Toward Secure Implementation of McEliece Decryption

Similar documents
Side-channel analysis in code-based cryptography

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

Improved Timing Attacks against the Secret Permutation in the McEliece PKC

Errors, Eavesdroppers, and Enormous Matrices

Code-Based Cryptography Error-Correcting Codes and Cryptography

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Code-based cryptography

Elliptic Curve Cryptography and Security of Embedded Devices

Error-correcting Pairs for a Public-key Cryptosystem

Side Channel Analysis and Protection for McEliece Implementations

Leakage Measurement Tool of McEliece PKC Calculator

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Attacking and defending the McEliece cryptosystem

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem

McBits: Fast code-based cryptography

Signing with Codes. c Zuzana Masárová 2014

Code-based Cryptography

2 Description of McEliece s Public-Key Cryptosystem

9 Knapsack Cryptography

Discrete Mathematics GCD, LCM, RSA Algorithm

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

Codes used in Cryptography

Algorithmic Number Theory and Public-key Cryptography

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

Code Based Cryptology at TU/e

RSA. Ramki Thurimella

Mathematical Foundations of Public-Key Cryptography

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Implementation Tutorial on RSA

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Public Key Cryptography

Differential Power Analysis of a McEliece Cryptosystem

A Smart Card Implementation of the McEliece PKC

Side-Channel Attacks on the McEliece and Niederreiter Public-Key Cryptosystems

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Code Based Cryptography

Wild McEliece Incognito

Post-Quantum Code-Based Cryptography

Decoding One Out of Many

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

CPSC 467b: Cryptography and Computer Security

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Post-Quantum Cryptography

Introduction to Modern Cryptography. Benny Chor

McEliece type Cryptosystem based on Gabidulin Codes

Division Property: a New Attack Against Block Ciphers

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur

Classical hardness of Learning with Errors

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

8.1 Principles of Public-Key Cryptosystems

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Notes 10: Public-key cryptography

Efficient Implementation of the McEliece Cryptosystem

Notes for Lecture 17

Lecture 1: Introduction to Public key cryptography

Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations

Error-correcting codes and applications

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Lecture Notes, Week 6

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Classical hardness of the Learning with Errors problem

Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Lossy Trapdoor Functions and Their Applications

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

FPGA-based Key Generator for the Niederreiter Cryptosystem using Binary Goppa Codes

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

A Fuzzy Sketch with Trapdoor

Quantum-resistant cryptography

Cryptography and Security Midterm Exam

Some Comments on the Security of RSA. Debdeep Mukhopadhyay

Background: Lattices and the Learning-with-Errors problem

The Golay codes. Mario de Boer and Ruud Pellikaan

Gurgen Khachatrian Martun Karapetyan

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Public Key Cryptography

Public Key Encryption

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

CIS 551 / TCOM 401 Computer and Network Security

QC-MDPC: A Timing Attack and a CCA2 KEM

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

CPSC 467b: Cryptography and Computer Security

On the power of non-adaptive quantum chosen-ciphertext attacks

Simple Matrix Scheme for Encryption (ABC)

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

1 Number Theory Basics

Transcription:

Toward Secure Implementation of McEliece Decryption Mariya Georgieva & Frédéric de Portzamparc Gemalto & LIP6, 13/04/2015

1 MCELIECE PUBLIC-KEY ENCRYPTION 2 DECRYPTION ORACLE TIMING ATTACKS 3 EXTENDED EUCLIDEAN ALGORITHM WITH CONSTANT FLOW 13/04/2015 Toward Secure Implementation of McEliece Decryption 2 / 17

Code-based Cryptography Introduced in 1978 by McEliece Advantages Very fast encryption and fast decryption, faster than RSA No need for crypto coprocessors Based on NP-hard problem (Syndrome Decoding Problem) Post-quantum security 13/04/2015 Toward Secure Implementation of McEliece Decryption 3 / 17

Code-based Cryptography Introduced in 1978 by McEliece Advantages Very fast encryption and fast decryption, faster than RSA No need for crypto coprocessors Based on NP-hard problem (Syndrome Decoding Problem) Post-quantum security Disadvantages Big public keys ( 100 Kbits) Few side-channel analysis for secure implementation... 13/04/2015 Toward Secure Implementation of McEliece Decryption 3 / 17

Code based Cryptography Syndrome Decoding Problem plaintext m F k q ( 0,...,1 ) public key G pk F k n q G pk ( + error e F n q 1,0,...,0,1 ) = ( ciphertext c Fn q 1,0,...,1,1 ) Find m, e knowing G pk, c: NP-complete for G pk random. 13/04/2015 Toward Secure Implementation of McEliece Decryption 4 / 17

Code based Cryptography Syndrome Decoding Problem plaintext m F k q ( 0,...,1 ) public key G pk F k n q G pk ( + error e F n q 1,0,...,0,1 ) = ( ciphertext c Fn q 1,0,...,1,1 ) Find m, e knowing G pk, c: NP-complete for G pk random. Definitions A support: x = (x 0,..., x n 1 ) F n q m, with x i x j A polynomial g(x) F q m [x] of degree t with g(x i ) 0. A Goppa code G (x, g) is described by the secret elements x and g(z) T t a t-decoder for G (x, g), using the secret elements x and g(z) G a generator matrix of G (x, g) 13/04/2015 Toward Secure Implementation of McEliece Decryption 4 / 17

McEliece Public-Key Encryption PARAMETERS : Field size q = 2 PUBLIC KEY : G pk = SGP with S F (n k) (n k) q P F n n q random matrix a random permutation matrix. PRIVATE KEY : the t-decoder T t, S and P Algorithm 1 McEliece Cryptosystem ENCRYPT 1: Input m F k q. 2: Generate random e F n q with w H (e) = t. 3: Output c = mg pk + e. DECRYPT 1: Input c F n q. 2: Compute m = T t (cp 1 )). 3: If decoding succeeds, output S 1 m, else output. 13/04/2015 Toward Secure Implementation of McEliece Decryption 5 / 17

The Decoder The main steps are : Compute the polynomial syndrome S(z), a polynomial deduced from c, but depending only on e. Use the Extended Euclidean Algorithm (EEA) to compute the error locator polynomial σ(z), roots of σ(z) are related to the support elements x ij in the error positions i j. Find the roots of σ(z). Here e F n 2, so e i j 0 implies that e ij = 1. Alternant Decoder: generic for Alternant codes 1 EEA(z 2t, S Alt,e (z), t) Patterson Decoder: specific for binary Goppa codes 1 EEA(g(z), S Gop,e (z), 0) 2 EEA(g(z), τ, t/2 ) with τ = S Gop,e (z) 1 + 1 mod g(z) 13/04/2015 Toward Secure Implementation of McEliece Decryption 6 / 17

Extended Euclidean Algorithm Algorithm 2 Extended Euclidean Algorithm (EEA) Input: a(z), b(z), deg(a) deg(b), d fin Output: u(z), r(z) with b(z)u(z) = r(z) mod a(z) and deg(r) d fin 1: r 1 (z) a(z), r 0 (z) b(z),u 1 (z) 1, u 0 (z) 0, 2: i 0 3: while deg(r i (z)) > d fin do 4: i i + 1 5: q i r i 2 (z)/r i 1 (z) 6: r i r i 2 (z) q i (z)r i 1 (z) 7: u i u i 2 (z) q i (z)u i 1 (z) 8: end while 9: N i 10: return u N (z), r N (z) The number of steps in the while depends on inputs a(z) and b(z). Complexity is in O(deg(a) 2 ) fields multiplications. 13/04/2015 Toward Secure Implementation of McEliece Decryption 7 / 17

Motivation and attacks Difficulties for a secure implementation The operation flow of the decryption is strongly influenced by the error vector No information is known about the error vector before determining σ e The observed or manipulated device may leak information before any detection of the attack 13/04/2015 Toward Secure Implementation of McEliece Decryption 8 / 17

Motivation and attacks Difficulties for a secure implementation The operation flow of the decryption is strongly influenced by the error vector No information is known about the error vector before determining σ e The observed or manipulated device may leak information before any detection of the attack Various attacks when using an unprotected decryption: on the messages (R. Avanzi et al., A. Shoufan et al.) on the secret key (F. Strenzke) 13/04/2015 Toward Secure Implementation of McEliece Decryption 8 / 17

Motivation and attacks Difficulties for a secure implementation The operation flow of the decryption is strongly influenced by the error vector No information is known about the error vector before determining σ e The observed or manipulated device may leak information before any detection of the attack Various attacks when using an unprotected decryption: on the messages (R. Avanzi et al., A. Shoufan et al.) on the secret key (F. Strenzke) No satisfactory countermeasure. 13/04/2015 Toward Secure Implementation of McEliece Decryption 8 / 17

Motivation and attacks Difficulties for a secure implementation The operation flow of the decryption is strongly influenced by the error vector No information is known about the error vector before determining σ e The observed or manipulated device may leak information before any detection of the attack Various attacks when using an unprotected decryption: on the messages (R. Avanzi et al., A. Shoufan et al.) on the secret key (F. Strenzke) No satisfactory countermeasure. This work Shows the need for an efficient countermeasure. Proposes such countermeasure. 13/04/2015 Toward Secure Implementation of McEliece Decryption 8 / 17

Decryption oracle timing attacks Algorithm 3 Framework for key-recovery attacks on a decryption device. (Strenzke) INPUT: A decryption device D, public encryption key G pub. OUTPUT: The secret support x. 1: Choose w well-chosen error weights 2: for (i 1,..., i w ) subset of {0,..., n 1} do 3: Pick e = (0,..., e i1,..., e iw,..., 0) with w H (e) = w. 4: Request decryption D(e). 5: Perform timing or power consumption analysis of D(e). 6: If EEA is faster than average, deduce a polynomial condition on x i1,..., x iw 7: end for 8: Solve the non-linear system of all the collected equations. 9: return Secret support x = (x 0,..., x n 1 ). 13/04/2015 Toward Secure Implementation of McEliece Decryption 9 / 17

Secret decryption key recovery attacks Lemma (Patterson decoder) Let G (x, g(z)) be a binary Goppa code and S e(z) the pol. syndrome associated to an error e with w H (e) deg(g)/2 1. Write S e(z) = ωe(z) mod g(z). The number of σ e(z) iterations of the while loop (EEA(g(z), S e(z), 0), EEA(g(z), τ(z), t/2 )) = (N I, N K ). N I deg(ω e(z)) + w H (e) and N K deg(ω e(z))/2. (1) 13/04/2015 Toward Secure Implementation of McEliece Decryption 10 / 17

Secret decryption key recovery attacks Lemma (Patterson decoder) Let G (x, g(z)) be a binary Goppa code and S e(z) the pol. syndrome associated to an error e with w H (e) deg(g)/2 1. Write S e(z) = ωe(z) mod g(z). The number of σ e(z) iterations of the while loop (EEA(g(z), S e(z), 0), EEA(g(z), τ(z), t/2 )) = (N I, N K ). N I deg(ω e(z)) + w H (e) and N K deg(ω e(z))/2. (1) Strenzke s attacks in brief 2010 : Observe N K for error weights w = 4. ω e(z) = (x i1 + x i2 + x i3 + x i4 ) z 2 + x i1 x i2 x i3 + x i1 x i2 x i4 + x i1 x i3 x i4 + x i2 x i3 x i4. }{{}}{{} ω 1 (e) ω 3 (e) If N K is smaller than average x i1 + x i2 + x i3 + x i4 = 0 No practical attack, countermeasure proposed. 2011 : Observe N I for w = 6 = practical attack. Countermeasure proposed. 13/04/2015 Toward Secure Implementation of McEliece Decryption 10 / 17

Secret decryption key recovery attacks Lemma (Patterson decoder) Let G (x, g(z)) be a binary Goppa code and S e(z) the pol. syndrome associated to an error e with w H (e) deg(g)/2 1. Write S e(z) = ωe(z) mod g(z). The number of σ e(z) iterations of the while loop (EEA(g(z), S e(z), 0), EEA(g(z), τ(z), t/2 )) = (N I, N K ). N I deg(ω e(z)) + w H (e) and N K deg(ω e(z))/2. (1) Strenzke s attacks in brief 2010 : Observe N K for error weights w = 4. ω e(z) = (x i1 + x i2 + x i3 + x i4 ) z 2 + x i1 x i2 x i3 + x i1 x i2 x i4 + x i1 x i3 x i4 + x i2 x i3 x i4. }{{}}{{} ω 1 (e) ω 3 (e) If N K is smaller than average x i1 + x i2 + x i3 + x i4 = 0 No practical attack, countermeasure proposed. 2011 : Observe N I for w = 6 = practical attack. Countermeasure proposed. In this paper : Extended attack bypassing previous countermeasure Combination of first and second EEA: observe couples (N I, N K ) for errors with w = 8 13/04/2015 Toward Secure Implementation of McEliece Decryption 10 / 17

Extended Euclidean Algorithm EEA with a flow of operations independent of the error vector Discards previous message-recovery attacks Discards previous key-recovery attacks 13/04/2015 Toward Secure Implementation of McEliece Decryption 11 / 17

Extended Euclidean Algorithm EEA with a flow of operations independent of the error vector Discards previous message-recovery attacks Discards previous key-recovery attacks Inspired by a work of Berlekamp (VLSI) No clear completeness proofs found in the literature Never proposed for McEliece Fully efficient only for the Alternant decoder 13/04/2015 Toward Secure Implementation of McEliece Decryption 11 / 17

Unrolling Euclidean division Step 1: Decomposition of each euclidean division into a number of polynomial subtractions depending only on δ i = deg(q i (z)) = deg(r i 2 ) deg(r i 1 ). 1: while deg(r i (z)) > d fin do 2: i i + 1 3: q i r i 2 (z)/r i 1 (z) 4: r i r i 2 (z) q i (z)r i 1 (z) 5: end while z 4 α 11 z 2 +α 7 z +α 11 α 11 (z 4 ) z 2 (α 11 z 2 + α 7 z + α 11 ) α 7 z 3 +α 11 z 2 α 11 (α 7 z 3 + α 11 z 2 ) α 7 z(α 11 z 2 + α 7 z + α 11 ) αz 2 +α 3 z α 11 (αz 2 + α 3 z) α(α 11 z 2 + α 7 z + α 11 ) α 6 z +α 12 z 4 = (α 4 z 2 +z+α 13 )(α 11 z 2 +α 7 z+α 11 )+(α 3 z+α 9 ) 13/04/2015 Toward Secure Implementation of McEliece Decryption 12 / 17

Unrolling Euclidean division Step 1: Decomposition of each euclidean division into a number of polynomial subtractions depending only on δ i = deg(q i (z)) = deg(r i 2 ) deg(r i 1 ). 1: while deg(r i (z)) > d fin do 2: i i + 1 3: q i r i 2 (z)/r i 1 (z) 4: r i r i 2 (z) q i (z)r i 1 (z) 5: end while 1: while deg(r i (z)) > d fin do 2: i i + 1 3: R (0) i 2 (z) R i 2(z), β i LC(R i 1 (z)) 4: i deg(r i 2 ) deg(r i 1 ) 5: for j = 0,..., i do 6: α i,j R (j) i,d i 2 j, 7: R (j+1) i 2 (z) β i R (j) i 2 (z) α i,j z i j R i 1 (z) 8: end for 9: R i (z) R ( i +1) (z), i 2 10: end while 13/04/2015 Toward Secure Implementation of McEliece Decryption 12 / 17

Unrolling Euclidean division Step 1: Decomposition of each euclidean division into a number of polynomial subtractions depending only on δ i = deg(q i (z)) = deg(r i 2 ) deg(r i 1 ). 1: while deg(r i (z)) > d fin do 2: i i + 1 3: q i r i 2 (z)/r i 1 (z) 4: r i r i 2 (z) q i (z)r i 1 (z) 5: end while Lemma 1: while deg(r i (z)) > d fin do 2: i i + 1 3: R (0) i 2 (z) R i 2(z), β i LC(R i 1 (z)) 4: i deg(r i 2 ) deg(r i 1 ) 5: for j = 0,..., i do 6: α i,j R (j) i,d i 2 j, 7: R (j+1) i 2 (z) β i R (j) i 2 (z) α i,j z i j R i 1 (z) 8: end for 9: R i (z) R ( i +1) (z), i 2 10: end while For all i = 1,..., N, there exists λ i F q m such that: R i (z) = λ i r i (z), As a consequence, i = deg(r i 2 ) deg(r i 1 ) = deg(r i 2 ) deg(r i 1 ) = δ i. 13/04/2015 Toward Secure Implementation of McEliece Decryption 12 / 17

Unrolling Euclidean division Step 1: Decomposition of each euclidean division into a number of polynomial subtractions depending only on δ i = deg(q i (z)) = deg(r i 2 ) deg(r i 1 ). 1: while deg(r i (z)) > d fin do 2: i i + 1 3: q i r i 2 (z)/r i 1 (z) 4: r i r i 2 (z) q i (z)r i 1 (z) 5: end while Lemma 1: while deg(r i (z)) > d fin do 2: i i + 1 3: R (0) i 2 (z) R i 2(z), β i LC(R i 1 (z)) 4: i deg(r i 2 ) deg(r i 1 ) 5: for j = 0,..., i do 6: α i,j R (j) i,d i 2 j, 7: R (j+1) i 2 (z) β i R (j) i 2 (z) α i,j z i j R i 1 (z) 8: end for 9: R i (z) R ( i +1) (z), i 2 10: end while For all i = 1,..., N, there exists λ i F q m such that: R i (z) = λ i r i (z), As a consequence, i = deg(r i 2 ) deg(r i 1 ) = deg(r i 2 ) deg(r i 1 ) = δ i. Problems: Still a while loop. Polynomial shift changes. 13/04/2015 Toward Secure Implementation of McEliece Decryption 12 / 17

Regular polynomial shift pattern Step 2: multiply the operand by z at each for iteration ( re-aligning ). 13/04/2015 Toward Secure Implementation of McEliece Decryption 13 / 17

Regular polynomial shift pattern Step 2: multiply the operand by z at each for iteration ( re-aligning ). z 4 = (α 4 z 2 + z + α 13 )(α 11 z 2 + α 7 z + α 11 ) + (α 3 z + α 9 ) z 4 α 11 z 2 +α 7 z +α 11 α 11 (z 4 ) z 2 (α 11 z 2 + α 7 z + α 11 ) α 7 z 3 +α 11 z 2 α 11 (α 7 z 3 + α 11 z 2 ) α 7 z(α 11 z 2 + α 7 z + α 11 ) αz 2 +α 3 z α 11 (αz 2 + α 3 z) α(α 11 z 2 + α 7 z + α 11 ) α 6 z +α 12 z 4 α 11 z 2 + α 7 z + α 11 z(0 (z 4 ) 1 (α 11 z 2 + α 7 z + α 11 ) α 11 z 3 + α 7 z 2 + α 11 z 1 z(0 (z 4 ) 1 (α 11 z 3 + α 7 z 2 + α 11 z 1 )) α 11 z 4 + α 7 z 3 + α 11 z 2 z(α 11 (z 4 ) 1 (α 11 z 4 + α 7 z 3 + α 11 z 2 )) α 7 z 4 + α 11 z 3 z(α 7 (α 11 z 4 + α 7 z 3 + α 11 z 2 ) α 11 (α 7 z 4 + α 11 z 3 )) αz 4 + α 3 z 3 z(α(α 11 z 4 + α 7 z 3 + α 11 z 2 ) α 11 (αz 4 + α 3 z 3 )) α 6 z 4 + α 12 z 3 13/04/2015 Toward Secure Implementation of McEliece Decryption 13 / 17

Regular polynomial shift pattern 1: while deg(r i (z)) > d fin do 2: i i + 1 3: R (0) i 2 (z) R i 2(z), β i LC(R i 1 (z)) 4: i deg(r i 2 ) deg(r i 1 ) 5: for j = 0,..., i do 6: α i,j R (j) i,d i 2 j, 7: R (j+1) i 2 (z) β i R (j) i 2 (z) α i,j z i j R i 1 (z) 8: end for 9: R i (z) R ( i +1) (z), i 2 10: end while 1: for i = 1,..., N do 2: R(0) i 2 (z) R i 2 (z), 3: for j = 1,..., i 1 do 4: Ri 1 (z) z R i 1 (z) L 1 5: end for 6: for j = 0,..., i do (j) 7: α i,j R i,d, β i R i 1,d. 8: R(j+1) i 2 ( (z) z β R(j) i i 2 (z) α i,j R ) i 1 (z) 9: end for 10: Ri (z) R ( i +1) (z), i 2 11: end for L 2 13/04/2015 Toward Secure Implementation of McEliece Decryption 14 / 17

Regular polynomial shift pattern 1: while deg(r i (z)) > d fin do 2: i i + 1 3: R (0) i 2 (z) R i 2(z), β i LC(R i 1 (z)) 4: i deg(r i 2 ) deg(r i 1 ) 5: for j = 0,..., i do 6: α i,j R (j) i,d i 2 j, 7: R (j+1) i 2 (z) β i R (j) i 2 (z) α i,j z i j R i 1 (z) 8: end for 9: R i (z) R ( i +1) (z), i 2 10: end while 1: for i = 1,..., N do 2: R(0) i 2 (z) R i 2 (z), 3: for j = 1,..., i 1 do 4: Ri 1 (z) z R i 1 (z) L 1 5: end for 6: for j = 0,..., i do (j) 7: α i,j R i,d, β i R i 1,d. 8: R(j+1) i 2 ( (z) z β R(j) i i 2 (z) α i,j R ) i 1 (z) 9: end for 10: Ri (z) R ( i +1) (z), i 2 11: end for L 2 Lemma For all i = 1,..., N, ( R i 1 (z), R i (z)) = (z d d i 1 R i 1 (z), z d d i 1 +1 R i (z)). 13/04/2015 Toward Secure Implementation of McEliece Decryption 14 / 17

Regular polynomial shift pattern 1: while deg(r i (z)) > d fin do 2: i i + 1 3: R (0) i 2 (z) R i 2(z), β i LC(R i 1 (z)) 4: i deg(r i 2 ) deg(r i 1 ) 5: for j = 0,..., i do 6: α i,j R (j) i,d i 2 j, 7: R (j+1) i 2 (z) β i R (j) i 2 (z) α i,j z i j R i 1 (z) 8: end for 9: R i (z) R ( i +1) (z), i 2 10: end while 1: for i = 1,..., N do 2: R(0) i 2 (z) R i 2 (z), 3: for j = 1,..., i 1 do 4: Ri 1 (z) z R i 1 (z) L 1 5: end for 6: for j = 0,..., i do (j) 7: α i,j R i,d, β i R i 1,d. 8: R(j+1) i 2 ( (z) z β R(j) i i 2 (z) α i,j R ) i 1 (z) 9: end for 10: Ri (z) R ( i +1) (z), i 2 11: end for L 2 Lemma For all i = 1,..., N, ( R i 1 (z), R i (z)) = (z d d i 1 R i 1 (z), z d d i 1 +1 R i (z)). Problems (pedagogical algorithm): Find N Find the i during the execution 13/04/2015 Toward Secure Implementation of McEliece Decryption 14 / 17

Complete regular flow EEA For EEA(z 2t, S e(z), t) : N δ i = w H (e) 1. i=1 N = 2t δ is a counter for the number of shifts to re-align the operands: i Merge the loops L 1 and L 2 in a common pattern. 13/04/2015 Toward Secure Implementation of McEliece Decryption 15 / 17

Complete regular flow EEA For EEA(z 2t, S e(z), t) : N δ i = w H (e) 1. i=1 N = 2t δ is a counter for the number of shifts to re-align the operands: i Merge the loops L 1 and L 2 in a common pattern. 1: δ 1. 2: for j = 1,..., 2t do 3: α j ˆR j 1,2t, β j ˆR j 2,2t. ( ) 4: temp R (z) z α j ˆRj 2 (z) β j ˆRj 1 (z). 5: if α j = 0 (ie deg(ˆr j 1 ) < deg(ˆr j 2 )) then 6: δ δ + 1. 7: else 8: δ δ 1. 9: end if 10: if δ < 0 then 11: (ˆR j (z), ˆR j 1 (z)) (ˆR j 1 (z), temp R ) 12: δ 0. 13: else 14: (ˆR j (z), ˆR j 1 (z)) (temp R, ˆR j 2 (z)) 15: δ δ. 16: end if 17: end for 13/04/2015 Toward Secure Implementation of McEliece Decryption 15 / 17

Complete regular flow EEA For EEA(z 2t, S e(z), t) : N δ i = w H (e) 1. i=1 N = 2t δ is a counter for the number of shifts to re-align the operands: i Merge the loops L 1 and L 2 in a common pattern. Lemma ˆR d (z) = z d w H (e)+1 R N (z) = µz d w H (e)+1 r(z) 1: δ 1. 2: for j = 1,..., 2t do 3: α j ˆR j 1,2t, β j ˆR j 2,2t. ( ) 4: temp R (z) z α j ˆRj 2 (z) β j ˆRj 1 (z). 5: if α j = 0 (ie deg(ˆr j 1 ) < deg(ˆr j 2 )) then 6: δ δ + 1. 7: else 8: δ δ 1. 9: end if 10: if δ < 0 then 11: (ˆR j (z), ˆR j 1 (z)) (ˆR j 1 (z), temp R ) 12: δ 0. 13: else 14: (ˆR j (z), ˆR j 1 (z)) (temp R, ˆR j 2 (z)) 15: δ δ. 16: end if 17: end for 13/04/2015 Toward Secure Implementation of McEliece Decryption 15 / 17

Complete regular flow EEA For EEA(z 2t, S e(z), t) : N δ i = w H (e) 1. i=1 N = 2t δ is a counter for the number of shifts to re-align the operands: i Merge the loops L 1 and L 2 in a common pattern. Lemma ˆR d (z) = z d w H (e)+1 R N (z) = µz d w H (e)+1 r(z) 1: δ 1. 2: for j = 1,..., 2t do 3: α j ˆR j 1,2t, β j ˆR j 2,2t. ( ) 4: temp R (z) z α j ˆRj 2 (z) β j ˆRj 1 (z). 5: if α j = 0 (ie deg(ˆr j 1 ) < deg(ˆr j 2 )) then 6: δ δ + 1. 7: else 8: δ δ 1. 9: end if 10: if δ < 0 then 11: (ˆR j (z), ˆR j 1 (z)) (ˆR j 1 (z), temp R ) 12: δ 0. 13: else 14: (ˆR j (z), ˆR j 1 (z)) (temp R, ˆR j 2 (z)) 15: δ δ. 16: end if 17: end for Therefore, provided 0 is not an element of x, ˆR d (z) allows to recover the error positions without ambiguity. (EEA in Alternant decoder and EEA2 in Patterson decoder) 13/04/2015 Toward Secure Implementation of McEliece Decryption 15 / 17

Conclusion In this paper Extend the attacks of Strenzke Propose a new EEA algorithm determining the error-locator polynomial Costs always 16t 2 field multiplications on any input (for Alternant decoder) The test that depends on the secret data is followed by two balanced branches Provide completeness proofs 13/04/2015 Toward Secure Implementation of McEliece Decryption 16 / 17

Conclusion In this paper Extend the attacks of Strenzke Propose a new EEA algorithm determining the error-locator polynomial Costs always 16t 2 field multiplications on any input (for Alternant decoder) The test that depends on the secret data is followed by two balanced branches Provide completeness proofs Perspectives Hardware secure implementation and tests, other kinds of attacks (fault, memory, template...) 13/04/2015 Toward Secure Implementation of McEliece Decryption 16 / 17

Thank you for your attention! 13/04/2015 Toward Secure Implementation of McEliece Decryption 17 / 17

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback