Code-based cryptography


Pierre-Louis Cayrel, Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F, 18 rue du professeur Benoît Lauras, 42000 Saint-Etienne, France
pierre.louis.cayrel@univ-st-etienne.fr
June 4th 2013
Pierre-Louis CAYREL Code-based cryptography 1/43

Syndrome decoding problem
Input: H, a matrix of size r × n; S, a vector of F_2^r; t, an integer.
Problem: does there exist a vector e of F_2^n of weight t such that S = H e^T?
The problem is NP-complete: E.R. Berlekamp, R.J. McEliece and H.C. van Tilborg, 1978.


What can we do with this problem? Encryption, signatures, identification, hash functions, stream ciphers.


Menu 1 Error-correcting codes 2 3 4 5 6


Error-correcting codes
Error-correcting codes make it possible to correct errors when communication takes place over a noisy channel: we add redundancy to the transmitted information.
Figure: the codeword c = m | r (message m followed by redundancy r) is sent over the channel, the noise e is added, and the receiver gets y = c + e; the message is recovered by correcting the errors when the received word is corrupted.
Stronger than a simple parity check, they can detect and correct errors.
We use them in DVDs and CDs (to reduce the effects of dust...) and in phones (to improve the quality of the communication).
Cryptography?

Linear codes
The most used codes in error correction: error-correcting codes for which the redundancy depends linearly on the information. They can be defined by a generator matrix: c is a word of the code C if and only if c = m G for some message m.
Figure: G, a generator matrix in systematic form.
The generator matrix G is a k × n matrix; the rows of G form a basis for the code C.

Minimum distance
The Hamming weight of a word c is the number of its non-zero coordinates. The minimum distance d of a code is the minimum Hamming distance between two distinct words of the code. For a linear code it is also the smallest weight of a non-zero codeword.

Parity check matrix
The parity check matrix H is orthogonal to G: it is an (n − k) × n matrix (we will use the notation r := n − k); it is the generator matrix of the dual code; the code C is the kernel of H. c ∈ C if and only if H c^T = 0.
For a received word y = c + e, the syndrome s = H y^T = H c^T + H e^T = H e^T depends only on the error: it is the syndrome of the error.
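As an added worked example (not part of the talk), the statements of the last three slides carried out on the [7,4,3] Hamming code, a constructed toy: the systematic generator matrix G, the parity check matrix H = [A^T | I_r] with H G^T = 0, the minimum distance computed both as the smallest pairwise distance and as the smallest non-zero weight, and the syndrome of a noisy word y = c + e, which equals H e^T and, for a single error, is the column of H at the error position. The matrix G, the message and the error position are constructed for the example; all function names are the example's own.

```python
"""Linear code basics over F_2 on the [7,4,3] Hamming code (constructed example)."""
import itertools

# Generator matrix in systematic form G = [I_4 | A]: the message is the first k coordinates.
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
K, N = len(G), len(G[0])
R = N - K                                   # redundancy r := n - k

def vec_mat(m, M):
    """Row vector times matrix over F_2: the codeword c = m G."""
    return [sum(mi * row[j] for mi, row in zip(m, M)) % 2 for j in range(len(M[0]))]

def mat_vec(M, v):
    """Matrix times column vector over F_2: the syndrome H v^T."""
    return [sum(h * x for h, x in zip(row, v)) % 2 for row in M]

def parity_check(G):
    """For G = [I_k | A] take H = [A^T | I_r]; then H G^T = A^T + A^T = 0, so C = ker H."""
    A = [row[K:] for row in G]
    return [[A[i][j] for i in range(K)] + [int(j == l) for l in range(R)] for j in range(R)]

def orthogonal(G, H):
    """H is orthogonal to G: every row of G (hence every codeword) has syndrome 0."""
    return all(not any(mat_vec(H, row)) for row in G)

def codewords(G):
    return [vec_mat(m, G) for m in itertools.product((0, 1), repeat=K)]

def minimum_distance(G):
    """d as the smallest distance between distinct codewords, which for a linear code
    equals the smallest weight of a non-zero codeword (both are computed and compared)."""
    words = codewords(G)
    d_pairs = min(sum(a ^ b for a, b in zip(u, v)) for u, v in itertools.combinations(words, 2))
    d_weight = min(sum(c) for c in words if any(c))
    assert d_pairs == d_weight
    return d_pairs

def correct_single_error(H, y):
    """s = H y^T = H c^T + H e^T = H e^T; for a weight-1 error it is the column of H at the error position."""
    s = mat_vec(H, y)
    if not any(s):
        return y[:]
    columns = [[row[j] for row in H] for j in range(N)]
    c = y[:]
    c[columns.index(s)] ^= 1
    return c

def demo(m=(1, 0, 1, 1), err_pos=5):
    """Encode a constructed message, corrupt one position, and recover the codeword."""
    H = parity_check(G)
    c = vec_mat(m, G)
    e = [int(i == err_pos) for i in range(N)]
    y = [a ^ b for a, b in zip(c, e)]
    assert mat_vec(H, y) == mat_vec(H, e)   # the syndrome depends only on the error
    return correct_single_error(H, y)
```

Because the seven columns of H are the seven distinct non-zero vectors of F_2^3, every single error has its own syndrome, which is exactly why d = 3 lets one error be corrected.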


Code-based cryptosystems were introduced by McEliece at the same time as RSA.
Advantages: faster than RSA; not based on a number-theory problem (post-quantum secure); does not need crypto-processors; based on a hard problem (the syndrome decoding problem...).
Disadvantages: the size of the public keys (few hundred bits...).


How does the McEliece PKC work?
Generate a code for which we have a decoding algorithm, with generator matrix G: this is the private key.
Transform G to obtain G' which seems random: this is the public key.
Encrypt a message m by computing c = m G' + e, with e a random vector of weight t.

Niederreiter: a dual construction using H instead of G? Security equivalent to the McEliece scheme.
Private key: C, an [n, r, d] code which corrects t errors; H, a parity check matrix of C, and γ_H, a decoding algorithm for C; Q, an r × r invertible matrix; P, an n × n permutation matrix.
Public key: H' = Q H P.
Encryption: φ_{n,t}: m → e, with e of weight t; S = H' e^T = Q H P e^T.
Decryption: decode Q^{-1} S = (Q^{-1} Q) H P e^T into P e^T, then P^{-1} P e^T gives e, and φ_{n,t}^{-1}(e) = m.

Hardware?
Eisenbarth et al., "MicroEliece: McEliece for Embedded Devices", CHES 2009.
Shoufan et al., "A Novel Processor Architecture for McEliece Cryptosystem and FPGA Platforms", ASAP 2009.
Heyse, "Low-Reiter: Niederreiter Scheme for Embedded Microcontrollers", PQCrypto 2010.
Strenzke, "A Smart Card Implementation of the McEliece PKC", WISTP 2010.
Heyse, "CCA2 secure McEliece based on Quasi Dyadic Goppa Codes for Embedded Devices", PQCrypto 2011.
Cayrel, Hoffmann and Persichetti, "Efficient implementation of a CCA2-secure variant of McEliece using generalized Srivastava codes", PKC 2012.

Generalized Srivastava codes: what are they? Why?
Generalized Srivastava (GS) codes are Alternant codes (efficient decoding algorithm).
There are quasi-dyadic GS codes (small public key size: 2560 bytes for 80-bit security).
A nice structure (defined over a small extension field; secure against structural attacks).
We (Gerhard Hoffmann) implemented a CCA2-secure version of McEliece on a microcontroller.
Figure: from the PKC 2012 paper.


From PKC to signature: RSA, yes; McEliece and Niederreiter, not directly.



CFS signature scheme
Let d be the message to sign; we compute M = h(d), where h is a hash function with values in F_2^r. We search for e ∈ F_2^n of given weight t with h(m) = H e^T. Let γ_H be a decoding algorithm:
1 i ← 0
2 while h(m || i) is not decodable do i ← i + 1
3 compute e = γ_H(h(m || i))
Figure: the CFS signature scheme. The signer sends {e, j} such that h(m || j) = H e^T.

We need a dense family of codes: Goppa codes, binary Goppa codes, with t small. The probability for a random element to be decodable (to lie in a ball of radius t centered on a codeword) is 1/t!. We take n = 2^m, m = 16, t = 9: we have 1 chance over 9! = 362880 to get a decodable word.
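The Niederreiter construction of the earlier slide and the CFS signing loop above, carried out end to end as one added example (this is not code from the talk or from its authors). The talk's Goppa codes are replaced by a constructed [15,7,5] binary BCH code (n = 15, r = 8, t = 2) and the algebraic decoder γ_H by a brute-force syndrome table, which is only feasible because n is tiny; φ_{n,t} is realised by indexing the list of weight-t supports, and h is SHA-256 truncated to r bits. Both schemes use the same private operation: multiply by Q^{-1}, decode, undo P. The share of syndromes that decode is 121/256 ≈ 0.47, the toy's version of the 1/t! estimate (here 1/2! = 0.5): for n = 2^m and r = m t there are about C(n, t) ≈ n^t / t! decodable syndromes out of 2^r = n^t. Parameters are far too small for security; only the algebra is demonstrated, and all names are the example's own.

```python
"""Toy Niederreiter encryption and CFS signing on one trapdoor (constructed, insecure parameters)."""
import hashlib
import itertools
import random

N, R, T = 15, 8, 2                                    # length, redundancy (rows of H), errors corrected
rng = random.Random(2013)                             # fixed seed so the example is reproducible
SUPPORTS = list(itertools.combinations(range(N), T))  # phi_{n,t}: message index -> weight-t support

def gf16_mul(a, b):
    """Multiply in GF(16) = F_2[x]/(x^4 + x + 1); elements are 4-bit ints."""
    p = 0
    for k in range(4):
        if (b >> k) & 1:
            p ^= a
        a = (a << 1) ^ (0x13 if a & 8 else 0)         # a <- a * x, reduced
    return p

def bch_parity_check():
    """H of the [15,7,5] BCH code: column i stacks the bits of alpha^i over those of alpha^(3i)."""
    cols, a = [], 1
    for _ in range(N):
        a3 = gf16_mul(a, gf16_mul(a, a))
        cols.append([(a >> k) & 1 for k in range(4)] + [(a3 >> k) & 1 for k in range(4)])
        a = gf16_mul(a, 2)                            # next power of alpha = x
    return [list(row) for row in zip(*cols)]

def syndrome(H, e):
    """s = H e^T over F_2, as a tuple so it can key the decoder table."""
    return tuple(sum(h * x for h, x in zip(row, e)) % 2 for row in H)

def build_decoder(H, t):
    """Stand-in for gamma_H: table syndrome -> error of weight <= t (feasible only for tiny n)."""
    table = {}
    for support in itertools.chain.from_iterable(itertools.combinations(range(N), w) for w in range(t + 1)):
        e = [int(i in support) for i in range(N)]
        s = syndrome(H, e)
        assert s not in table, "code does not correct t errors"  # holds since d = 5 >= 2t + 1
        table[s] = e
    return table

def mat_mul(A, B):
    return [[sum(x * y for x, y in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def gf2_inverse(M):
    """Gauss-Jordan inverse over F_2; None when M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [x ^ y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def keygen():
    """Private key: decoder for H, Q^-1, P (as a permutation); public key: H' = Q H P."""
    H, Q_inv = bch_parity_check(), None
    while Q_inv is None:                              # random r x r Q, retried until invertible
        Q = [[rng.randrange(2) for _ in range(R)] for _ in range(R)]
        Q_inv = gf2_inverse(Q)
    perm = list(range(N))
    rng.shuffle(perm)                                 # P acts as (P e^T)_i = e[perm[i]]
    inv = {j: i for i, j in enumerate(perm)}
    HP = [[row[inv[j]] for j in range(N)] for row in H]   # H P, so that (H P) e^T = H (P e^T)
    return {"decode": build_decoder(H, T), "Q_inv": Q_inv, "perm": perm}, mat_mul(Q, HP)

def trapdoor_decode(sk, S):
    """Shared private step: the e of weight <= t with H' e^T = S, or None if S is not decodable."""
    S1 = tuple(row[0] for row in mat_mul(sk["Q_inv"], [[b] for b in S]))   # Q^-1 S = H (P e^T)
    e_perm = sk["decode"].get(S1)
    if e_perm is None:
        return None
    e = [0] * N
    for i, j in enumerate(sk["perm"]):                # undo P
        e[j] = e_perm[i]
    return e

def encrypt(H_pub, m):
    """Niederreiter encryption: S = H' e^T with e = phi_{n,t}(m)."""
    return syndrome(H_pub, [int(i in SUPPORTS[m]) for i in range(N)])

def decrypt(sk, S):
    """Niederreiter decryption: trapdoor-decode, then phi_{n,t}^-1."""
    return SUPPORTS.index(tuple(i for i, b in enumerate(trapdoor_decode(sk, S)) if b))

def hash_to_syndrome(msg, i):
    """h(m || i) in F_2^r: SHA-256 truncated to r bits (a constructed choice of h)."""
    d = hashlib.sha256(msg + i.to_bytes(4, "big")).digest()
    return tuple((d[k // 8] >> (k % 8)) & 1 for k in range(R))

def cfs_sign(sk, msg):
    """CFS: i <- 0; while h(m || i) is not decodable do i <- i + 1; e = gamma_H(h(m || i))."""
    i = 0
    while trapdoor_decode(sk, hash_to_syndrome(msg, i)) is None:
        i += 1
    return trapdoor_decode(sk, hash_to_syndrome(msg, i)), i

def cfs_verify(H_pub, msg, e, j):
    return sum(e) <= T and syndrome(H_pub, e) == hash_to_syndrome(msg, j)
```

Run `sk, pk = keygen()` once, then `decrypt(sk, encrypt(pk, m))` for any m below C(15, 2) = 105, and `cfs_verify(pk, msg, *cfs_sign(sk, msg))`; `len(sk["decode"]) / 2 ** R` gives the decodable fraction 121/256, so the signing loop needs about two hash attempts on average, just as the talk's parameters need about 9! of them.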

How to improve this scheme (make it more practical)?
QD codes (still dense).
Implement the scheme on GPU (in progress; Keccak on GPU already done).
Hash directly into decodable elements (hard, but in progress).
Use a stream cipher instead of a hash function (semantic security?).
Side-channel analysis: we decode many times instead of once as in McEliece; implementation in hardware (FPGA, ASIC?); countermeasure: Berlekamp-Massey instead of Patterson.
New constructions (from identification schemes or OTS).



Identification
Generate a random matrix H of size r × n and choose an integer t, the weight: this is the public key (H, t). Each user receives e, a vector of n bits and weight t: this is the private key. Each user computes S = H e^T (just once, for H fixed); S is public.

A wants to prove to B that she knows the secret, but she does not want to divulge it. The protocol runs λ rounds, each of them defined as follows.




Efficient (software) implementation of the signature scheme (submitted).
Figure: from El Yousfi's thesis.
Security of the Fiat-Shamir transformation for n-pass schemes (Africacrypt 2012).
Generalization to TRSS (WAIFI 2012).
3 rounds and cheating probability 1/2.


How to hash?


How could φ_{n,t} work?

How to generate pseudo-random sequences?


Improved schemes: XSYND (Africacrypt 2012), PSYND (submitted).
Figure: from Meziani's slides.
Efficient implementations (submitted).


Study of the QC/QD constructions; identity-based encryption.
FPGA implementation; smaller public keys.
3-pass and soundness 1/2; efficient implementation.
Fast schemes; study of side-channel attacks.
