Code-based Cryptography

Similar documents
Attacks in code based cryptography: a survey, new results and open problems

Errors, Eavesdroppers, and Enormous Matrices

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Code Based Cryptography

Error-correcting codes and applications

Attacking and defending the McEliece cryptosystem

Introduction to Quantum Safe Cryptography. ENISA September 2018

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Post-Quantum Cryptography

Cryptanalysis of NISTPQC submissions

Codes used in Cryptography

Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

An Overview to Code based Cryptography

McEliece type Cryptosystem based on Gabidulin Codes

Side-channel analysis in code-based cryptography

Advances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago

Channel Coding for Secure Transmissions

Constructive aspects of code-based cryptography

QC-MDPC: A Timing Attack and a CCA2 KEM

Wild McEliece Incognito

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem

Code-based cryptography

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Notes 10: Public-key cryptography

Error-correcting Pairs for a Public-key Cryptosystem

Noisy Diffie-Hellman protocols

Error-correcting codes and Cryptography

Code Based Cryptology at TU/e

A Reaction Attack on the QC-LDPC McEliece Cryptosystem

Vulnerabilities of McEliece in the World of Escher

arxiv: v2 [cs.cr] 14 Feb 2018

Side Channel Analysis and Protection for McEliece Implementations

Enhanced public key security for the McEliece cryptosystem

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Notes on Alekhnovich s cryptosystems

1 Number Theory Basics

Code-Based Cryptography

Quantum-resistant cryptography

On the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier

FPGA-based Key Generator for the Niederreiter Cryptosystem using Binary Goppa Codes

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

LDPC codes in the McEliece cryptosystem: attacks and countermeasures

Code-based cryptography

Cryptanalysis of the Wu}Dawson Public Key Cryptosystem

An Overview on Post-Quantum Cryptography with an Emphasis. an Emphasis on Code based Systems

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

DAGS: Key Encapsulation using Dyadic GS Codes

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Lecture 1: Introduction to Public key cryptography

Code-Based Cryptography McEliece Cryptosystem

Toward Secure Implementation of McEliece Decryption

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Efficient Encryption from Random Quasi-Cyclic Codes

Cryptographic Engineering

Code-Based Cryptography Error-Correcting Codes and Cryptography

Signing with Codes. c Zuzana Masárová 2014

A Fuzzy Sketch with Trapdoor

MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes

Code-based Cryptography

Discrete logarithm and related schemes

An Introduction to (Network) Coding Theory

Differential Cryptanalysis for Multivariate Schemes

Post-Quantum Code-Based Cryptography

APPLYING QUANTUM SEARCH TO A KNOWN- PLAINTEXT ATTACK ON TWO-KEY TRIPLE ENCRYPTION

Background: Lattices and the Learning-with-Errors problem

Coset Decomposition Method for Decoding Linear Codes

New results for rank based cryptography

Cryptanalysis of the Sidelnikov cryptosystem

Classic McEliece vs. NTS-KEM

Division Property: a New Attack Against Block Ciphers

Simple Matrix Scheme for Encryption (ABC)

McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks

Code-based Cryptography

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

24th Conference on ACA Santiago de Compostela Session on CACTC Computer Algebra Tales on Goppa Codes and McEliece Cryptography

On the Decoding Failure Rate of QC-MDPC Bit-Flipping Decoders

Compact McEliece keys based on Quasi-Dyadic Srivastava codes

Public-Key Cryptosystems CHAPTER 4

McBits: Fast code-based cryptography

CRYPTANALYSIS OF COMPACT-LWE

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Strengthening McEliece Cryptosystem

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Public-Key Encryption: ElGamal, RSA, Rabin

Hidden Field Equations

Lecture Notes. Advanced Discrete Structures COT S

Low Rank Parity Check codes and their application to cryptography

An Efficient CCA2-Secure Variant of the McEliece Cryptosystem in the Standard Model

A new security notion for asymmetric encryption Draft #10

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Discrete Mathematics GCD, LCM, RSA Algorithm

Cryptanalysis of the Original McEliece Cryptosystem

Transcription:

a Hands-On Introduction Daniel Loebenberger <daniel_loebenberger@genua.de> Ηράκλειο, September 27, 2018

Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based cryptography Further techniques (e.g. multivariate, isogeny-based, ) 2

Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based cryptography Further techniques (e.g. multivariate, isogeny-based, ) 2

Coding theory Dating back to Claude Shannon in 1948 Goal is to protect a message sent over a noisy channel Typically, this is achieved by adding redundancy 3

Public key Cryptography We need to specify three algorithms: Key Generation: Create a private and a public key Encryption of a message using the public key Decryption of a ciphertext using the private key Security: It is not possible to decrypt a ciphertext without the private key. 4

Content Linear Codes Optimizations Conclusion 5

Linear Codes Content Linear Codes Optimizations Conclusion 6

Linear Codes Basic Definitions Definition (Linear Code) A linear (n, k, d)-code C over a finite field F is a k-dimensional subspace of the vector space F n with minimum distance d = min x y C dist(x, y), where dist is the Hamming-distance. 7

Linear Codes Basic Definitions Definition (Linear Code) A linear (n, k, d)-code C over a finite field F is a k-dimensional subspace of the vector space F n with minimum distance d = min x y C dist(x, y), where dist is the Hamming-distance. Theorem A linear (n, k, d)-code can correct up to t = d 1 2 errors. 7

Linear Codes Basic Definitions Definition (Generator Matrix) The matrix G F k n is a generator matrix for the (n, k, d)-code C if C = G, i.e. the rows of G span C. Definition (Encoding) For a message m F k, define its encoding as c = mg F n. 7

Linear Codes Basic Definitions Problem (Decoding problem) Given x F n find c C, where dist(x, c) is minimal. If x = c + e and e is a vector of weight at most t then x is uniquely determined. 7

Linear Codes Basic Definitions Problem (Decoding problem) Given x F n find c C, where dist(x, c) is minimal. If x = c + e and e is a vector of weight at most t then x is uniquely determined. Theorem The (general) decoding problem is N P-hard. 7

Linear Codes Encoding/Decoding: Example 1 0 0 0 1 1 0 G = 0 1 0 0 0 1 1 0 0 1 0 1 1 1 0 0 0 1 1 0 1 G F 4 7 2 generator matrix for code C 8

Linear Codes Encoding/Decoding: Example 1 0 0 0 1 1 0 G = 0 1 0 0 0 1 1 1 0 1 1 1 0 0 0 0 1 0 1 1 1 H = 1 1 1 0 0 1 0 0 1 1 1 0 0 1 0 0 0 1 1 0 1 G F 4 7 2 generator matrix for code C, H F 3 7 2 parity check matrix: GH t = 0 8

Linear Codes Encoding/Decoding: Example 1 0 0 0 1 1 0 G = 0 1 0 0 0 1 1 1 0 1 1 1 0 0 0 0 1 0 1 1 1 H = 1 1 1 0 0 1 0 0 1 1 1 0 0 1 0 0 0 1 1 0 1 G F 4 7 2 generator matrix for code C, H F 3 7 2 parity check matrix: GH t = 0 m = [ 0 1 0 1 ] = c = mg = 8

Linear Codes Encoding/Decoding: Example 1 0 0 0 1 1 0 G = 0 1 0 0 0 1 1 1 0 1 1 1 0 0 0 0 1 0 1 1 1 H = 1 1 1 0 0 1 0 0 1 1 1 0 0 1 0 0 0 1 1 0 1 G F 4 7 2 generator matrix for code C, H F 3 7 2 parity check matrix: GH t = 0 m = [ 0 1 0 1 ] = c = mg = [ 0 1 0 1 1 1 0 ] ch t = 8

Linear Codes Encoding/Decoding: Example 1 0 0 0 1 1 0 G = 0 1 0 0 0 1 1 1 0 1 1 1 0 0 0 0 1 0 1 1 1 H = 1 1 1 0 0 1 0 0 1 1 1 0 0 1 0 0 0 1 1 0 1 G F 4 7 2 generator matrix for code C, H F 3 7 2 parity check matrix: GH t = 0 m = [ 0 1 0 1 ] = c = mg = [ 0 1 0 1 1 1 0 ] ch t = 0, i.e. c C 8

Linear Codes Encoding/Decoding: Example 1 0 0 0 1 1 0 G = 0 1 0 0 0 1 1 1 0 1 1 1 0 0 0 0 1 0 1 1 1 H = 1 1 1 0 0 1 0 0 1 1 1 0 0 1 0 0 0 1 1 0 1 G F 4 7 2 generator matrix for code C, H F 3 7 2 parity check matrix: GH t = 0 m = [ 0 1 0 1 ] = c = mg = [ 0 1 0 1 1 1 0 ] ch t = 0, i.e. c C One-bit error e = [ 0 0 0 1 0 0 0 ] = x = c + e = 8

Linear Codes Encoding/Decoding: Example 1 0 0 0 1 1 0 G = 0 1 0 0 0 1 1 1 0 1 1 1 0 0 0 0 1 0 1 1 1 H = 1 1 1 0 0 1 0 0 1 1 1 0 0 1 0 0 0 1 1 0 1 G F 4 7 2 generator matrix for code C, H F 3 7 2 parity check matrix: GH t = 0 m = [ 0 1 0 1 ] = c = mg = [ 0 1 0 1 1 1 0 ] ch t = 0, i.e. c C One-bit error e = [ 0 0 0 1 0 0 0 ] = x = c + e = [ 0 1 0 0 1 1 0 ] 8

Linear Codes Encoding/Decoding: Example 1 0 0 0 1 1 0 G = 0 1 0 0 0 1 1 1 0 1 1 1 0 0 0 0 1 0 1 1 1 H = 1 1 1 0 0 1 0 0 1 1 1 0 0 1 0 0 0 1 1 0 1 G F 4 7 2 generator matrix for code C, H F 3 7 2 parity check matrix: GH t = 0 m = [ 0 1 0 1 ] = c = mg = [ 0 1 0 1 1 1 0 ] ch t = 0, i.e. c C One-bit error e = [ 0 0 0 1 0 0 0 ] = x = c + e = [ 0 1 0 0 1 1 0 ] Then: xh t = ch t + eh t = eh t = [ 1 0 1 ] Decoding idea: run over all possible errors e, compute eh t and compare to xh t. 8

Content Linear Codes Optimizations Conclusion 9

Basic idea The general decoding problem is a hard problem 10

Basic idea The general decoding problem is a hard problem However, there are certain codes with efficient decoding One example are binary Goppa codes 10

Basic idea The general decoding problem is a hard problem However, there are certain codes with efficient decoding One example are binary Goppa codes Disguise such a code 10

Basic idea The general decoding problem is a hard problem However, there are certain codes with efficient decoding One example are binary Goppa codes Disguise such a code Use this information as a trapdoor! 10

Specification (I) Key Generation Secret generator matrix G F k n 2 of an easily decodeable (n, k, d)-code C = G Secret random invertible matrix S F k k 2 Secret random permutation matrix P F n n 2 Compute public G = SGP. 11

Specification (I) Key Generation Secret generator matrix G F k n 2 of an easily decodeable (n, k, d)-code C = G Secret random invertible matrix S F k k 2 Secret random permutation matrix P F n n 2 Compute public G = SGP. Heuristically, the matrix G behaves like a uniformly selected matrix, i.e. C = G is hard to decode. 11

Specification (II) Encryption of m F k 2 Choose e F n 2 of weight t return x = mg + e 12

Specification (II) Decryption of x F n 2 Encryption of m F k 2 Choose e F n 2 of weight t return x = mg + e Compute y = xp 1 = (ms)g + ep 1 Decode y, obtaining (ms)g Recover m = ms return m = m S 1 12

Specification (II) Decryption of x F n 2 Encryption of m F k 2 Choose e F n 2 of weight t return x = mg + e Compute y = xp 1 = (ms)g + ep 1 Decode y, obtaining (ms)g Recover m = ms return m = m S 1 Both operations are comparatively efficient! 12

Encryption: Example 0 0 0 0 1 0 0 1 0 0 0 1 1 0 0 1 1 1 0 1 0 0 0 0 0 G = 0 1 0 0 0 1 1 0 0 1 0 1 1 1 S = 1 1 0 1 1 1 0 0 P = 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 1 1 1 1 1 0 0 0 0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 13

Encryption: Example 1 1 0 1 0 0 1 Public G = SGP = 0 1 0 0 1 0 1 1 1 0 0 1 1 0 1 1 1 1 1 1 1 13

Encryption: Example 1 1 0 1 0 0 1 Public G = SGP = 0 1 0 0 1 0 1 1 1 0 0 1 1 0 1 1 1 1 1 1 1 Message m = [ 0 1 0 1 ] = c = mg = [ 1 0 1 1 0 1 0 ] One-bit error e = [ 0 0 0 1 0 0 0 ] = x = c + e = [ 1 0 1 0 0 1 0 ] 13

Decryption: Example 0 0 0 0 1 0 0 1 0 0 0 1 1 0 0 1 1 1 0 1 0 0 0 0 0 G = 0 1 0 0 0 1 1 0 0 1 0 1 1 1 S = 1 1 0 1 1 1 0 0 P = 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 1 1 1 1 1 0 0 0 0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 14

Decryption: Example 0 0 0 0 0 0 1 1 0 0 0 1 1 0 1 0 0 1 0 1 0 0 0 0 0 G = 0 1 0 0 0 1 1 0 0 1 0 1 1 1 S 1 = 1 0 1 1 0 1 0 1 P 0 0 0 0 0 1 0 1 = 0 0 1 0 0 0 0 0 0 0 1 1 0 1 0 1 1 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 14

Decryption: Example 0 0 0 0 0 0 1 1 0 0 0 1 1 0 1 0 0 1 0 1 0 0 0 0 0 G = 0 1 0 0 0 1 1 0 0 1 0 1 1 1 S 1 = 1 0 1 1 0 1 0 1 P 0 0 0 0 0 1 0 1 = 0 0 1 0 0 0 0 0 0 0 1 1 0 1 0 1 1 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 Receive x = [ 1 0 1 0 0 1 0 ], compute y = xp 1 = [ 0 0 0 0 1 1 1 ] 14

Decryption: Example 0 0 0 0 0 0 1 1 0 0 0 1 1 0 1 0 0 1 0 1 0 0 0 0 0 G = 0 1 0 0 0 1 1 0 0 1 0 1 1 1 S 1 = 1 0 1 1 0 1 0 1 P 0 0 0 0 0 1 0 1 = 0 0 1 0 0 0 0 0 0 0 1 1 0 1 0 1 1 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 Receive x = [ 1 0 1 0 0 1 0 ], compute y = xp 1 = [ 0 0 0 0 1 1 1 ] Use decoding algorithm for G, giving message m = ms = [ 0 0 1 0 ] m S 1 = m = [ 0 1 0 1 ] 14

Security (classical) McEliece Problem Given a McEliece public key G F k n 2 and a ciphertext x F n 2, find (the unique) m Fk 2, s.t. dist(mg, x) = t Fact If you can solve the general decoding problem, then you can solve the McEliece problem. 15

Security (classical) McEliece Problem Given a McEliece public key G F k n 2 and a ciphertext x F n 2, find (the unique) m Fk 2, s.t. dist(mg, x) = t Fact If you can solve the general decoding problem, then you can solve the McEliece problem. However, the converse is not true, since C = G is not a random code, but a disguised binary Goppa code! 15

Security (post-quantum) Grover's algorithm A quantum-computer can search an unordered set of size l in time O( l). Theorem One can apply Grover s algorithm to solve the general decoding problem. This gives (roughly) a quadratic speedup. 16

Security (post-quantum) Grover's algorithm A quantum-computer can search an unordered set of size l in time O( l). Theorem One can apply Grover s algorithm to solve the general decoding problem. This gives (roughly) a quadratic speedup. Runtime still exponential! Wide believe: This is all of the speedup a quantum-computer provides. 16

Parameter Sets From the NIST proposal by Bernstein et al., Nov 2017: kem/mceliece6960119 k = 5413, n = 6960, t = 119 kem/mceliece8192128 k = 6528, n = 8192, t = 128 17

Parameter Sets From the NIST proposal by Bernstein et al., Nov 2017: kem/mceliece6960119 k = 5413, n = 6960, t = 119 Approximate parameter sizes: Plaintext: 677B, ciphertext: 870B Public key: 4.5MB, secret key: 13.75MB kem/mceliece8192128 k = 6528, n = 8192, t = 128 Approximate parameter sizes: Plaintext: 870B, ciphertext: 1024B Public key: 6.4MB, secret key: 19.45MB 17

Parameter Sets From the NIST proposal by Bernstein et al., Nov 2017: kem/mceliece6960119 k = 5413, n = 6960, t = 119 Approximate parameter sizes: Plaintext: 677B, ciphertext: 870B Public key: 4.5MB, secret key: 13.75MB kem/mceliece8192128 k = 6528, n = 8192, t = 128 Approximate parameter sizes: Plaintext: 870B, ciphertext: 1024B Public key: 6.4MB, secret key: 19.45MB Expectedly, both parameter sets fulfill the NIST requirements for an IND-CCA2 KEM, category 5, i.e. a security level of 256 bit. 17

McEliece: Conclusion The security of the McEliece cryptosystem is convincing. It comes, however, at the cost of large key-sizes. 18

Optimizations Content Linear Codes Optimizations Conclusion 19

Optimizations Reducing the Key-Sizes Opimization possibilities not affecting security: If k > n k, rewrite using the parity check matrix H F (n k) n 2 G = 1 0 0 0 1 1 0 0 1 0 0 0 1 1 0 0 1 0 1 1 1 0 0 0 1 1 0 1 = H = [ 1 0 1 1 1 0 0 1 1 1 0 0 1 0 0 1 1 1 0 0 1 ] 20

Optimizations Reducing the Key-Sizes Opimization possibilities not affecting security: If k > n k, rewrite using the parity check matrix H F (n k) n 2 G = 1 0 0 0 1 1 0 0 1 0 0 0 1 1 0 0 1 0 1 1 1 0 0 0 1 1 0 1 = H = Store the permutation P in tuple representation! P = 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 [ 1 0 1 1 1 0 0 1 1 1 0 0 1 0 0 1 1 1 0 0 1 = P = (7, 2, 6, 3, 1, 5, 4) ] 20

Optimizations Reducing the Key-Sizes: Effect kem/mceliece6960119 k = 5413, n = 6960, t = 119 Public key: 4.5MB 1.3MB Secret key: 13.75MB 4.8MB kem/mceliece8192128 k = 6528, n = 8192, t = 128 Public key: 6.4MB 1.6MB Secret key: 19.45MB 6.7MB 21

Optimizations Reducing the Key-Sizes: Effect kem/mceliece6960119 k = 5413, n = 6960, t = 119 Public key: 4.5MB 1.3MB Secret key: 13.75MB 4.8MB kem/mceliece8192128 k = 6528, n = 8192, t = 128 Public key: 6.4MB 1.6MB Secret key: 19.45MB 6.7MB Even more reductions possible, c.f. NIST submission on classic McEliece! 21

Optimizations The Code-Based NIST Submissions BIG QUAKE BIKE DAGS Edon-K (withdrawn) HQC LAKE LEDAkem LEDApkc Lepton LOCKER McNie NTS-KEM Ouroboros-R pqsigrm QC-MDPC KEM RaCoSS Ramstake; RankSign (withdrawn) RLCE-KEM RQC 22

Optimizations The Code-Based NIST Submissions QC-MDPC codes Binary Goppa codes Quasi-Cyclic codes BCH codes Rank Metric codes Rank Quasi-Cyclic codes Random Linear codes QC-LDPC codes Quasi-Dyadic Gen. Srivastava codes LRPC codes Ideal-LRPC codes Punctured Reed-Muller codes Quasi-cyclic Goppa codes 22

Optimizations Security Considerations Several good proposals Most aim on the goal of having much smaller key-sizes Security based on the problem of decoding special codes Further cryptanalysis necessary! 23

Optimizations Security Considerations Several good proposals Most aim on the goal of having much smaller key-sizes Security based on the problem of decoding special codes Further cryptanalysis necessary! We live in exciting times :-) 23

Conclusion Content Linear Codes Optimizations Conclusion 24

Conclusion Summary McEliece is well studied and appears to be secure even in a post-quantum setting This comes at cost of large key-sizes 25

Conclusion Summary McEliece is well studied and appears to be secure even in a post-quantum setting This comes at cost of large key-sizes Most NIST submissions try to address this issue by using special classes of codes Their decoding problem is much less analyzed The study of this tradeoff will probably continue over the next years. 25

Conclusion Further questions? 26

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback