Ayoub Otmani

Experimental constructions of self-dual codes

We give a general experimental method generalizing the codes of Carlach and Vervoux (Proceedings of the 13th Applicable Algebra in Engineering Communication and Computing (AAECC 13), Hawaii, USA, 14-19 November 1999, p. 15) to construct self-dual codes. We consider the particular fields GF(2), GF(3), GF(4) (both Euclidean and Hermitian cases), GF(5) and GF(7). We give numerical tables of the best known self-dual codes over these alphabets up to lengths where minimum distances are computable. These tables regularly fill gaps between known codes with good parameters such as the quadratic residue codes, the Pless symmetry codes (J. Combin. Theory Ser. A A12 (1972) 119) or the quadratic double circulant codes (J. Combin. Theory Ser. A 97 (2002) 85). Many new codes with better parameters are constructed: in particular the first extremal ternary self-dual [52,26,15] and [78,39,18] codes and the first binary self-dual [114,57,18] and [116,58,18] codes are constructed. We also give the minimum weight of the Pless symmetry codes of length 84. We also update tables for quadratic residue codes over GF(4),GF(5) and GF(7) and we obtain in particular a [62,31,20] code over GF(5).

Distinguisher-based attacks on public-key cryptosystems using Reed---Solomon codes

Because of their interesting algebraic properties, several authors promote the use of generalized Reed–Solomon codes in cryptography. Niederreiter was the first to suggest an instantiation of his cryptosystem with them but Sidelnikov and Shestakov showed that this choice is insecure. Wieschebrink proposed a variant of the McEliece cryptosystem which consists in concatenating a few random columns to a generator matrix of a secretly chosen generalized Reed–Solomon code. More recently, new schemes appeared which are the homomorphic encryption scheme proposed by Bogdanov and Lee, and a variation of the McEliece cryptosystem proposed by Baldi et al. which hides the generalized Reed–Solomon code by means of matrices of very low rank. In this work, we show how to mount key-recovery attacks against these public-key encryption schemes. We use the concept of distinguisher which aims at detecting a behavior different from the one that one would expect from a random code. All the distinguishers we have built are based on the notion of component-wise product of codes. It results in a powerful tool that is able to recover the secret structure of codes when they are derived from generalized Reed–Solomon codes. Lastly, we give an alternative to Sidelnikov and Shestakov attack by building a filtration which enables to completely recover the support and the non-zero scalars defining the secret generalized Reed–Solomon code.

A Distinguisher for High-Rate McEliece Cryptosystems

The Goppa Code Distinguishing (GD) problem consists in distinguishing the matrix of a Goppa code from a random matrix. The hardness of this problem is an assumption to prove the security of code-based cryptographic primitives such as McElieces cryptosystem. Up to now, it is widely believed that the GD problem is a hard decision problem. We present the first method allowing to distinguish alternant and Goppa codes over any field. Our technique can solve the GD problem in polynomial time provided that the codes have sufficiently large rates. The key ingredient is an algebraic characterization of the key-recovery problem. The idea is to consider the rank of a linear system which is obtained by linearizing a particular polynomial system describing a key-recovery attack. It appears that this dimension depends on the type of code considered. Explicit formulas derived from extensive experimentations for the rank are provided for “generic” random, alternant, and Goppa codes over any field. Finally, we give theoretical explanations of these formulas in the case of random codes, alternant codes over any field of characteristic two and binary Goppa codes.

A systematic construction of self-dual codes

A new coding construction scheme of block codes using short base codes and permutations that enables the construction of binary self-dual codes is presented in Cadic et al. (2001) and Carlach et al. (1999, 2000). The scheme leads to doubly-even (resp,. singly-even) self-dual codes provided the base code is a doubly-even self-dual code and the number of permutations is even (resp., odd). We study the particular case where the base code is the [8, 4, 4] extended Hamming. In this special case, we construct a new [88, 44, 16] extremal doubly-even self-dual code and we give a new unified construction of the five [32, 16, 8] extremal doubly-even self-dual codes.

Structural cryptanalysis of McEliece schemes with compact keys

A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (

Folding Alternant and Goppa Codes With Non-Trivial Automorphism Groups

\mathrm{QC}

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

QC), quasi-dyadic (