first one, proposed by Malek and Miri, is based on randomized McEliece cryptosystem....

One of the most important challenges related to Radio Frequency Identification (RFID) systems is security. In this paper, we analyze the security and performance of two recent RFID authentication protocols based on two different code-based cryptography schemes. The first one, proposed by Malek and Miri, is based on randomized McEliece cryptosystem....

In this paper, we present a novel countermeasure against a simple power analysis based side channel attack on a software implementation of the McEliece public key cryptosystem. First, we attack a straightforward C implementation of the Goppa codes based McEliece decryption running on an ARM Cortex-M3 microprocessor. Next, we demonstrate on a realis...

In this work, we present a survey on software implementations of two families of cryptographic primitives based on the syndrome decoding problem: hash functions and stream ciphers. We have studied different algorithms, namely, FSB, SFSB, RFSB, SYND, 2SC and XSYND, and tried to improve their performances as software implementations which are done in...

Code-based cryptographic schemes are promising candidates for post-quantum cryptography since they are fast, require only basic arithmetic, and have a well understood security. While there is strong evidence that cryptosystems like McEliece and Niederreiter are secure, they have certain weaknesses when used without semantic conversions. Critical at...

Breaking contemporary cryptographic algorithms using any binary computer has at least sub-exponential complexity. However, if a quantum computer was used effectively, then our asymmetric cryptography would not be secure anymore. Since the code-based cryptography (cryptography based on error-correcting codes) relies on different problems, it is not...

This survey provides a comparative overview of code-based signature schemes with respect to security and performance. Furthermore, we explicitly describe serveral code-based signature schemes with additional properties such as identity-based, threshold ring and blind signatures.

In this article we discus a probability problem applied in the code based cryptography. It is related to the shape of the polynomials with exactly t different roots. We will show that the structure is very dense and the probability that this type of polynomials has at least one coefficient equal to zero is extremelly low. We treated this issue in o...

The irreducible binary Goppa codes are widely used in code-based cryptography, like in the McEliece cryptosystem. The aim of this work is to design an efficient and secure hardware implementation of a Goppa decoder. We will show how to adapt a common step of all decoding algorithms to obtain a "leakage resistant" variant.

In this paper we present efficient implementations of several code-based identification schemes, namely the Stern scheme, the Véron scheme and the Cayrel-Véron-El Yousfi scheme. We also explain how to derive and implement signature schemes from the previous identification schemes using the Fiat-Shamir transformation. For a security of 80 bits and a...

The irreducible binary Goppa codes are widely used in code-based cryptography, like in the McEliece cryptosystem. The aim of this work is to design an efficient and secure hardware implementation of a Goppa decoder. Patterson proposed in 1975 an algorithm able to efficiently decode those codes. We will show how to adapt this algorithm to obtain a"...

Zero-knowledge identification schemes solve the problem of authenticating one party to another via an insecure channel without disclosing any additional information that might be used by an impersonator. In this paper we propose a scheme whose security relies on the existence of a commitment scheme and on the hardness of worst-case lattice problems...

The concept of threshold ring signature in code-based cryptography was introduced by Aguilar et al. in [1]. Their proposal uses Stern’s identification scheme as basis. In this paper we construct a novel threshold ring signature scheme built on the q-SD identification scheme recently proposed by Cayrel et al. in [14]. Our proposed scheme benefits of...

In 2007, Gaborit et al. proposed the stream cipher SYND as an improvement of the pseudo random number generator due to Fischer and Stern. This work shows how to improve considerably the efficiency the SYND cipher without using the so-called regular encoding and without compromising the security of the modified SYND stream cipher. Our proposal, call...

The well-known forking lemma by Pointcheval and Stern has been used to prove the security of the so-called generic signature schemes. These signature schemes are obtained via the Fiat-Shamir transform from three-pass identification schemes. A number of five-pass identifi-cation protocols have been proposed in the last few years. Extending the forki...

In this paper we present efficient implementations of McEliece variants using quasi-dyadic codes. We provide secure parameters for a classical McEliece encryption scheme based on quasi-dyadic generalized Srivastava codes, and successively convert our scheme to a CCA2-secure protocol in the random oracle model applying the Fujisaki-Okamoto transform...

This survey presents an overview and a comparative analysis of the state of the art in post-quantum identification schemes based on lattices. Furthermore, we propose an adaptation of the HB family of identification in a lattice context. The aspects taken into account in such a comparison are performance, security, communication costs, the underlyin...

In this paper we propose a new 5-pass zero-knowledge identification scheme with soundness error close to 1/2. We use the hardness of the Inhomogeneous Small Integer Solution problem as security basis. Our protocol achieves lower communication costs compared with previous lattice-based zeroknowledge identification schemes. Besides, our construction...

This paper presents a batch version of the lattice-based identification scheme known as CLRS. Our version consists of a method for allowing a user to authenticate himself with different levels of clearance upon the choice of a subset of keys in his possession. It bears similarity with the Schnorr batch scheme, in the sense that the communication co...

Hash functions are one of the most important cryptographic primitives. Some of the currently employed hash functions like SHA-1 or MD5 are considered broken today. Therefore, in 2007 the US National Institute of Standards and Technology announced a competition for a new family of hash functions. Keccak is one of the five final candidates to be chos...

In this article, we present a new code-based stream cipher called 2SC, based on the sponge construction. The security of the keystream generation of 2SC is reducible to the conjectured intractability of the Syndrome Decoding (SD) problem, which is believed to be hard in the average case. Our stream cipher compares favorably with other provably secu...

In this paper, we present an improved version of an identity-based identification scheme based on error-correcting codes. Our scheme combines the Courtois-Finiasz-Sendrier signature scheme using quasi-dyadic codes (QD-CFS) proposed in [2] and the identification scheme by Stern [18]. Following the construction proposed in [5], we obtain an identity-...

In 2003, Augot et al. introduced the Fast Syndrome-Based hash family (in short FSB), which follows the generic construction of Merkle-Damgård and is based on the syndrome decoding problem. In 2007, Finiasz et al. proposed an improved version of FSB. In this work, we propose a new efficient hash function, which incorporates the ideas of FSB and the...

Ring signatures were introduced by Rivest, Shamir, and Tauman in 2001. These signatures allow a signer to anonymously authenticate a message on behalf of a group of his choice. This concept was then extended by Bresson, Stern, and Szydlo into t -out-of- N (threshold) ring signatures in 2002. We propose in this article a generalization of Stern's co...

Code-based cryptographic schemes are promising candidates for post-quantum cryptography since they are fast, require only basic arithmetic, and because their security is well understood. While there is strong evidence that cryptosystems like McEliece and Niederreiter are secure, they have certain weaknesses when used without semantic conversions. A...

In this paper we present efficient implementations of several code-based identification schemes, namely the Stern scheme, the Véron scheme and the Cayrel-Véron-El Yousfi scheme. For a security of 80 bits, we obtain a signature in respectively 1.048 ms, 0.987 ms and 0.594 ms.

Code-based cryptographic schemes are promising candidates for post-quantum cryptography since they are fast, require only basic arithmetic, and because their security is well understood. Due to their main drawback of large public key sizes, there have been many proposals on how to reduce the key sizes. Many of these use highly structured matrices w...

The last three years have witnessed tremendous progress in the understanding of code-based cryptography. One of its most promising applications is the design of cryptographic schemes with exceptionally strong security guarantees and other desirable properties. In contrast to number-theoretic problems typically used in cryptography, the underlying p...

In this paper, we propose a dual version of the first identity-based scheme based on error-correcting code proposed by Cayrel et.al [CGG07]. Our scheme combines the McEliece signature and the Véron zero-knowledge identification scheme, which provide better computa-tion complexity than the Stern one. We also propose a generalization of the Véron ide...

Courtois-Finiasz-Sendrier (CFS) digital signatures critically depend on the ability to efficiently find a decodable syndrome by random sampling the syndrome space, previously restricting the class of codes upon which they could be instantiated to generic binary Goppa codes. In this paper we show how to construct t-error correcting quasi-dyadic code...

The McEliece and the Niederreiter public key cryptosystems (PKC) are supposed secure in a post quantum world (4) because there is no ecient quantum algorithm for the underlying problems upon which these cryptosystems are built. The CFS, Stern and KKS signature schemes are post-quantum secure because they are based on hard problems of coding theory....

Zero-knowledge identification schemes solve the problem of authenticating one party to another via an insecure channel without disclosing any additional information that might be used by an impersonator. In this paper we propose a scheme whose security relies on the existence of a commitment scheme and on the hardness of worst-case lattice problems...

I give a survey of new results on the Stern identification and signature scheme, I describe coding theory, its applications to cryptography and different identification and signature schemes using error correcting codes. Next, I briefly describe a secure implementation of the Stern scheme against DPA and an identity based signature scheme.

At CRYPTO’93, Stern proposed a 3-pass code-based identification scheme with a cheating probability of 2/3. In this paper, we propose a 5-pass code-based protocol with a lower communication complexity, allowing an impersonator to succeed with only a probability of 1/2. Furthermore, we propose to use double-circulant construction in order to dramatic...

A zero knowledge identification scheme based on the q-ary SD problem. Abstract. At CRYPTO'93, Stern proposed a 3-pass code-based identification scheme with a cheating probability of 2/3. In this paper, we propose a 5-pass code-based protocol with a lower communication complexity , allowing an impersonator to succeed with only a probability of 1/2....

The McEliece and Niederreiter public key cryptosystems (PKC) are presumed secure in a post quantum world because there is no efficient quantum algorithm that solves the hard problems upon which these cryptosystems are built. The present article indicates, however, a different type of vulnerability for such cryptosystems, namely fault injection. We...

Quasi-cyclic codes over a finite field are viewed as cyclic codes over a noncommutative ring of matrices over a finite field. This point of view permits to generalize some known results about linear recurring sequences and to propose a new construction of some quasi-cyclic codes and self-dual codes.

In this paper we propose two first non-generic con-structions of multisignature scheme based on coding theory. The first system make use of the CFS signature scheme and is secure in random oracle while the second scheme is based on the KKS construction and is a few times. The security of our construction relies on a difficult problems in coding the...

In this paper, we propose a dual version of the first threshold ring signature scheme based on error-correcting code proposed by Aguilar et. al in [1]. Our scheme uses an improvement of Veron zero-knowledge identification scheme, which provide smaller public and private key sizes and better computation complexity than the Stern one. This scheme is...

We revisit the 3-pass code-based identification scheme proposed by Stern at Crypto'93, and give a new 5-pass protocol for which the probability of the cheater is 1/2 (instead of 2/3 in the original Stern's proposal). Furthermore, we propose to use quasi-cyclic construction in order to dramatically reduce the size of the public key. The proposed sch...

In this article, we propose a new lattice-based threshold ring signature scheme, modifying Aguilar's code-based solution to use the short integer solution (SIS) problem as security assumption, instead of the syndrome decoding (SD) problem. By applying the CLRS identification scheme, we are also able to have a performance gain as result of the reduc...

The McEliece cryptosystem is one of the oldest public-key cryptosystem ever designated. It is also the first public-key cryptosystem based on linear error-correcting codes. The main advantage of the McEliece cryptosystem is to have a very fast encryption and decryption functions but suers from a major drawback. It requires a very large public key w...

In this paper, a new identity-based identification scheme based on error-correcting codes is proposed. Two well known code-based schemes are combined : the signature scheme by Courtois, Finiasz and Sendrier and an identification scheme by Stern. A proof of security for the scheme in the Random Oracle Model is given.

Ring signatures were introduced by Rivest, Shamir and Tauman in 2001. Bresson, Stern and Szydlo extended the ring signature concept to t-out-of-N threshold ring signatures in 2002. We present in this paper a generalization of Stern’s code based authentication (and signature) scheme to the case of t-out-of-N threshold ring signature. The size of our...

In this paper we describe the first implementation on smartcard of the code-based authentication protocol proposed by Stern at Crypto’93 and we give a securization of the scheme against side channel attacks. On the whole, this provides a secure implementation of a very practical authentication (and possibly signature) scheme which is mostly attract...

Kabastianskii, Krouk and Smeets proposed in 1997 a digital signature scheme based on random error-correcting codes. In this paper we investigate the security and the efficiency of their proposal. We show that a passive attacker who may intercept just a few signatures can recover the private key. We give precisely the number of signatures required t...

In this paper, we propose a new identity-based authentica-tion (and signature) scheme based on error-correcting codes. This scheme is up to date the first identity-based scheme not based on number theory. The scheme combines two well known code-based schemes: the signature scheme of Courtois, Finiasz and Sendrier and the zero-knowledge au-thenticat...

es (Eds.): BFCA'07 2 Abstract. Algebraic attacks have established as an impor-tant tool for cryptanalyzing LFSR-based keystream genera-tors. Crucial for an efficient attack is to find appropriate equations of a degree as low as possible. Hereby, lower degrees are possible if many keystream bits are involved in one equation. An example is the keystr...