
A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo - PowerPoint PPT Presentation



  1. A Reaction Attack against Cryptosystems based on LRPC Codes. Gustavo Banegas, joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti. Latincrypt 2019, October 3rd, 2019.

  2. Outline: Introduction; Reaction Attack; Our Result; Conclusion.

  3. Post-quantum cryptography. Why do we need post-quantum cryptography? Shor's Algorithm solves in polynomial time:
    ◮ Integer factorization; RSA is dead.
    ◮ The discrete-logarithm problem in finite fields; DSA is dead.
    ◮ The discrete-logarithm problem on elliptic curves; ECDSA is dead.

  4. Post-quantum cryptography. What is post-quantum cryptography?

  5. Post-quantum cryptography. Timeline:
    ◮ 2016: NIST calls for submissions to the "Post-Quantum Cryptography Standardization Project".
    ◮ 2017: NIST receives 69 proper submissions.
    ◮ 2018-19: NIST 2nd round of proposals with 26 proposals.
    ◮ 17 code-based in the 1st round; 7 code-based in the 2nd round.

  6. Code-based Cryptography. Code-based cryptography in a nutshell. [Diagram: Plaintext → linear transformation → Codeword → add errors → Ciphertext; decryption applies the inverse transformation and removes the errors.]
    ◮ Originally proposed by McEliece in 1978;
    ◮ It uses a linear code:
      ◮ Goppa codes;
      ◮ LDPC/MDPC;
      ◮ Rank Metric (LRPC);
      ◮ Several others.

  7. Rank Metric Codes. A Low-Rank Parity-Check (LRPC) code. An LRPC code $\mathcal{C}$ over $\mathbb{F}_{q^m}$ of length $n$, dimension $k$ and rank $d$ is described by an $(n-k) \times n$ parity-check matrix $H = \{h_{i,j}\} \in \mathbb{F}_{q^m}^{(n-k) \times n}$.
    ◮ Each coefficient $h_{i,j}$ can be written as $h_{i,j} = \sum_{l=1}^{d} h_{i,j,l} F_l$, with $h_{i,j,l} \in \mathbb{F}_q$, each $F_i \in \mathbb{F}_{q^m}$, and $F = \langle F_1, F_2, \cdots, F_d \rangle$ an $\mathbb{F}_q$-subspace of $\mathbb{F}_{q^m}$.

  8. Decoding LRPC codes. How to decode LRPC codes? Let $s = (s_1, \ldots, s_{n-k}) \in \mathbb{F}_{q^m}^{n-k}$ be the syndrome of $e$, i.e. $He^\top = s$. Decoding: recover $e$ from the knowledge of $s$. Crucial facts:
    ◮ If $h_{i,j} \in F = \langle F_1, F_2, \cdots, F_d \rangle$ and $e \in E = \langle E_1, E_2, \cdots, E_r \rangle$ then $s_i \in \langle F_1E_1, F_1E_2, \ldots, F_dE_r \rangle$.
    ◮ Assume $S = \langle s_1, s_2, \ldots, s_{n-k} \rangle = \langle F_1E_1, F_1E_2, \ldots, F_dE_r \rangle$; then:
      1. Set $S_i = F_i^{-1} \cdot S$. Then $S_i = F_i^{-1} \cdot \langle \ldots, F_iE_1, F_iE_2, \ldots, F_iE_r, \ldots \rangle \Rightarrow E = \langle E_1, E_2, \cdots, E_r \rangle \subset S_i$.
      2. Find $E = S_1 \cap S_2 \cap \cdots \cap S_d$.
      3. Find $e$ by solving $He^\top = s$.

  9. Decoding of LRPC codes. When do decoding failures happen?
    1. When $\dim \langle EF \rangle < rd$: this happens with probability $P_1 = \dfrac{d}{q^{m-rd}}$.
    2. When $E \neq \bigcap_{i=1}^{d} S_i$: when $m > rd + 8$, this happens with probability $P_2 \ll 2^{-30}$.
    3. When $\dim S < rd$: this happens with probability $P_3 = \dfrac{1}{q^{\,n-k+1-rd}}$.
    ◮ In practice usually $P_1, P_2 \ll P_3$.
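As an added illustration (not code from the talk or its authors), the Python below carries out steps 1 and 2 of the decoding procedure on slide 8 for a toy LRPC instance over $\mathbb{F}_{2^{11}}$ and returns None exactly in the failure situations of slide 9, so the "$\dim S < rd$" and "$E \neq \bigcap S_i$" cases can be observed on random instances. The modulus $x^{11}+x^2+1$, the toy parameters $n=10$, $k=4$, $d=2$, $r=2$ and the instance generator `lrpc_trial` are my assumptions, not the slides'.

```python
# Toy LRPC decoder over F_{2^11} (q = 2): steps 1-2 of the decoding procedure
# (recover E = S_1 ∩ ... ∩ S_d from the syndrome) plus the two failure checks.
import itertools, random
M, POLY = 11, (1 << 11) | (1 << 2) | 1       # modulus x^11+x^2+1 (assumed irreducible); elements = int bit-vectors

def gf_mul(a, b):                            # shift-and-add multiplication mod POLY
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (POLY if a >> (M - 1) else 0), b >> 1
    return r

def gf_inv(a):                               # brute-force inverse; fine for a 2^11-element field
    return next(x for x in range(1, 1 << M) if gf_mul(a, x) == 1)

def span(vecs):                              # F_2-span of vecs, stored as the set of its elements
    elems = {0}
    for v in vecs:
        elems |= {x ^ v for x in elems}
    return frozenset(elems)

def dim(space): return len(space).bit_length() - 1   # |space| = 2^dim

def recover_support(syndrome, F, r):
    """Slide 8 steps 1-2: S_i = F_i^-1 . S, E = S_1 ∩ ... ∩ S_d; None = decoding failure."""
    S = span(syndrome)
    if dim(S) < r * len(F):                  # slide 9: dim S < rd, so S is not all of <EF>
        return None
    E = None
    for Fi in F:                             # each S_i = F_i^-1 . S contains E
        inv = gf_inv(Fi)
        Si = frozenset(gf_mul(inv, x) for x in S)
        E = Si if E is None else E & Si
    return E if dim(E) == r else None        # slide 9: intersection strictly larger than E

def lrpc_trial(seed, n=10, k=4, d=2, r=2):
    """Random LRPC instance (H_secret of rank d, error of rank r) -> (true E, recovered E)."""
    rng = random.Random(seed)
    while True:                              # redraw until dim F = d, dim E = r and e spans E
        Fb = [rng.randrange(1, 1 << M) for _ in range(d)]
        E = span(rng.randrange(1, 1 << M) for _ in range(r))
        e = [rng.choice(sorted(E)) for _ in range(n)]
        if dim(span(Fb)) == d and dim(E) == r and span(e) == E:
            break
    Fs = sorted(span(Fb))
    H = [[rng.choice(Fs) for _ in range(n)] for _ in range(n - k)]   # every h_ij lies in F
    s = [0] * (n - k)
    for i, j in itertools.product(range(n - k), range(n)):
        s[i] ^= gf_mul(H[i][j], e[j])                                # s = H_secret e^T
    return E, recover_support(s, Fb, r)
```

With $n-k = 6$ and $rd = 4$ a visible fraction of seeds returns None, in line with the slide's $P_3 = q^{-(n-k+1-rd)} = 1/8$ for these toy parameters; whenever a support is returned it equals the true $E$.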

  10. LRPC cryptosystems. What is an LRPC cryptosystem? Basically any cryptosystem that
    ◮ uses LRPC codes (low rank of $H_{secret}$);
    ◮ uses $R H_{secret} = H$ to hide the secret $H_{secret}$;
    ◮ relies on the Rank Syndrome Decoding problem: find $e$ such that $He^\top = s$ and $|e| \le r$.
    ◮ LRPC cryptosystem [Gaborit et al. '13]
    ◮ McNie [Kim et al. '17] (NIST 1st round candidate)
    ◮ ROLLO (Rank-Ouroboros, LAKE and LOCKER) [Aguilar Melchor et al. '17] (NIST 2nd round candidate)
    ◮ Durandal [Aragon et al. '19]

  11. Reaction attack

  12-23. Reaction attack (one animation built up over twelve slides, shown here once). The sender transmits ciphertexts, the decoder either succeeds (✓) or fails (✗) and asks for a resend:
    $m_1, e_1, c_1 = m_1 G + e_1$ ── $c_1$ ──▶ ✓ ← Decode($c_1$)
    $m_2, e_2, c_2$ ── $c_2$ ──▶ ✓ ← Decode($c_2$)
    ...
    $m_t, e_t, c_t$ ── $c_t$ ──▶ ✗ ← Decode($c_t$) "Pls resend!"

  24. Key recovery attack. When does a decoding failure happen? (A closer look at) the syndrome equation for LRPC, $H_{secret} e^\top = s$:
$$
s_i = \sum_{j=1}^{n} h_{i,j} e_j = \sum_{j=1}^{n} \Big( \sum_{l=1}^{d} h_{i,j,l} F_l \Big) \Big( \sum_{u=1}^{r} e_{j,u} E_u \Big) = \sum_{l=1}^{d} \sum_{u=1}^{r} F_l E_u \Big( \sum_{j=1}^{n} h_{i,j,l} e_{j,u} \Big), \quad \forall i \in \{1, \ldots, n-k\}.
$$
    In matrix form: $s = (F_1E_1, F_1E_2, \ldots, F_dE_r) \cdot \bar{A}_{h,e}$.
    Recall: decoding fails when $\dim S < rd$, i.e. when $\bar{A}_{h,e}$ is not of full rank.

  25-26. Our Attack. What to do with the errors?
$$
\begin{cases}
v_{e_1} \cdot \bar{A}_{e_1}(h) = 0_{1 \times (n-k)} \\
v_{e_2} \cdot \bar{A}_{e_2}(h) = 0_{1 \times (n-k)} \\
\qquad \vdots \\
v_{e_t} \cdot \bar{A}_{e_t}(h) = 0_{1 \times (n-k)}
\end{cases}
$$
    High level attack idea:
      Collect errors $e_1, e_2, \ldots, e_t$ from decryption failures
      repeat
        $h \leftarrow$ SolveSystem($v_{e_1}, v_{e_2}, \ldots, v_{e_t}, e_1, e_2, \ldots, e_t$)
        if $h \neq \bot$ then
          Collect $\ell$ messages, errors, ciphertexts $(m_i, e_i, c_i)$
          $F$, success $\leftarrow$ FindBasis($h$, $\{(m_i, e_i, c_i)\}_{i=1}^{\ell}$)
        else success $\leftarrow \bot$
      until success
      $H \leftarrow$ ReconstructMatrix($h$, $F$)
      return $H$ of small rank $d$

  27-28. Our Attack. How to solve the system $v_{e_i} \cdot \bar{A}_{e_i}(h) = 0_{1 \times (n-k)}$, $i = 1, \ldots, t$?
    ◮ Kernel method
    ◮ $n-k$ equations for each error $e_i$
    ◮ $nd$ unknown coefficients in $h$
    ◮ guess $v_{e_i}$ in the kernel of $\bar{A}_{e_i}(h)$
    ◮ $\Rightarrow$ linear system only in the $nd$ $h$-variables
    ◮ need to collect $t \ge \dfrac{nd}{n-k}$ errors from DF (decryption failures)
    ◮ Probability of guessing $v_{e_i}$ correctly: $P_{e_i} = \dfrac{q^{K_{e_i}}}{q^{rd}}$, where $q^{K_{e_i}} = |\mathrm{Ker}(\bar{A}_{e_i}(h))|$.
