a key recovery attack on mdpc with cca security using
play

A Key Recovery Attack on MDPC with CCA Security Using Decoding - PowerPoint PPT Presentation

Nov 15, 2022 •21 likes •381 views

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016 Outline 1 Motivation 2 Background on

  1. A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016

  2. Outline 1 Motivation 2 Background on QC-MDPC 3 The New Idea Using Decoding Errors Key-Recovery from Distance Spectrum (DS) On Plain QC-MDPC (CPA) On the CCA-Secure Version An Intuitive Explanation 4 Results 5 Discussions and Conclusions Qian Guo, Thomas Johansson, Paul Stankovski, 2 / 24

  3. Outline 1 Motivation 2 Background on QC-MDPC 3 The New Idea Using Decoding Errors Key-Recovery from Distance Spectrum (DS) On Plain QC-MDPC (CPA) On the CCA-Secure Version An Intuitive Explanation 4 Results 5 Discussions and Conclusions Qian Guo, Thomas Johansson, Paul Stankovski, 3 / 24

  4. Motivation ◮ Quantum computers break cryptosystems based on the hardness of factoring and discrete log—e.g., RSA, ECC. ◮ Post-quantum candidates: lattice-based, code-based, hash-based, multivariate crypto. Qian Guo, Thomas Johansson, Paul Stankovski, 3 / 24

  5. Motivation ◮ Quantum computers break cryptosystems based on the hardness of factoring and discrete log—e.g., RSA, ECC. ◮ Post-quantum candidates: lattice-based, code-based, hash-based, multivariate crypto. ◮ Code-based cryptosystems—e.g., McEliece using Goppa codes [McEliece 1978]. ◮ Main drawback: large key-size. Qian Guo, Thomas Johansson, Paul Stankovski, 3 / 24

  6. Motivation ◮ Quantum computers break cryptosystems based on the hardness of factoring and discrete log—e.g., RSA, ECC. ◮ Post-quantum candidates: lattice-based, code-based, hash-based, multivariate crypto. ◮ Code-based cryptosystems—e.g., McEliece using Goppa codes [McEliece 1978]. ◮ Main drawback: large key-size. ◮ An important variant: QC-MDPC [Misoczki, Tillich, Sendrier, Barreto 2013]. ◮ Much smaller key-size: 4801 bits for 80-bit security. ◮ good security arguments (very little structure). ◮ easy implementation (including lightweight implementation) [Heyse, von Maurich, Güneysu, 2013]. ◮ A scheme recommended for further study. Qian Guo, Thomas Johansson, Paul Stankovski, 3 / 24

  7. Motivation ◮ Quantum computers break cryptosystems based on the hardness of factoring and discrete log—e.g., RSA, ECC. ◮ Post-quantum candidates: lattice-based, code-based, hash-based, multivariate crypto. ◮ Code-based cryptosystems—e.g., McEliece using Goppa codes [McEliece 1978]. ◮ Main drawback: large key-size. ◮ An important variant: QC-MDPC [Misoczki, Tillich, Sendrier, Barreto 2013]. ◮ Much smaller key-size: 4801 bits for 80-bit security. ◮ good security arguments (very little structure). ◮ easy implementation (including lightweight implementation) [Heyse, von Maurich, Güneysu, 2013]. ◮ A scheme recommended for further study. ◮ Our goal: to recover the secret key Qian Guo, Thomas Johansson, Paul Stankovski, 3 / 24

  8. Outline 1 Motivation 2 Background on QC-MDPC 3 The New Idea Using Decoding Errors Key-Recovery from Distance Spectrum (DS) On Plain QC-MDPC (CPA) On the CCA-Secure Version An Intuitive Explanation 4 Results 5 Discussions and Conclusions Qian Guo, Thomas Johansson, Paul Stankovski, 4 / 24

  9. QC-MDPC Codes Quasi-cyclic Codes Suppose n = n 0 r . An [ n , n − r ] -linear code C over F 2 is quasi-cyclic if every cyclic shift of a codeword by n 0 steps remains a codeword. We assume that n 0 = 2 throughout the remaining slides. ◮ For convenience, we write H = [ H 0 | H 1 ] , � 1 H 0 ) T � I | ( H − 1 G = [ I | P ] = . where H i are circulant matrices (defined by its first row). ◮ Operations can be viewed in the polynomial ring F 2 [ x ] / � x r − 1 � . h 0 ( x ) , h 1 ( x ) , p ( x ) = h 0 ( x ) / h 1 ( x ) , . . . ◮ The polynomial h 0 ( x ) can also be represented by a vector h 0 . Qian Guo, Thomas Johansson, Paul Stankovski, 4 / 24

  10. QC-MDPC Codes LDPC/MDPC Codes A Low Density Parity-Check Code (LDPC) is a linear code admitting a sparse parity-check matrix, while a Moderate Density Parity-Check Code (MDPC) is a linear code with a denser but still sparse parity-check matrix. ◮ LDPC codes are with small constant row weights. � ◮ MDPC codes with row weights scale in O ( n log n ) . QC-MDPC Codes A QC-MDPC code is a quasi-cyclic MDPC code with row weight ˆ w . Qian Guo, Thomas Johansson, Paul Stankovski, 4 / 24

  11. The QC-MDPC PKC Scheme ◮ KeyGen(): ◮ Generate a parity-check matrix H = [ H 0 | H 1 ] for a binary QC-MDPC code with row weight ˆ w . ◮ Derive the systematic generator matrix G = [ I | P ] , where P = ( H − 1 1 H 0 ) T . ◮ The public key: G . The private key: H . ◮ Enc G ( m ): ◮ Generate a random error vector e with weight t . ◮ The ciphertext is c = mG + e . ◮ Dec H ( c ): ◮ Compute the syndrome vector s = cH T = eH T , and then use an iterative decoder to extract the noise e . ◮ Recover the plaintext m from the first k entries of mG . Qian Guo, Thomas Johansson, Paul Stankovski, 5 / 24

  12. CCA-Secure Version ◮ Extending the security model beyond CPA: ◮ Resend attacks, reaction attacks, chosen ciphertext attacks,... ◮ To cope with CCA, one can use a CCA conversion, e.g., the one suggested by Kobara, Imai in 2001. ◮ The CCA conversion makes the choice of error vector e "random". Suggested parameters for 80-bit security: n = 9602 , k = r = 4801 , ˆ w = 90 , t = 84 public key: 4801 bits Qian Guo, Thomas Johansson, Paul Stankovski, 6 / 24

  13. Iterative Decoding: Gallager’s Bit-Flipping Strategy E 1 E 2 E 3 E 4 E 5 E 6 E 7 digit nodes check nodes C 1 C 2 C 3 cH T = ( v + e ) H T = eH T = s ◮ Start with Tanner graph for H , initial syndrome s and set digit nodes to zero. Add a counter to each digit node. ◮ For the t th iteration: ◮ Run through all parity-check equations and for every digit node connected to an unsatisfied check node, increase its corresponding counter by one. ◮ Run through all digit nodes and flip its value if its counter satisfies a certain constraint, e.g., the counter surpasses a threshold. Qian Guo, Thomas Johansson, Paul Stankovski, 7 / 24

  14. Outline 1 Motivation 2 Background on QC-MDPC 3 The New Idea Using Decoding Errors Key-Recovery from Distance Spectrum (DS) On Plain QC-MDPC (CPA) On the CCA-Secure Version An Intuitive Explanation 4 Results 5 Discussions and Conclusions Qian Guo, Thomas Johansson, Paul Stankovski, 8 / 24

  15. Basic Scenario E pk Bob ( m i ) Alice Bob i = 1 , . . . Alice Bob “YES” or ⊥ ◮ In terms of a security model definition, the attack is called a reaction attack . ◮ A weaker model than CCA (a stronger attack). ◮ Resend and reaction attacks on McEliece PKC have appeared before. However, they have only targeted message recovery. ◮ Key recovery: to recover h 0 . Qian Guo, Thomas Johansson, Paul Stankovski, 8 / 24

  16. Basic Scenario E pk Bob ( m i ) Alice Bob i = 1 , . . . Alice Bob “YES” or ⊥ ◮ In terms of a security model definition, the attack is called a reaction attack . ◮ A weaker model than CCA (a stronger attack). ◮ Resend and reaction attacks on McEliece PKC have appeared before. However, they have only targeted message recovery. ◮ Key recovery: to recover h 0 . ◮ Show: Decoding error probabilities for different error patterns ⇒ the private key h 0 . Qian Guo, Thomas Johansson, Paul Stankovski, 8 / 24

  17. Key-Related Property: Distance Spectrum (DS) Distance Spectrum (DS) The distance spectrum for h 0 , denoted D ( h 0 ) , is given as D ( h 0 ) = { d : 1 ≤ d ≤ ⌊ r 2 ⌋ , ∃ a pair of ones with distance d in cyc ( h 0 ) } . Here cyc ( h 0 ) includes all cyclic shifts of h 0 . Since a distance d can appear many times in h 0 , we introduce the multiplicity µ ( d ) . As an example, for the bit pattern c = 0011001 we have r = 7 and 1 ≤ d ≤ 3. Thus, D ( c ) = { 1 , 3 } , with distance multiplicities µ ( 1 ) = 1 , µ ( 2 ) = 0 and µ ( 3 ) = 2. ◮ D ( h 0 ) ⇒ the private key h 0 . Qian Guo, Thomas Johansson, Paul Stankovski, 9 / 24

  18. Reconstruction of h 0 from DS · · · 0 i 0 i 1 i 2 Assuming D ( h 0 ) is known, we can reconstruct h 0 . ◮ Start by assigning the first two ones in a length i 0 vector in position 0 and i 0 , where i 0 is the smallest value in D ( h 0 ) . ◮ Put the third one in a position and test if the two distances between this third one and the previous two ones both appear in the distance spectrum. If they do not, we test the next position for the third bit. ◮ If they do, we move to test the fourth bit and its distances to the previous three ones, etc. In expectation, it is efficient. Qian Guo, Thomas Johansson, Paul Stankovski, 10 / 24

  19. Main Observation The Problem Decoding error probabilities for different error patterns ⇒ D ( h 0 ) ? Qian Guo, Thomas Johansson, Paul Stankovski, 11 / 24

  20. Main Observation The Problem Decoding error probabilities for different error patterns ⇒ D ( h 0 ) ? Main Observation For a distance d , consider the error patterns with at least one pair of ones at distance d . Then, the decoding error probability when d ∈ D ( h 0 ) is smaller than that if d �∈ D ( h 0 ) . Qian Guo, Thomas Johansson, Paul Stankovski, 11 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of

A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of

A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of Bergen. This is a joint work with Thomas Johansson and Paul Stankovski. Finse winter school 2018 May 11th, 2018 Outline 1 Motivation 2 Background on

813 views • 38 slides
A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul Stankovski 2 , Pavol Zajac 1 , Qian Guo 2 , Thomas Johansson

693 views • 37 slides
QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 Edward Eaton 1 , Matthieu

QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 Edward Eaton 1 , Matthieu

QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 Edward Eaton 1 , Matthieu Lequesne 2,3 , Alex Parent 1 and Nicolas Sendrier 3 1 - ISARA Corporation, Waterloo, Canada 2 - Sorbonne Universit Paris, France 3 - Inria Paris,

1.05k views • 91 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
Again Guideline of IPA Again Guideline of IPA We respect the IPAs policy so that we reported

Again Guideline of IPA Again Guideline of IPA We respect the IPAs policy so that we reported

Extended APOP Password Extended APOP Password Recovery Attack Recovery Attack Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro (The University of Electro-Communications) 31 characters can be recovered. Remark: This research was done only

117 views • 7 slides
Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Attack Graphs Systems and Internet Infrastructure Security (SIIS)

1.06k views • 60 slides
Effective Security Going Back To The Basics M e r i k e K a e o , C T O m e r i k e @ f s i .

Effective Security Going Back To The Basics M e r i k e K a e o , C T O m e r i k e @ f s i .

Effective Security Going Back To The Basics M e r i k e K a e o , C T O m e r i k e @ f s i . i o FARSIGHT SECURITY DISCUSSION POINTS Attack Trends A Historical View Attack Vectors in Recent Years Evolution of Mitigation

634 views • 29 slides
Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018 Attack Surface Reduction x =

2.55k views • 62 slides
Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT11 Michael Gorski,

1.16k views • 48 slides
Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By Gaetan Leurent Presented by:- Guided By:- Raagi Sukhlecha Prof. Anish Mathuria Lalit Agarwal Outline Introduction APOP What is

953 views • 79 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun & profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
1 11/05/2016 18:35 Strong recovery in Q4 post cyber attack Lowest ever churn Flat net

1 11/05/2016 18:35 Strong recovery in Q4 post cyber attack Lowest ever churn Flat net

1 11/05/2016 18:35 Strong recovery in Q4 post cyber attack Lowest ever churn Flat net adds Strongest quarter of RGU growth +148k FY EBITDA 260m in line with guidance; material step up in H2 margin to 18.4% Reiterating FY17

651 views • 43 slides
...well theres a language called Go... James Stenger Jillian Knoll Lusa Zhan Jonathan

...well theres a language called Go... James Stenger Jillian Knoll Lusa Zhan Jonathan

...well theres a language called Go... James Stenger Jillian Knoll Lusa Zhan Jonathan Barrios System Architect Language Guru Project Manager Tester Goals Both functional and object oriented: - We want to create a functional

685 views • 8 slides
Common Language Infrastructure (CLI) Introduction and Class Library Factorization

Common Language Infrastructure (CLI) Introduction and Class Library Factorization

Common Language Infrastructure (CLI) Introduction and Class Library Factorization Hewlett-Packard Intel Microsoft Outline What is the CLI? Factoring the Base Class Libraries Categories Packages by Category Questions and

271 views • 26 slides
DRILLING PART 3 CAP Safety Meetings Revision: 07 2011 CAP Safety Meetings DRILLING

DRILLING PART 3 CAP Safety Meetings Revision: 07 2011 CAP Safety Meetings DRILLING

DRILLING PART 3 CAP Safety Meetings Revision: 07 2011 CAP Safety Meetings DRILLING PART 3 1 PEC/Premier Safety Management, Inc. Revision: [07-2011] T RIPPING O UT / I N Tripping refers to the process of removing and/or replacing

435 views • 30 slides
PORTFOLIO Our power Software Mobile Development APIs Development Technology consultancy

PORTFOLIO Our power Software Mobile Development APIs Development Technology consultancy

PORTFOLIO Our power Software Mobile Development APIs Development Technology consultancy Cloud Integrations Devops Web Scraping & Clients about us Design Automation SOFTWARE DEVELOPMENT Projects Content Management System

145 views • 12 slides
Disk Formation with Ambipolar Diffusion from Low- to High- Mass Star Formation Benot Commeron

Disk Formation with Ambipolar Diffusion from Low- to High- Mass Star Formation Benot Commeron

Disk Formation with Ambipolar Diffusion from Low- to High- Mass Star Formation Benot Commeron Centre de Recherche Astrophysique de Lyon Ugo Lebreuilly, Matthias Gonzlez, Patrick Hennebelle, Gilles Chabrier, Pierre Marchand, Jacques Masson,

413 views • 20 slides
Linux Plumbers Conference Scaling Microconference RCU Judy Arrays: cache-efficient, compact, fast

Linux Plumbers Conference Scaling Microconference RCU Judy Arrays: cache-efficient, compact, fast

Linux Plumbers Conference Scaling Microconference RCU Judy Arrays: cache-efficient, compact, fast and scalable trie E-mail: mathieu.desnoyers@efficios.com Mathieu Desnoyers August 31th, 2012 1 > Presenter Mathieu Desnoyers

791 views • 35 slides
OpenStack and Cars the OpenStack Journey of the Volkswagen Group Holger Urban / Tilman

OpenStack and Cars the OpenStack Journey of the Volkswagen Group Holger Urban / Tilman

OpenStack and Cars the OpenStack Journey of the Volkswagen Group Holger Urban / Tilman Schulz #ThinkReinvented Volkswagen Group ~ 10 million Vehicles per year > 600 thousand Employees > 167 Locations // Disruption of the

434 views • 18 slides
ZOHO PROJECTS PARTNER PROGRAM ABOUT ZOHO At Zoho, software is our craft and passion. We create

ZOHO PROJECTS PARTNER PROGRAM ABOUT ZOHO At Zoho, software is our craft and passion. We create

ZOHO PROJECTS PARTNER PROGRAM ABOUT ZOHO At Zoho, software is our craft and passion. We create beautiful software to solve business problems. Over the past decade of our journey, the Zoho suite has emerged to be a leader in the cloud and on

231 views • 21 slides

More recommend