At Eurocrypt 2003, Augot and Finiasz presented a novel public-key cryptosystem based on the Polynomial Reconstruction problem. While there is no immediate way to use coding-theoretic techniques to break their system, it was subsequently broken by Coron, who presented a ciphertext-only attack (based on a worst-case analysis). In the present work we study the optimal parameter setting of their cryptosystem and analyze it from a probabilistic point of view. We first show that a small modification of the scheme's parameters foils the worst-case analysis of the above attack; however, we give an alternative probabilistic analysis showing that the attack still works almost always. We then present a novel analysis of optimal parameter selection for their cryptosystem and show that, in the optimal parameter setting, the Augot-Finiasz cryptosystem actually thwarts Coron's attack. Finally, we present a stronger ciphertext-only attack, based on the list-decoding algorithms of Sudan and of Guruswami and Sudan, that breaks the optimal parameter setting of the cryptosystem. We conclude that the Augot-Finiasz cryptosystem, regardless of the exact choice of parameters, succumbs to a polynomial-time ciphertext-only attack.

1 Introduction

Polynomial Reconstruction is a curve-fitting problem that has been studied extensively, especially in the coding-theoretic setting, where it corresponds to the Decoding Problem of
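To make the underlying problem concrete, the following is an added, constructed example (not code from the paper, and it does not implement the Augot-Finiasz scheme or any of the attacks discussed): it builds a random Polynomial Reconstruction instance over a prime field, i.e. n evaluation points of a degree-below-k polynomial with t of the values corrupted, and recovers the polynomial with the Berlekamp-Welch decoder, which succeeds exactly in the unique-decoding regime t <= (n - k) / 2. The modulus, the parameter choices and the helper names are all assumptions of this example; the regime beyond the bound, where Sudan and Guruswami-Sudan list decoding applies, is only exhibited by showing that the unique decoder no longer returns the secret polynomial.

```python
"""Polynomial Reconstruction over GF(P) with a Berlekamp-Welch decoder.

Constructed example: a PR instance is a set of n points (x_i, y_i) such
that some polynomial of degree < k agrees with at least n - t of them.
Decoding a Reed-Solomon codeword with t errors is the same problem.
"""
import random

P = 7919  # prime field modulus (assumption: any prime works)


def poly_eval(coeffs, x, p=P):
    """Evaluate a low-to-high coefficient list at x modulo p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def make_instance(k, n, t, seed=1, p=P):
    """Random degree-<k polynomial, n distinct points, t corrupted values."""
    rng = random.Random(seed)
    secret = [rng.randrange(p) for _ in range(k)]
    xs = rng.sample(range(1, p), n)
    ys = [poly_eval(secret, x, p) for x in xs]
    for i in rng.sample(range(n), t):
        ys[i] = (ys[i] + rng.randrange(1, p)) % p  # always changes the value
    return secret, list(zip(xs, ys))


def solve_mod_p(rows, p=P):
    """Gauss-Jordan on an augmented matrix over GF(p).
    Returns one solution (free variables set to 0) or None if inconsistent."""
    m = [r[:] for r in rows]
    ncols = len(m[0]) - 1
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], p - 2, p)
        m[r] = [(v * inv) % p for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    if any(m[i][-1] for i in range(r, len(m))):  # 0 = nonzero row: no solution
        return None
    sol = [0] * ncols
    for i, c in enumerate(pivots):
        sol[c] = m[i][-1]
    return sol


def poly_divmod(num, den, p=P):
    """Long division of coefficient lists over GF(p); den must be nonzero."""
    num = num[:]
    while len(den) > 1 and den[-1] == 0:
        den = den[:-1]
    dl = len(den) - 1
    inv = pow(den[-1], p - 2, p)
    quot = [0] * max(len(num) - dl, 1)
    for i in range(len(num) - 1, dl - 1, -1):
        f = (num[i] * inv) % p
        quot[i - dl] = f
        if f:
            for j in range(dl + 1):
                num[i - dl + j] = (num[i - dl + j] - f * den[j]) % p
    return quot, (num[:dl] if dl else [0])


def unique_decoding_bound(n, k):
    """Largest number of errors Berlekamp-Welch is guaranteed to correct."""
    return (n - k) // 2


def berlekamp_welch(points, k, e, p=P):
    """Recover the degree-<k polynomial agreeing with all but <= e points.
    Unknowns: Q (degree < k+e) and a monic error locator E (degree e) with
    Q(x_i) = y_i * E(x_i) for every point.  Any solution satisfies Q = p*E
    when n >= k + 2e, so p = Q / E.  Returns None when no such p exists."""
    n = len(points)
    if n < k + 2 * e:
        raise ValueError("unique decoding needs n >= k + 2e")
    rows = []
    for x, y in points:
        q_part = [pow(x, j, p) for j in range(k + e)]
        e_part = [(-y * pow(x, j, p)) % p for j in range(e)]
        rows.append(q_part + e_part + [(y * pow(x, e, p)) % p])
    sol = solve_mod_p(rows, p)
    if sol is None:
        return None
    q, locator = sol[:k + e], sol[k + e:] + [1]
    coeffs, rem = poly_divmod(q, locator, p)
    if any(rem):
        return None  # E does not divide Q: more than e errors
    return (coeffs + [0] * k)[:k]


if __name__ == "__main__":
    k, n = 8, 24
    e = unique_decoding_bound(n, k)  # 8
    secret, pts = make_instance(k, n, t=e, seed=3)
    print("within bound, recovered:", berlekamp_welch(pts, k, e) == secret)
    secret, pts = make_instance(k, n, t=e + 1, seed=3)
    print("beyond bound, recovered:", berlekamp_welch(pts, k, e) == secret)
```

The correctness argument is the one in the docstring: for a correct point, (Q - pE)(x_i) = 0, so Q - pE, of degree below k + e, vanishes on at least n - e >= k + e points and is therefore zero. With t > e errors the locator would have to vanish on t > deg E points, which is impossible, so the decoder either reports an inconsistent system or a non-divisible quotient, but never the wrong polynomial silently.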
References

- New directions in cryptography – Diffie, Hellman (1976) [1752]
- Probabilistic Encryption – Goldwasser, Micali (1984) [845]
- How to prove yourself: Practical solutions to identification and signature problems – Fiat, Shamir (1987) [553]
- Undeniable signatures – Chaum, van Antwerpen [357]
- Nonmalleable cryptography – Dolev, Dwork, et al. [355]
- Fast probabilistic algorithms for verification of polynomial identities – Schwartz (1980) [257]
- Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack – Rackoff, Simon (1992) [245]
- Security arguments for digital signatures and blind signatures – Pointcheval, Stern (2000) [175]
- Efficient group signature schemes for large groups – Camenisch, Stadler (1997) [169]
- A Practical and Provably Secure Coalition-Resistant Group Signature Scheme – Ateniese, Camenisch, Joye, Tsudik (2000) [159]
- Improved decoding of Reed-Solomon and algebraic-geometric codes – Guruswami, Sudan (1998) [157]
- Decoding of Reed-Solomon codes beyond the error-correction bound – Sudan (1997) [148]
- Oblivious transfer and polynomial evaluation – Naor, Pinkas (1999) [140]
- The Decision Diffie-Hellman Problem – Boneh (1998) [133]
- Signature schemes based on the strong RSA assumption – Cramer, Shoup [113]
- Short group signatures – Boneh, Boyen, et al. (2004) [99]
- Error correction of algebraic block codes – Berlekamp, Welch [89]
- A group signature scheme with improved efficiency – Camenisch, Michels (1998) [80]
- Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions – Bellare, Micciancio, et al. (2003) [74]
- Identity escrow – Kilian, Petrank (1998) [71]
- Efficient and generalized group signatures – Camenisch (1997) [68]
- An Efficient Public Key Traitor Tracing Scheme – Boneh, Franklin (1999) [67]
- Separability and Efficiency for Generic Group Signature Schemes – Camenisch, Michels (1998) [62]
- Some open issues and new directions in group signatures – Ateniese, Tsudik [57]
- A key distribution system equivalent to factoring – McCurley (1988) [55]
- Dynamic Traitor Tracing – Fiat, Tassa [40]
- Efficient Trace and Revoke Schemes – Naor, Pinkas (2000) [35]
- How to convert any digital signature scheme into a group signature scheme – Petersen (1997) [32]
- The tail of the hypergeometric distribution – Chvátal (1979) [31]
- Long-lived broadcast encryption – Garay, Staddon, et al. (2000) [31]
- Verifiable Encryption, Group Encryption, and Their Applications to Group Signatures and Signature Sharing Schemes – Camenisch, Damgård (2000) [29]
- Trials of traced traitors – Pfitzmann (1996) [28]
- Traceable signatures – Kiayias, Tsiounis, et al. (2004) [27]
- Public key trace and revoke scheme secure against adaptive chosen ciphertext attack – Dodis, Fazio (2003) [25]
- Optimum traitor tracing and asymmetric schemes – Kurosawa, Desmedt (1998) [25]
- Threshold Traitor Tracing – Naor, Pinkas (1998) [22]
- On the foundations of modern cryptography – Goldreich (1997) [20]
- Tracing traitors – Chor, Fiat, Naor (1994) [20]
- An identity escrow scheme with appointed verifiers – Camenisch, Lysyanskaya [18]
- From identification to signatures via the Fiat-Shamir transform: Minimizing assumptions for security and forward-security – Abdalla, An, et al. (2002) [17]
- Self Protecting Pirates and Black-Box Traitor Tracing – Kiayias, Yung (2001) [17]
- Traitor Tracing with Constant Transmission Rate – Kiayias, Yung (2002) [16]
- Non-malleable cryptography (extended abstract) – Dolev, Dwork, et al. (1991) [15]
- Group signatures: provable security, efficient constructions, and anonymity from trapdoor-holders. Cryptology ePrint Archive, Report 2004/076 – Kiayias, Yung (2004) [12]
- Identity escrow – Kilian, Petrank (1998) [12]
- Sequential Traitor Tracing – Safavi-Naini, Wang [12]
- On the efficiency of group signatures providing information theoretic anonymity – Chen, Pedersen (1995) [11]
- Breaking and repairing asymmetric public-key traitor tracing – Kiayias, Yung (2003) [11]
- Extracting group signatures from traitor tracing schemes – Kiayias, Yung (2003) [10]
- Efficient traitor tracing algorithms using list decoding – Silverberg, Staddon, et al. (2001) [10]