Team Secret

Overall Objectives
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: New Results

Keywords : decoding algorithms, quantum codes, linear cryptanalysis, algebraic attack, BCH codes, Groebner bases, LDPC codes, code reconstruction, reverse engineering.

Decoding techniques, algebraic systems solving and applications

Participants : Daniel Augot, Christophe Chabot, Mathieu Cluzeau, Maxime Cote, Cédric Faure, Matthieu Finiasz, Benoît Gérard, Jean-Pierre Tillich.

Many cryptanalyses of cryptosystems rely on approximations of these systems by simple, easier functions. For instance, one tries to approximate the system by low degree polynomials, be they in one variable over a huge finite field, or in several variables over the Boolean field. Once such an approximation has been found, the problem of finding the key or of inverting the system, which is normally intractable with a direct approach, is written into a system of simple equations, where each equation holds with some probability. The probability is as good as the approximation is close. For instance, a classical cryptanalysis of the stream ciphers which rely on linear feedback shift register filtered by a Boolean function models the attacked cipher as the result of the transmission of a linear function through a very highly noisy channel. Then, removing the noise amounts to decoding a certain linear code. This code is highly structured, and one of the most efficient methods to decode it exploits the fact that it has low density parity-check equations, and thus can be decoded as an LDPC (Low-density parity-check code)code, with iterative algorithms. Furthermore, the problem of finding such good approximations of ciphers leads also to a decoding problem. Here, finding good approximations by linear functions amounts to a decoding problem of the first order Reed-Muller code. Local decoding is then used in this context, and enables various attacks, such as correlation attacks or linear cryptanalysis.

Besides the cryptographic applications of decoding algorithms, we also investigate two new application domains for decoding algorithms: reverse engineering of communication systems, and quantum error correcting codes for which we have shown that some of them can be decoded successfully with iterative decoding algorithms.

Linear cryptanalysis and decoding Reed-Muller codes.

The first family of codes that we have studied in detail is the family of Reed-Muller codes. Being able to decode efficiently members of this family on various channels is very helpful for cryptanalysis: the decoding of first order Reed-Muller codes on the binary symmetric channel is a useful task for linear cryptanalysis whereas decoding general Reed-Muller codes on the erasure channel can be used in algebraic attacks of ciphers. In particular in his thesis [75] , Cédric Tavernier found new (local) decoding algorithms for first order Reed-Muller codes over the binary symmetric channel, which improves upon the Goldreich-Rubinfeld-Sudan algorithm. This algorithm enables him to find new linear approximations of several rounds of the DES with biases of the same order as Matsui's approximations.

Recent results:

Solving algebraic systems and applications to coding.

Gröbner bases algorithms for solving algebraic systems is an important tool which can be applied both for error-correction and in cryptography, in the context of algebraic attacks.

Recent results:

New decoding algorithm for error-correction.

We also investigate more traditional aspects of coding theory by improving some decoding algorithms for error-correction and by searching for codes with good decoding performance.

Recent results:

Quantum codes.

The knowledge we have acquired in iterative decoding techniques has also lead to study whether or not the very same techniques could also be used to decode quantum codes. Part of the old ACI project “RQ” in which we were involved and the new ANR project “COCQ” are about this topic. Notice that protecting quantum information from external noise is an issue of paramount importance for building a quantum computer. It also worthwhile to notice that all quantum error-correcting code schemes proposed up to now suffer from the very same problem that the first (classical) error-correcting codes had: there are constructions of good quantum codes, but for the best of them it is not known how to decode them in polynomial time. Our approach for overcoming this problem has been to study whether or not the family of turbo-codes and LDPC codes (and the associated iterative decoding algorithms) have a quantum counterpart. We have shown that the classical iterative decoding algorithms can be generalized to the quantum setting and have come up with some families of quantum LDPC codes and quantum serial turbo-codes with rather good performances under iterative decoding [32] , [19] , [64] , [20] .

Reverse engineering of communication systems.

To evaluate the quality of a cryptographic algorithm, it is usually assumed that its specifications are public, as, in accordance with Kerckhoffs principle (Kerckhoffs stated that principle in a paper entitled La Cryptographie militaire , published in 1883.), it would be dangerous to rely, even partially, on the fact that the adversary does not know those specifications. However, this fundamental rule does not mean that the specifications are known to the attacker. In practice, before mounting a cryptanalysis, it is necessary to strip off the data. This reverse engineering process is often subtle, even when the data formatting is not concealed on purpose. A typical case is interception; some raw data, not necessarily encrypted, is observed out of a noisy channel. To access the information, the whole communication system has first to be disassembled and every constituent reconstructed. Our activity within this domain, whose first aim is to establish the scientific and technical foundations of a discipline which does not exist yet at an academic level, has been supported by two industrial contracts driven by the DGA.

Recent results:


Logo Inria