Decoding One Out of Many

Similar documents
How to improve information set decoding exploiting that = 0 mod 2

On the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier

Attacking and defending the McEliece cryptosystem

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

CRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES

A Fast Provably Secure Cryptographic Hash Function

The Support Splitting Algorithm and its Application to Code-based Cryptography

Post-Quantum Cryptography

Ball-collision decoding

Code Based Cryptology at TU/e

SYND: a Fast Code-Based Stream Cipher with a Security Reduction

Code-based Cryptography

Advances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago

MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes

Constructive aspects of code-based cryptography

Errors, Eavesdroppers, and Enormous Matrices

Code-based Cryptography

Vulnerabilities of McEliece in the World of Escher

Hidden Field Equations

Code-Based Cryptography McEliece Cryptosystem

Quasi-dyadic CFS signatures

On the Security of Some Cryptosystems Based on Error-correcting Codes

Improved Generalized Birthday Attack

Hexi McEliece Public Key Cryptosystem

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Error-correcting Pairs for a Public-key Cryptosystem

Side-channel analysis in code-based cryptography

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

McEliece in the world of Escher

Code-based identification and signature schemes in software

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Code-based cryptography

Decoding Random Binary Linear Codes in 2 n/20 : How 1+1=0Improves Information Set Decoding

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

arxiv: v4 [cs.cr] 30 Nov 2017

Cryptanalysis of the Original McEliece Cryptosystem

Wild McEliece Incognito

Compact McEliece keys based on Quasi-Dyadic Srivastava codes

Improved Information Set Decoding Decoding Random Linear Codes in O(20.054n)

THIS paper investigates the difficulty of the Goppa Code

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Attacks in code based cryptography: a survey, new results and open problems

Recent progress in code-based cryptography

Quantum-resistant cryptography

The failure of McEliece PKC based on Reed-Muller codes.

A Fuzzy Sketch with Trapdoor

An Efficient CCA2-Secure Variant of the McEliece Cryptosystem in the Standard Model

Decoding Random Binary Linear Codes in 2n/20 How 1+1=0 Improves Information Set Decoding

arxiv: v2 [cs.cr] 14 Feb 2018

A new zero-knowledge code based identification scheme with reduced communication

Smaller Decoding Exponents: Ball-Collision Decoding

Enhanced public key security for the McEliece cryptosystem

Cryptanalysis of the Wu}Dawson Public Key Cryptosystem

QC-MDPC: A Timing Attack and a CCA2 KEM

Signing with Codes. c Zuzana Masárová 2014

Code Based Cryptography

A distinguisher for high-rate McEliece Cryptosystems

Code-based cryptography

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Fast correlation attacks on certain stream ciphers

Cryptanalysis of the Sidelnikov cryptosystem

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Code-Based Cryptography

Strengthening McEliece Cryptosystem

Introduction to Quantum Safe Cryptography. ENISA September 2018

Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Side Channel Analysis and Protection for McEliece Implementations

Toward Secure Implementation of McEliece Decryption

Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE

Proof of Plaintext Knowledge for Code-Based Public-Key Encryption Revisited

Coding-Based Oblivious Transfer

Cryptanalysis of the TTM Cryptosystem

Noisy Diffie-Hellman protocols

Finding good differential patterns for attacks on SHA-1

Solving LPN Using Covering Codes

Algebraic Attack against Variants of McEliece with Goppa Polynomial of a Special Form

Oblivious Transfer Based on the McEliece Assumptions

Gröbner Bases in Public-Key Cryptography

Cryptanalysis of two knapsack public-key cryptosystems

Error-correcting codes and Cryptography

McBits: fast constant-time code-based cryptography. (to appear at CHES 2013)

LDPC codes in the McEliece cryptosystem: attacks and countermeasures

Benes and Butterfly schemes revisited

Code-based Cryptography

Codes used in Cryptography

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

A Smart Card Implementation of the McEliece PKC

A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem

On the Decoding Failure Rate of QC-MDPC Bit-Flipping Decoders

A Provably Secure Short Signature Scheme from Coding Theory

McBits: Fast code-based cryptography

THIS paper 1 investigates the difficulty of the Goppa Code Distinguishing (GD) problem which first appeared in [2]. This

Lecture 4: DES and block ciphers

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Really fast syndrome-based hashing

McEliece type Cryptosystem based on Gabidulin Codes

2 Description of McEliece s Public-Key Cryptosystem

McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks

Transcription:

Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands

Computational Syndrome Decoding Problem: Syndrome Decoding Instance: H {0, 1} r n, s {0, 1} r and w > 0 Question: is there a word e of Hamming weight w such that He T = s? Problem: Computational Syndrome Decoding (CSD) Given H {0, 1} r n, s {0, 1} r and w > 0 Find a word e of Hamming weight w such that He T = s NP-hard, conjectured hard in the average case We will denote CSD(H, s, w) this problem as well as the set of its solutions Typically n = 2048, r = 352 and w = 32 1/31

Computational Syndrome Decoding Multiple instances Problem: Syndrome Decoding One Out of Many Instance: H {0, 1} r n, S {0, 1} r and w > 0 Question: is there a word e of Hamming weight w such that He T S? Problem: Computational Syndrome Decoding One Out of Many Given H {0, 1} r n, S {0, 1} r and w > 0 Find a word e of Hamming weight w such that He T S For convenience, we will also denote CSD(H, S, w) this problem and the set of its solutions 2/31

Message Security of Code-Based Public-Key Cryptosystems The public key is a parity check matrix H 0 {0, 1} r n (or a generator matrix) of some binary (n, k) error correcting code (r = n k) Solving CSD(H 0, y, w) for a cryptogram y and some prescribed value of w breaks the system In McEliece system the cryptogram is a noisy codeword x; we have y = H 0 x T and w = t = r/ log 2 n is the error correcting capability of the (secret) Goppa code In Niederreiter system the cryptogram is the syndrome y and w = t as above In CFS signature y is the hash of the message and either w = t and we decode one out of t! instances, or w = t + δ = d GV (the Gilbert-Varshamov distance) 3/31

Best Decoding Algorithms Fixed binary (n, k) code, solve CSD for growing w codimension r = n k, Gilbert-Varshamov distance ( n d GV ) > 2 r ISD: Information Set Decoding GBA: Generalized Birthday Algorithm ISD GBA 0 d GV r/4 ISD Linearization w In the present study we will consider w d GV and the impact of multiple instances on the complexity of GBA and ISD 4/31

Problem Statement The size of the problem (i.e. r and n) is fixed Three facts: Decoding one out of N is easier when N grows One cannot gain more than a factor N It is useless to let N grow indefinitely Two questions: How easier is it to solve CSD(H, S, w) rather than CSD(H, s, w) when S = N grows? What is the largest useful value of N? 5/31

Generalized Birthday Algorithm for Decoding

Generalized Birthday Algorithm for Decoding Bibliography Order 2 GBA Camion and Patarin, EUROCRYPT 91 GBA Wagner, CRYPTO 2005 GBA for decoding Coron and Joux, 2004 (IACR eprint), attack against FSB GBA for decoding one out of many Bleichenbacher, 200? (unpublished), attack against CFS 6/31

Generalized Birthday Algorithm for Decoding Order 2 H = s = CSD(H, s, w) find w columns of H adding to s Order 2 Build 4 subsets of {0, 1} r, i {1, 2, 3, 4} (l is optimized later) W i s i + {He T wt(e) = w i } with s = i s i, w i w/4, w = i w i and W i = 2 l Next build W 1,2 and W 3,4 as W i,j = {x + y x W i and y W j match on their first l bits} Any element of W 1,2 W 3,4 provides a solution to CSD(H, s, w) 7/31

Generalized Birthday Algorithm for Decoding Complexity H = s = CSD(H, s, w) find w columns of H adding to s Order 2 If 4 (n w) 2 r/3 then one may choose l = r/3 and W 1,2 W 3,4 with probability > 1/2 complexity O(r2 r/3 ) Else W i = 2 l = 4 (n w complexity O ( r2 r 2l) = O ) and W1,2 W 3,4 with probability 2 r 3l r2 r ( n w ) When w = d GV then ( ) n w 2 r and the complexity is O(r2 r/2 ) 8/31

Generalized Birthday Algorithm for Decoding General Case H = s = CSD(H, s, w) find w columns of H adding to s Order a The best value for l is l = min ( r a + 1, log 2 2a (n ) ) w complexity O(r2 r al ) When 2a ( ) n r w 2 a+1 the complexity is O (r2a+1 r ) else it is O ( r2 r ( n w ) a 2 a ) Only interesting for very large values of w 9/31

GBA for Decoding One Out of Many

Order 2 GBA with Multiple Instances H = s = CSD(H, S, w) find w columns of H adding to s S, N = S Order 2 Build 3 subsets of {0, 1} r, i {1, 2, 3} W i s i + {He T wt(e) = w i } with s 1 + s 2 + s 3 = 0, w 1 + w 2 + w 3 w and a fourth set W 4 S + {He T wt(e) = w 4 } where w 4 = w w 1 w 2 w 3 (possibly w 4 = 0) and all W i = 2 l N Next build W 1,2 and W 3,4 as W i,j = {x + y x W i and y W j match on their first l bits} Any element of W 1,2 W 3,4 provides a solution to CSD(H, S, w) 10/31

Order 2 GBA with Multiple Instances Complexity H = s = CSD(H, S, w) find w columns of H adding to s S, N = S Order 2 ) 4 If 2 r/3 then we may choose l = r/3 and W 1,2 W 3,4 N ( n w with probability > 1/2 complexity O(r2 r/3 ) Else W i = 2 l = 4 (n w complexity O ( r2 r 2l) = O ) and W1,2 W 3,4 with probability 2 r 3l r2 r N( n w ) There is a gain of a factor N as long as N 2 4r/3 / ( n When w = d GV then ( ) n w 2 r and N = 2 r/3 complexity O(r2 r/3 ) w ) 11/31

Bleichenbacher s Attack For CFS (original counter version) one can build as many syndromes as needed by hashing many variants of a favorable message We need to decode w = t errors in a code of length n = 2 m and codimension r = tm For those value, ( ) (n n t 2 r /t! and the largest value for N is 3 t (common size of the 4 lists) the complexity of CSD becomes O ( r2 r/3 (t!) 2/3) with t = 9 and m = 16 we get 2 67.5 with 2 42 instances which can be improved a bit (around 2 63.3 ) because we can use slightly larger ( ) (n ) lists ( instead of 3 ) n 2w/3 w Finally there is a small multiplicative constant (2 to 6) which seems difficult to avoid ) 12/31

Bleichenbacher s Attack For CFS counterless version, the attacker needs to perform a complete decoding. As many variants as needed of a favorable message are hashed to produce the syndromes We need to decode w = d GV > t errors in a code of length n = 2 m and codimension r = tm For those value, ( ) n w 2 r and the good choice for N and the list size is 2 r/3 the complexity of CSD becomes O ( r2 r/3) with w = 11 and m = 16 we get 2 53.6 with 2 48 instances However because w is not a multiple of 3, some ajustement are required and the cost is 2 54.9 with 2 45.4 instances 13/31

GBA with Multiple Instances General Case H = s = CSD(H, S, w) find w columns of H adding to s S Order a The best value for l is l = min complexity O(r2 r al ) ( r a + 1, log 2 2a When 2a N ( ) r n w 2 a+1 the complexity is O Else the complexity is O ( r2 r (N( n w )) a 2 a ) N ( n w ) ) (r2a+1 r ) and we only gain a factor N a 2 a 14/31

Information Set Decoding

Information Set Decoding Bibliography ISD Folklore, 1978 Collision decoding Stern, 1989 Canteaut and Chabaud, IEEE-IT 1998 (1995) Bernstein, Lange, and Peters, PQCrypto 2008 One out of many Johansson and Jönsson, IEEE-IT 2002 15/31

Information Set Decoding First Step Problem: Solve CSD(H 0, y, w) The algorithm involves two parameters p and l which will be chosen to minimize the cost Step 1: Column permutation and Gaussian elimination Pick a random permutation matrix P r l k + l 1 Compute H = UH 0 P = 1 0 H H with U {0, 1} r r non singular and s = Uy l e CSD(H, s, w) ep T CSD(H 0, y, w) 16/31

Information Set Decoding Second Step r l 1 H s H = 1 s = 0 k + l H l s Step 2: Find (all) solutions of CSD(H, s, p) Build two subsets of {0, 1} l : Problem: Solve CSD(H, s, w) W 1 {H e T wt(e) = p/2 } W 2 {H e T wt(e) = p/2 } Any element of W 1 (s +W 2 ) corresponds to a pair (e 1, e 2 ) W 1 W 2 such that e 1 + e 2 CSD(H, s, p) Birthday attack with a search space of size ( ) k+l, we expect that it is optimal for L = W 1 = W 2 = (k+l ) p p 17/31

Information Set Decoding Third Step r l 1 H s H = 1 s = 0 k + l H l s Problem: Solve CSD(H, s, w) e = e e weight w p p Step 3: For all e CSD(H, s, p) found in Step 2. Let e = s + H e T {0, 1} r l and e = (e, e ) If wt(e ) = w p then e = (e, e ) CSD(H, s, w) ( success) 18/31

Information Set Decoding Algorithm 1 r l H s H = 1 s = 0 k + l weight: w p p Subset size in Step 2. L = (could be less) H l s (k+l ) Iteration success probability P = L2 p ( ) r l w p ( n w) Repeat: 1. Permutation + elimination Cost polynomial in n 2. Solve CSD(H, s, p) Birthday attack Total cost is 2lL for L 2 /2 l solutions 3. For each e found in step 2, test the weight of H e T + s One test costs K w p 2(1 + w p) ( 2p(1 + w p) in practice) Total cost is K w p L 2 /2 l All costs in binary operations 19/31

ISD Lower Bound on the Binary Work Factor We neglect the cost of step 1 WF ISD min p,l 1 P p (l) ( 2lL p (l) + L p(l) 2 K w p 2 l ) where nb iter. step 2 step 3 P p (l) is the success probability of one iteration L p (l) is the optimal subset size in step 2 In practice we have P p (l) = ( )( ) k+l r l p w p (k+l ) ( n and L p (l) =, but the w) p general formula is P p (l) = 1 (1 ε) (k+l p ) and L p (l) = P p (l) ε where ε = ( ) r l w p min (( n w ), 2 r ). 20/31

ISD Lower Bound on the Binary Work Factor Assuming L p (l)/p p (l) varies slowly with l, for a given p the optimal value of the parameter l is l p log 2 ( ln(2)kw p L p (l p ) 2 Taking into account the variation of L p (l)/p p (l) leads to a marginaly smaller value of l p with no easy closed expression For convenience, we will use below the notations l, L and P (instead of l p, L p (l p ) and P p (l p )) to denote the optimal values Claim. Provided there are solutions to CSD(H 0, y, w), the cost for finding one with ISD is not smaller than ) WF ISD min p 2lL P 21/31

ISD One Out of Many

Information Set Decoding One Out of Many First Step Problem: Solve CSD(H 0, Y, w) The algorithm involves two parameters p and l which will be chosen to minimize the cost Step 1: Column permutation and Gaussian elimination Pick a random permutation matrix P r l k + l 1 Compute H = UH 0 P = 1 0 H H with U {0, 1} r r non singular and S = {Uy y Y} l e CSD(H, S, w) ep T CSD(H 0, Y, w) 22/31

Information Set Decoding One Out of Many Second Step r l 1 H s H = 1 s = 0 k + l H l s Step 2: Find (all) solutions of CSD(H, S, p) Build two subsets of {0, 1} l : Problem: Solve CSD(H, S, w) S the set of all s W 1 {H e T wt(e) = a} W 2 {H e T wt(e) = b} (a + b = p) Any element of W 1 (S +W 2 ) corresponds to a pair (e 1, e 2 ) W 1 W 2 such that e 1 + e 2 CSD(H, S, p) In fact the solutions are triples (e 1, e 2, s = (s, s )) W 1 W 2 S Birthday attack with a search space of size N ( ) k+l p, we expect that ) ( ) it is optimal for L = W 1 = N W 2 = ( N L k+l ) N ( k+l p p 23/31

Information Set Decoding One Out of Many Third Step r l 1 H s H = 1 s = 0 k + l e = e e weight w p p H l s Step 3: For all e found in Step 2. (e is associated to some s = (s, s ) S) Let e = s + H e T {0, 1} r l and e = (e, e ) Problem: Solve CSD(H, S, w) If wt(e ) = w p then e = (e, e ) CSD(H, s, w) CSD(H, S, w) ( success) 24/31

Information Set Decoding One Out of Many Algorithm 1 r l H s H = 1 s = 0 k + l weight: w p p Subset size in Step 2. L = (could be less) H l s N ( ) k+l p Iteration success probability ( ) r l P = L2 w p ( n if P 1 w) Repeat: 1. Permutation + elimination Cost polynomial in n +? 2. Solve CSD(H, S, p) Birthday attack Total cost is 2lL for L 2 /2 l solutions 3. For each e found in step 2, test the weight of H e T + s One test costs K w p 2(1 + w p) ( 2p(1 + w p) in practice) Total cost is K w p L 2 /2 l All costs in binary operations 25/31

ISDOOM Lower Bound on the Binary Work Factor We neglect the cost of step 1 where WF (N) ISD min p,l 1 P p (N) (l) 2lL (N) p (l) + L(N) p nb iter. step 2 step 3 (l) 2 K w p 2 l P p (N) (l) is the success probability of one iteration L (N) p (l) is the optimal subset size in step 2 In practice we have P p (N) (l) = N ( )( ) k+l r l p w p ( n w ) and L (N) p (l) = N ( ) k+l p, but the general formula is P p (N) (l) = 1 (1 ε) N ( k+l p ) and L p (N) (l) = P p (N) ε (l) where ε = ( ) r l w p min (( n w ), 2 r ). 26/31

ISDOOM Lower Bound on the Binary Work Factor For a given p the optimal value of the parameter l is l (N) p log 2 ln(2)k w pl (N) p 2 (l (N) p ) For convenience, we will use below the notations l, L and P instead of l (N) p, L p (N) (l (N) p ) and P p (N) (l p (N) ) to denote the optimal values Claim. Provided there are solutions to CSD(H 0, y, w) for all y Y, the cost for finding one solution of CSD(H 0, Y, w) with ISD is not smaller than WF (N) ISD min 2l L p For fixed p and l we have L NL and P NP so we expect a gain of a factor N P 27/31

ISDOOM Complexity gain More precisely, as long as N is not too large where c 1 l l + x l + log 2 N L (k+l+x ) N NL exp ( c 12 x ) P N p k + l p 1 2 ( p )( ) k+l+x r l x p w p 2l L P ( n w) NP exp (c 1 x c 2 x) and c 2 2lL P ( w p r l w p 1 2 1 + log 2 N l ) (both 1) 1 N 1 c where c (c 2 c 1 /2)/ ln 2 is a small (usually positive) constant 28/31

About tightness I ve been cheating you! It is not possible to claim a computational gain from lower bounds!!! We need tight bounds to do that and so we must make sure it was legitimate to neglect the cost of the first step Computing the set S = {Uy y Y} will cost something like 2r(K w p + l)n log 2 N possibly less because there are ways to reduce the impact of Step 1. [Bernstein, Lange, Peters, PQCrypto 2008] This has to be compared with 2lL, the cost of an iteration Consequence: if r(k w p + l)n log 2 N ll the gain is smaller than expected 29/31

Some Numbers McEliece or Niederreiter n = 2 11, w = 32, r = 352 single multiple p l WF l N WF 4 22 85.9 40 2 38 74.2 6 30 85.9 55 2 52 66.2 8 37 86.3 61 2 49 66.1 10 45 87.0 65 2 41 69.9 CFS - counterless version n = 2 16, w = 11, r = 144 single multiple p l WF l N WF 4 31 85.2 56 2 57 63.0 6 44 81.1 60 2 38 66.6 8 56 77.8 64 2 20 70.9 10 68 76.2 69 2 5 76.0 30/31

Conclusion Further work DOOM is a threat to code-based crypto Its impact can be cancelled Against the signature scheme Repared by Finiasz (SAC 2010) decode several (3 or 4) related syndromes Against McEliece (or Niederreiter) If you are going to encrypt many messages you may chain them Security of FSB: what about w > d GV or regular words? Are there other ways to use multiple instances? 31/31

Thank you

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback