Side-channel analysis in code-based cryptography
1 1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017
2 Outline McEliece cryptosystem Timing Attack Power consumption Attack Conclusion
4 Communication Once upon a time... a woman, Alice and a man, Bob who wanted to communicate together.
5 Attack But they did not want anyone else, such as Eve, to understand this message.
6 Cryptology: the science of secrets (kryptos = secret/hidden, logos = science). Two concepts: Cryptography (secret writing) and Cryptanalysis (analysis of a secret).
7 7 Cryptography Using a one-way function to do: Encryption Identification Signature Hash function
9 Secret-Key Cryptosystem: Caesar
10 Public-Key Cryptosystem (PKC) [DH76]. [DH76] W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, 1976.
11 Post-quantum cryptography: code-based cryptography, lattice-based cryptography, hash-based cryptography, multivariate-based cryptography. No polynomial-time solution, contrary to number-theoretic problems [Sho97]. [Sho97] P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Journal on Computing, 26(5).
13 Linear code. Definition (Linear code): Let $q = p^m$ be a power $m > 0$ of some prime $p$. Let $F_q$ denote the finite field of $q$ elements. A linear code $C$ of length $n$ and dimension $k$ is a $k$-dimensional subspace of $F_q^n$. Definition (Generator matrix): Let $C$ be an $[n, k]_q$-linear code. Let $G \in M_{k,n}(F_q)$. We call $G$ a generator matrix of $C$ iff the rows of $G$ are basis vectors of $C$.
14 Syndrome Decoding (SD) problem [BMcEvT78]. Inputs: $H$, a matrix of size $r \times n$; $S$, a binary vector of length $r$; $t$, an integer. Problem: Does there exist a binary vector $e$ of length $n$ and weight $t$ such that : Here $r = n - k$, and $S$ is called the syndrome. Theorem: SD is NP-complete. [BMcEvT78] E. R. Berlekamp, R. J. McEliece, and H. C. van Tilborg, On the inherent intractability of certain coding problems, IEEE Transactions on Information Theory, 1978.
15 McEliece PKC, proposed in [McE78].
Key generation: sk: (Q, G, P), pk: (G, m, t), with G = Q G P.
Encryption: 1. Message encoding into a codeword 2. Error vector adding to the codeword
Decryption: 1. Ciphertext permutation 2. Syndrome computation 3. Solving of the key equation 4. Error position finding
[McE78] R. J. McEliece, A public-key cryptosystem based on algebraic coding theory, California Inst. Technol., Pasadena, CA, Tech. Rep. 44, 1978.
16 14 Cryptography Theory vs. Practice Mathematics Implementations VS.
17 Definition (SCA): A Side-Channel Attack (SCA) exploits physical phenomena to obtain information carried by channels associated with an implementation (software or hardware). First SCA in [Koc96]. [Koc96] P. C. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, CRYPTO 96, Springer, LNCS, vol. 1109.
18 Outline McEliece cryptosystem Timing Attack Power consumption Attack Conclusion
20 McEliece Decryption: attack on the Extended Euclidean Algorithm (EEA) double call
1. Ciphertext permutation
2. Syndrome computation
3. Solving the key equation (with Patterson [Pat75]):
3.1 Syndrome inversion (via EEA)
3.2 Square root computation
3.3 Error locator polynomial (ELP) determination (via EEA)
4. Error position finding
4.1 ELP evaluation
4.2 Error correction
[Pat75] N. J. Patterson, The algebraic decoding of Goppa codes, IEEE Transactions on Information Theory, 21(2), 1975.
21 Attack on the 2nd EEA call: error locator polynomial (ELP) determination [Str10]. ELP determination attack [Str10] with error weight $\varepsilon = 4 < t$:
$\sigma(X) = \sigma_4 X^4 + \sigma_3 X^3 + \sigma_2 X^2 + \sigma_1 X + \sigma_0 = a^2(X) + X\, b^2(X)$
with:
$a(X) = \sigma_4 X^2 + \sigma_2 X + \sigma_0$
$b(X) = \sigma_3 X + \sigma_1$
[Str10] F. Strenzke, A timing attack against the secret permutation in the McEliece PKC, Post-Quantum Cryptography 2010, Springer, LNCS, vol. 6061.
22 Attack on the 2nd EEA call: error locator polynomial (ELP) determination [Str10]. $b(X) = \sigma_3 X + \sigma_1$. Two possible cases:
If $\deg(b) = 0$: then $\sigma_3 = \alpha_{P(i_1)} + \alpha_{P(i_2)} + \alpha_{P(i_3)} + \alpha_{P(i_4)} = 0$, so max 2 iterations in EEA.
If $\deg(b) = 1$: then $\sigma_3 = \alpha_{P(i_1)} + \alpha_{P(i_2)} + \alpha_{P(i_3)} + \alpha_{P(i_4)} \neq 0$, so max 1 iteration in EEA.
23 Attack on the 1st EEA call: syndrome inversion [Str13]. Syndrome inversion attack [Str13] with error weight $\varepsilon = 4 < t$:
$S_E(X) \equiv \frac{\sigma_E'(X)}{\sigma_E(X)} \equiv \sum_{i=1,\, E_i=1}^{n} \frac{1}{X - \alpha_i} \bmod G(X)$
$S_E(X) \equiv \frac{\sigma_3 X^2 + \sigma_1}{X^4 + \sigma_3 X^3 + \sigma_2 X^2 + \sigma_1 X + \sigma_0} \bmod G(X)$
[Str13] F. Strenzke, Timing attacks against the syndrome inversion in code-based cryptosystems, PQCrypto 2013, Springer, LNCS, vol. 7932.
25 Attack on the 1st EEA call: syndrome inversion [Str13]. Attack with error weight $\varepsilon = 4 < t$, with:
$\sigma_E'(X) = \sigma_3 X^2 + \sigma_1$, $\sigma_3 = \alpha_{P(i_1)} + \alpha_{P(i_2)} + \alpha_{P(i_3)} + \alpha_{P(i_4)}$.
Two possible cases:
If $\sigma_3 = 0$: then $\deg(\sigma_E') = 0$, so max 4 iterations in EEA.
If $\sigma_3 \neq 0$: then $\deg(\sigma_E') = 2$, so max 6 iterations in EEA.
26 Attack on the EEA double call: relation between both EEA calls [BCDR17]. Relation between both EEA calls exploited in [BCDR17], for an error weight $\varepsilon$ s.t. $4 \le \varepsilon \le t/2$ and $2 \mid \varepsilon$:
If $\sigma_{\varepsilon-1} \neq 0$: then 1. Syndrome inversion: max $2\varepsilon - 2$ iterations. 2. ELP determination: max $\varepsilon/2$ iterations.
If $\sigma_{\varepsilon-1} = 0$ and $\sigma_{\varepsilon-3} \neq 0$: then 1. Syndrome inversion: max $2\varepsilon - 4$ iterations. 2. ELP determination: max ε/2 1 iterations.
[BCDR17] D. Bucerzan, P.-L. Cayrel, V. Dragoi and T. Richmond, Improved Timing Attacks against the Secret Permutation in the McEliece PKC, IJCCC
28 Attack on the EEA double call: relation between both EEA calls [BCDR17]. Our proposition: combine the two previous attacks, [Str10] and [Str13], to obtain relations between support elements, up to t/2 elements. Countermeasure: do additional iterations to make the number of iterations in the EEA constant (i.e. depending not on the error weight but only on the degree of the Goppa polynomial). Remark: possible attack by power analysis? Or by fault injection, as for the Square-and-Multiply algorithm?
29 Outline McEliece cryptosystem Timing Attack Power consumption Attack Conclusion
31 Four profiles of implementation [HMP10] for ciphertext permutation and syndrome computation
Profile I: $C_p = C P^{-1}$, then $S = C_p H^T$.
Profile II: $C_p = C P^{-1}$, then polynomial operations for Goppa codes $\Gamma(L, G)$ with $L$ and $G$.
Profile III: $H_p^T = P^{-1} H^T$, then $S = C H_p^T$.
Profile IV: $L_p = L P$, then polynomial operations for Goppa codes $\Gamma(L, G)$ with $L_p$ and $G$.
[HMP10] S. Heyse, A. Moradi and C. Paar, Practical Power Analysis Attacks on Software Implementations of McEliece, PQCrypto 2010.
32 28 Attack platform scheme ARM Cortex-M3 microprocessor
33 Simple Power Analysis (SPA) on the syndrome computation (vector-matrix product). McEliece Decryption: 1. Ciphertext permutation 2. Syndrome computation: $S = C_p H$ 3. Solving of the key equation 4. Error position finding
35 Syndrome computation: Algorithm
Inputs: Permuted ciphertext $C_p \in F_2^n$, parity-check matrix $H \in M_{r,n}(F_2)$.
For i = 1 to n
  If C_{p_i} = 1
    S = S ⊕ H_i
  EndIf
EndFor
Return S.
Output: Syndrome $S \in F_2^r$ of $C_p$.
36 32 Syndrome computation Scheme
37 SPA on the syndrome computation [PRDCF15]: toy example of SPA with a Chosen Ciphertext Attack (CCA). [Figure: input codewords (CCA) are known to the attacker; the permutation matrix $P^{-1}$, the bit-permuted codewords and the parity-check matrix $H^T$ are secret data; the leakage is the power consumption traces; the attack reconstructs the bit-permuted codewords and, by comparing them with the inputs, the P matrix.] [PRDCF15] M. Petrvalský, T. Richmond, M. Drutarovský, P.-L. Cayrel and V. Fischer, Countermeasure against the SPA attack on an embedded McEliece cryptosystem, IEEE, International Conference Radioelektronika 2015.
38 Countermeasure [PRDCF15]: First algorithm
Inputs: Permuted ciphertext $C_p \in F_2^n$, parity-check matrix $H \in M_{r,n}(F_2)$.
words = r/sizeof(S)   (required number of bytes to store S)
For i = 1 to n
  tmp = unsigned(0 − C_{p_i})
  For j = 1 to words
    S_j = S_j ⊕ (H_{i,j} & tmp)
  EndFor
EndFor
Return S.
Output: Syndrome $S \in F_2^r$ of $C_p$.
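The branching syndrome computation and the first countermeasure algorithm side by side, as an added C example (not code from the talk or from [PRDCF15]). The matrix columns, the two sample ciphertexts, the 16-bit word size and the returned operation counter are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define N 8      /* code length n (constructed toy size) */
#define WORDS 2  /* 16-bit words needed to store an r = 32 bit syndrome */

/* Constructed sample data: row i holds column H_i of the parity-check matrix. */
static const uint16_t H_COL[N][WORDS] = {
    {0x8001, 0x0100}, {0x4002, 0x0220}, {0x2004, 0x0440}, {0x1008, 0x0880},
    {0x0810, 0x1001}, {0x0420, 0x2002}, {0x0240, 0x4004}, {0x0180, 0x8008}
};

/* Two constructed permuted ciphertexts C_p of different Hamming weight. */
static const uint8_t CP_LIGHT[N] = {0, 0, 1, 0, 0, 0, 0, 0};
static const uint8_t CP_HEAVY[N] = {1, 1, 0, 1, 1, 0, 1, 1};

/* Algorithm with the branch: a column is added only when the bit is 1.
 * Returns the number of column additions executed, which equals the Hamming
 * weight of C_p; this data-dependent work is what a power trace reveals. */
size_t syndrome_branching(const uint8_t cp[N], uint16_t s[WORDS])
{
    size_t col_adds = 0;
    for (size_t j = 0; j < WORDS; j++) s[j] = 0;
    for (size_t i = 0; i < N; i++) {
        if (cp[i] == 1) {
            for (size_t j = 0; j < WORDS; j++) s[j] ^= H_COL[i][j];
            col_adds++;
        }
    }
    return col_adds;
}

/* First countermeasure algorithm: tmp = unsigned(0 - C_p[i]) is all ones or
 * all zeros, so every column is loaded, ANDed and XORed for every bit.
 * Returns the number of column additions executed, always N.
 * On a real target, check the generated assembly: an optimising compiler
 * is allowed to turn this pattern back into a branch. */
size_t syndrome_masked(const uint8_t cp[N], uint16_t s[WORDS])
{
    size_t col_adds = 0;
    for (size_t j = 0; j < WORDS; j++) s[j] = 0;
    for (size_t i = 0; i < N; i++) {
        uint16_t tmp = (uint16_t)(0u - (unsigned)(cp[i] & 1u));
        for (size_t j = 0; j < WORDS; j++)
            s[j] ^= (uint16_t)(H_COL[i][j] & tmp);
        col_adds++;
    }
    return col_adds;
}

/* 1 if both variants return the same syndrome for cp, else 0. */
int same_syndrome(const uint8_t cp[N])
{
    uint16_t a[WORDS], b[WORDS], diff = 0;
    syndrome_branching(cp, a);
    syndrome_masked(cp, b);
    for (size_t j = 0; j < WORDS; j++) diff |= (uint16_t)(a[j] ^ b[j]);
    return diff == 0;
}

int main(void)
{
    uint16_t s[WORDS];
    printf("branching: light=%zu heavy=%zu column additions\n",
           syndrome_branching(CP_LIGHT, s), syndrome_branching(CP_HEAVY, s));
    printf("masked:    light=%zu heavy=%zu column additions\n",
           syndrome_masked(CP_LIGHT, s), syndrome_masked(CP_HEAVY, s));
    printf("same syndrome: %d %d\n",
           same_syndrome(CP_LIGHT), same_syndrome(CP_HEAVY));
    return 0;
}
```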
39 Countermeasure [PRDCF15]: Second algorithm
Inputs: Permuted ciphertext $C_p \in F_2^n$, parity-check matrix $H \in M_{r,n}(F_2)$.
words = r/sizeof(S)   (required number of bytes to store S)
Syndrome masking:
For j = 1 to words
  S_j = S_j & 0xAAAA
EndFor
Syndrome computation:
For i = 1 to n
  tmp = unsigned(0 − C_{p_i})
  For j = 1 to words
    S_j = S_j ⊕ (H_{i,j} & tmp)
  EndFor
EndFor
Syndrome unmasking:
For j = 1 to words
  S_j = S_j & 0xAAAA
EndFor
Return S.
Output: Syndrome $S \in F_2^r$ of $C_p$.
40 36 Syndrome computation with countermeasure [PRDCF15] Scheme
41 Differential Power Analysis (DPA) on the ciphertext permutation (for example, vector-matrix product). Decryption: 1. Ciphertext permutation: $C_p = C P^{-1}$ 2. Syndrome computation 3. Solving of the key equation 4. Error position finding
43 Simple permutation: Example [Figure: ciphertext C (bit index j, up to n), permutation P, permuted ciphertext C_p (bit index i, up to n)]
44 Simple permutation: Algorithm
Inputs: Private permutation matrix $P^{-1} \in M_{n,n}(F_2)$ represented by a lookup table $t^{P^{-1}}$, ciphertext $C \in F_2^n$.
For i = 0 to n − 1
  j = t_i^{P^{-1}}
  C_{p_i} = C_j
Endfor
Return C_p.
Output: Permuted ciphertext $C_p \in F_2^n$.
45 Secure permutation [STMOS08]: Algorithm
Inputs: Private permutation matrix $P^{-1} \in M_{n,n}(F_2)$ represented by a lookup table $t^{P^{-1}}$, ciphertext $C \in F_2^n$.
1. For i = 0 to n − 1
2.   j = t_i^{P^{-1}}
3.   C_{p_i} = 0
4.   For h = 0 to n − 1
5.     k = C_{p_i}
6.     µ = C_h
7.     s = j ⊕ h
8.     s |= s ≫ 1
9.     s |= s ≫ 2
10.    s |= s ≫ 4
11.    s |= s ≫ 8
12.    s |= s ≫ 16
13.    s &= 1
14.    s = ∼(s − 1)
15.    C_{p_i} = (s & k) | ((∼s) & µ)
16.  Endfor
17. Endfor
18. Return C_p
Output: Permuted ciphertext $C_p \in F_2^n$.
[STMOS08] F. Strenzke, E. Tews, H. G. Molter, R. Overbeck and A. Shoufan, Side Channels in the McEliece PKC, PQCrypto 2008.
46 Secure permutation [STMOS08]: Examples [Figure: 32-bit values of s traced through steps 7 (s = j ⊕ h) to 14 (s = ∼(s − 1)); test hypotheses on the final value of s: 00...0 or 11...1]
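47 Weakness [PRDCF16]. Leakage at step 15: $C_{p_i} = (s \,\&\, k) \mid ((\sim s) \,\&\, \mu)$, where $(s \,\&\, k)$ is true only if s is all ones, else false, and $((\sim s) \,\&\, \mu)$ is true only if s is all zeros, else false. Giving, along the inner loop index h (up to n − 1): k = 0 before position j, k = C_j after it. [PRDCF16] M. Petrvalský, T. Richmond, M. Drutarovský, P.-L. Cayrel and V. Fischer, Differential power analysis attack on the secure bit permutation in the McEliece cryptosystem, IEEE Radioelektronika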
48 DPA on the ciphertext permutation [PRDCF16] [Figure: input random ciphertexts (CCA) are known to the attacker; the permutation matrix $P^{-1}$ and the bit-permuted ciphertexts are secret data; the leakage is the power consumption traces; the attack runs one correlation analysis (CA) for each bit and reconstructs the $P^{-1}$ matrix by analysing the CAs.]
49 Traces analysis [PRDCF16]: apply a Hamming-weight leakage model on individual bits, $H_i \in \{0, 1\}$; use the correlation coefficient to test our hypotheses against the measurements; a hypothesis is good if the coefficient is (almost) 1 or -1; average of 500 traces per ciphertext hypothesis to avoid noise; the chosen ciphertexts are all vectors of weight 1.
50 46 Trace example [PRDCF16]
51 Countermeasure [PRDCF16]: Algorithm
Inputs: Private permutation matrix $P^{-1} \in M_{n,n}(F_2)$ represented by a lookup table $t^{P^{-1}}$, ciphertext $C \in F_2^n$ and private generator matrix.
1. Randomly choose $B \in \Gamma(L, G)$
2. $B_p = B P$
3. $\tilde{C} = C \oplus B_p$
4. For i = 0 to n − 1
5.   j = t_i^{P^{-1}}
6.   C̃_{p_i} = 0
7.   For h = 0 to n − 1
8.     k = C̃_{p_i}
9.     µ = C̃_h
10.    s = j ⊕ h
11.    s |= s ≫ 1
12.    s |= s ≫ 2
13.    s |= s ≫ 4
14.    s |= s ≫ 8
15.    s |= s ≫ 16
16.    s &= 1
17.    s = ∼(s − 1)
18.    C̃_{p_i} = (s & k) | ((∼s) & µ)
19.  Endfor
20. Endfor
21. Return C̃_p
Output: Permuted ciphertext $\tilde{C}_p \in F_2^n$ masked by a codeword.
52 Countermeasure [PRDCF16]: Scheme [Figure: input random ciphertexts (CCA) are known to the attacker; the secret data are the bit-permuted ciphertexts with added codewords B_1, B_2, B_3, B_4, i.e. modified Goppa codewords for all four ciphertexts.]
53 Countermeasure [PRDCF16]: Main idea
From masked ciphertext to masked permuted ciphertext:
$\tilde{C}_p = \tilde{C} P^{-1} = (C \oplus B_p) P^{-1} = C P^{-1} \oplus (B P) P^{-1} = C_p \oplus B.$
From masked permuted ciphertext to the same syndrome as for the non-masked ciphertext:
$\tilde{S} = \tilde{C}_p H^T = (C_p \oplus B) H^T = C_p H^T \oplus \underbrace{B H^T}_{=0} = C_p H^T.$
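The secure permutation (steps 7 to 15 of [STMOS08]) and the codeword-masking identities above, checked end to end in an added C example (not code from the talk or the cited papers). A [7,4] Hamming code stands in for the Goppa code, and the permutation table, sample ciphertext and function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define N 7 /* toy length: a [7,4] Hamming code stands in for the Goppa code */

/* Constructed sample data (not from the talk). */
static const uint8_t G_ROWS[4][N] = {             /* generator matrix rows */
    {1,0,0,0,1,1,0}, {0,1,0,0,1,0,1}, {0,0,1,0,0,1,1}, {0,0,0,1,1,1,1}
};
static const uint8_t H_COL[N]    = {3, 5, 6, 7, 1, 2, 4}; /* column i of H, 3 bits */
static const uint8_t T_PINV[N]   = {3, 0, 6, 1, 5, 2, 4}; /* C_p[i] = C[T_PINV[i]] */
static const uint8_t C_SAMPLE[N] = {1, 0, 1, 1, 0, 0, 1}; /* ciphertext C */

/* Codeword B = m G for a 4-bit m; a device would draw m at random per call. */
void encode(uint8_t m, uint8_t b[N])
{
    for (int i = 0; i < N; i++) {
        b[i] = 0;
        for (int r = 0; r < 4; r++)
            b[i] ^= (uint8_t)(((m >> r) & 1u) & G_ROWS[r][i]);
    }
}

/* Secure permutation: every C[h] is read for every output bit and the wanted
 * one is kept with a mask, so no load address depends on the table entry. */
void permute_secure(const uint8_t c[N], uint8_t cp[N])
{
    for (uint32_t i = 0; i < N; i++) {
        uint32_t j = T_PINV[i];
        uint32_t acc = 0;                        /* C_p[i] = 0 */
        for (uint32_t h = 0; h < N; h++) {
            uint32_t k = acc, mu = c[h];
            uint32_t s = j ^ h;                  /* zero only when j == h */
            s |= s >> 1; s |= s >> 2; s |= s >> 4; s |= s >> 8; s |= s >> 16;
            s &= 1u;                             /* 1 if j != h, 0 if j == h */
            s = ~(s - 1u);                       /* all ones if j != h, else 0 */
            acc = (s & k) | (~s & mu);           /* keep k, or take C[h] */
        }
        cp[i] = (uint8_t)acc;
    }
}

/* Masking step: C~ = C xor B_p with B_p = B P, i.e. B_p[T_PINV[i]] = B[i].
 * Written as a plain table write to keep the example short. */
void mask_ciphertext(const uint8_t c[N], const uint8_t b[N], uint8_t cm[N])
{
    for (int i = 0; i < N; i++)
        cm[T_PINV[i]] = (uint8_t)(c[T_PINV[i]] ^ b[i]);
}

/* Branch-free syndrome S = C_p H^T, returned as a 3-bit value. */
unsigned syndrome(const uint8_t cp[N])
{
    unsigned s = 0;
    for (int i = 0; i < N; i++)
        s ^= H_COL[i] & (0u - (unsigned)cp[i]);
    return s;
}

/* Syndrome of the codeword m G; 0 for every m because B H^T = 0. */
unsigned codeword_syndrome(uint8_t m)
{
    uint8_t b[N];
    encode(m, b);
    return syndrome(b);
}

/* Syndrome of the unmasked permuted sample ciphertext. */
unsigned sample_syndrome(void)
{
    uint8_t cp[N];
    permute_secure(C_SAMPLE, cp);
    return syndrome(cp);
}

/* 1 iff masking with B = m G gives C~_p = C_p xor B and the same syndrome. */
int masking_is_transparent(uint8_t m)
{
    uint8_t b[N], cm[N], cp[N], cm_p[N];
    int ok = 1;
    encode(m, b);
    permute_secure(C_SAMPLE, cp);
    mask_ciphertext(C_SAMPLE, b, cm);
    permute_secure(cm, cm_p);
    for (int i = 0; i < N; i++) ok &= (cm_p[i] == (cp[i] ^ b[i]));
    ok &= (syndrome(cm_p) == syndrome(cp));
    return ok;
}

int main(void)
{
    printf("unmasked syndrome: %u\n", sample_syndrome());
    for (unsigned m = 0; m < 16; m++)
        printf("mask m=%2u transparent=%d\n", m, masking_is_transparent((uint8_t)m));
    return 0;
}
```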
54 Countermeasure [PRDCF16]: Trace example [Figure: correlation coefficient plot]
55 Outline McEliece cryptosystem Timing Attack Power consumption Attack Conclusion
56 Conclusion: Two Chosen Ciphertext Attacks targeting the private permutation in the McEliece cryptosystem. Timing attack (TA): analysis of both EEA calls in Patterson's algorithm during the McEliece decryption (syndrome inversion and error locator determination); study of two previous attacks; combination of both attacks to get more information; countermeasure proposal (adding computations in the EEA); these timing attacks depend on the code structure, so they are useless against linear codes other than Goppa codes.
57 Conclusion: Power consumption attack (PA): analysis of the first two steps of the McEliece decryption (ciphertext permutation and syndrome computation); SPA against the syndrome computation implemented on a microcontroller; masking countermeasure to avoid branches; DPA against a secure permutation algorithm implemented on a microcontroller; masking countermeasure (with n more bits and not a huge amount of additional computations); both PA attacks do not depend on the code structure, so they are possible against linear codes other than Goppa codes.
58 Perspectives: Four profiles of implementation [HMP10] for ciphertext permutation and syndrome computation. Profile I: $C_p = C P^{-1}$, then $S = C_p H^T$. Profile II: $C_p = C P^{-1}$, then polynomial operations for Goppa codes $\Gamma(L, G)$ with $L$ and $G$. Profile III: $H_p^T = P^{-1} H^T$, then $S = C H_p^T$. Profile IV: $L_p = L P$, then polynomial operations for Goppa codes $\Gamma(L, G)$ with $L_p$ and $G$. Best choice?!
59 Perspectives: make a power analysis and try a fault injection attack on the countermeasure against the TA; try a higher-order power consumption attack or a template attack on the countermeasure against the PA; recover the Goppa polynomial after getting the private permutation matrix and knowing the order of the support elements in the McEliece public-key cryptosystem.
60 56 Side-channel analysis in code-based cryptography Tania RICHMOND Thank you for your attention!
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationSigning with Codes. c Zuzana Masárová 2014
Signing with Codes by Zuzana Masárová A thesis presented to the University of Waterloo in fulfilment of the thesis requirement for the degree of Master of Mathematics in Combinatorics and Optimization
More informationA Fast Provably Secure Cryptographic Hash Function
A Fast Provably Secure Cryptographic Hash Function Daniel Augot, Matthieu Finiasz, and Nicolas Sendrier Projet Codes, INRIA Rocquencourt BP 15, 78153 Le Chesnay - Cedex, France [DanielAugot,MatthieuFiniasz,NicolasSendrier]@inriafr
More informationA brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationError-correcting codes and Cryptography
Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop Eindhoven, May -2, 2 /45 CONTENTS I II III IV V Error-correcting codes; the basics Quasi-cyclic codes; codes generated
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationEfficient Leak Resistant Modular Exponentiation in RNS
Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1), Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2)
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationA DPA attack on RSA in CRT mode
A DPA attack on RSA in CRT mode Marc Witteman Riscure, The Netherlands 1 Introduction RSA is the dominant public key cryptographic algorithm, and used in an increasing number of smart card applications.
More informationCryptanalysis of the Original McEliece Cryptosystem
Cryptanalysis of the Original McEliece Cryptosystem Anne Canteaut and Nicolas Sendrier INRIA - projet CODES BP 105 78153 Le Chesnay, France Abstract. The class of public-ey cryptosystems based on error-correcting
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationEnhanced public key security for the McEliece cryptosystem
Enhanced public key security for the McEliece cryptosystem Marco Baldi 1, Marco Bianchi 1, Franco Chiaraluce 1, Joachim Rosenthal 2, and Davide Schipani 2 1 Università Politecnica delle Marche, Ancona,
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationMDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes
MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier, Paulo S. L. M. Barreto To cite this version: Rafael Misoczki, Jean-Pierre
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationQC-MDPC: A Timing Attack and a CCA2 KEM
QC-MDPC: A Timing Attack and a CCA2 KEM Edward Eaton 1, Matthieu Lequesne 23, Alex Parent 1, and Nicolas Sendrier 3 1 ISARA Corporation, Waterloo, Canada {ted.eaton,alex.parent}@isara.com 2 Sorbonne Universités,
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationAn Overview to Code based Cryptography
Joachim Rosenthal University of Zürich HKU, August 24, 2016 Outline Basics on Public Key Crypto Systems 1 Basics on Public Key Crypto Systems 2 3 4 5 Where are Public Key Systems used: Public Key Crypto
More informationResistance of Randomized Projective Coordinates Against Power Analysis
Resistance of Randomized Projective Coordinates Against Power Analysis William Dupuy and Sébastien Kunz-Jacques DCSSI Crypto Lab 51, bd de Latour-Maubourg, 75700 PARIS 07 SP william.dupuy@laposte.net,
More information