A Reaction Attack on the QC-LDPC McEliece Cryptosystem (Tomas Fabsic)

  1. A Reaction Attack on the QC-LDPC McEliece Cryptosystem
     Tomas Fabsic (1), Viliam Hromada (1), Paul Stankovski (2), Pavol Zajac (1), Qian Guo (2), Thomas Johansson (2)
     (1) Slovak University of Technology in Bratislava, Slovakia; (2) Lund University, Sweden
     PQCrypto 2017

  2. Contents: (1) LDPC and MDPC Codes; (2) QC-MDPC McEliece; (3) Attack of Guo et al.; (4) QC-LDPC McEliece; (5) Our Attack

  8. Definitions
     Definition: A low-density parity-check (LDPC) code is a binary linear code which admits a parity-check matrix $H$ with a low number of 1s.
     Definition: A moderate-density parity-check (MDPC) code admits a parity-check matrix $H$ with a slightly higher number of 1s than an LDPC code.

  9. Decoding
     Soft-decision decoding (belief propagation algorithms).
     Hard-decision decoding (bit-flipping algorithms).
     Both methods fail with some probability.

  11. Circulant matrices - definition
      Definition: An $n \times n$ matrix $C$ is circulant if it is of the form:
      $$C = \begin{pmatrix} c_0 & c_1 & c_2 & \dots & c_{n-1} \\ c_{n-1} & c_0 & c_1 & \dots & c_{n-2} \\ c_{n-2} & c_{n-1} & c_0 & \dots & c_{n-3} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ c_1 & c_2 & c_3 & \dots & c_0 \end{pmatrix}$$

  12. Private Key in QC-MDPC McEliece
      $H$ is a parity-check matrix of an MDPC code.
      $H = (H_0 \mid H_1 \mid \dots \mid H_{n_0-1})$, where each $H_i$ is a circulant matrix with a low weight (i.e. $H$ is quasi-cyclic (QC)).

  13. How does QC-MDPC McEliece work?
      $H$ is randomly generated.
      A generator matrix $G$ is computed. $G$ is the public key.
      Encryption of a message $x$: $y = x \cdot G + e$, where $e$ is an error vector.
      Decryption: by a decoding algorithm (uses $H$).

  15. Attack of Guo et al.
      Presented in Guo, Johansson and Stankovski: A key recovery attack on MDPC with CCA security using decoding errors, ASIACRYPT 2016.

  16. Distances
      Definition: We say that a distance $d$ is present in a vector $v$ of length $p$ if there exist two 1s in $v$ in positions $p_1$ and $p_2$ such that $d = \min\{p_1 - p_2 \bmod p,\ p_2 - p_1 \bmod p\}$.
      E.g., the distance between the 1s in $(0, 1, 0, 0, 0, 0, 0, 1, 0)$ is 3.
      Definition: We say that a distance $d$ is present in a $p \times p$ circulant matrix $C$ if the distance $d$ is present in the first row of $C$.

  17. Key Observation of Guo et al.
      Suppose that the circulant blocks in $H$ are of size $p \times p$.
      Let $e$ be the error vector added to a message during the encryption.
      Let $e = (e_0, e_1, \dots, e_{n/p-1})$, where each $e_i$ has length $p$.
      Observation: Suppose that $e_i$ contains a distance $d$. If the distance $d$ is present in the corresponding block $H_i$ in $H$, then the probability that a bit-flipping algorithm fails to decode the message is lower!

  18. How does the attack on QC-MDPC McEliece work?
      1. Send a large number of encrypted messages with a randomly generated error vector $e$.
      2. Observe when the recipient requests a message to be resent. (This means that the recipient experienced a decoding error.)
      3. Group the encrypted messages into groups $\Sigma_d$ according to the rule: a message belongs to $\Sigma_d$ if its error vector contains the distance $d$ in $e_0$.
      4. For each $\Sigma_d$ estimate the probability of the decoding error.
      5. Select the distances with low estimates of the probability of the decoding error. (These are the distances present in $H_0$.)
      6. Reconstruct candidates for $H_0$.
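
The distance definition from slide 16 and the grouping into the sets Σ_d from steps 3 and 4 of slide 18, as an added example that is not code from the slides or from the authors. The function names and the sample observations are assumptions made for illustration; the sample data is constructed, not measured.

```python
from collections import defaultdict
from itertools import combinations


def distances(v):
    """Set of distances present in the binary vector v (slide 16 definition)."""
    p = len(v)
    ones = [i for i, bit in enumerate(v) if bit]
    return {min((a - b) % p, (b - a) % p) for a, b in combinations(ones, 2)}


def circulant(first_row):
    """Rows of the circulant matrix: row i is the first row shifted right by i."""
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]


def failure_rate_by_distance(observations):
    """Group (e0, failed) pairs into the sets Sigma_d and estimate the
    decoding-failure probability for each distance d."""
    total, failed = defaultdict(int), defaultdict(int)
    for e0, did_fail in observations:
        for d in distances(e0):
            total[d] += 1
            failed[d] += int(did_fail)
    return {d: failed[d] / total[d] for d in total}


# Constructed sample data (not measurements): the first error block e0 of
# length p = 9 and whether the recipient reported a decoding failure.
SAMPLE = [
    ((0, 1, 0, 0, 0, 0, 0, 1, 0), False),  # distance 3 (the slide's example)
    ((1, 0, 0, 1, 0, 0, 0, 0, 0), False),  # distance 3
    ((1, 1, 0, 0, 0, 0, 0, 0, 0), True),   # distance 1
    ((0, 0, 1, 1, 0, 0, 0, 0, 0), False),  # distance 1
    ((1, 0, 0, 0, 1, 0, 0, 0, 0), True),   # distance 4
]

if __name__ == "__main__":
    print(distances(SAMPLE[0][0]))
    # Every row of a circulant matrix has the same distances, which is why
    # the definition for circulant matrices only looks at the first row.
    print([distances(row) for row in circulant([1, 0, 1, 0, 0, 0, 0])])
    print(failure_rate_by_distance(SAMPLE))
```
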

  20. Private key in QC-LDPC McEliece
      The private key consists of matrices $H$, $S$, $Q$.
      All matrices are quasi-cyclic.
      Circulant blocks in all three matrices have the same size $p \times p$.

  21. Private key in QC-LDPC McEliece - matrix H
      $H$ is as in QC-MDPC McEliece but sparser, i.e. $H = (H_0 \mid H_1 \mid \dots \mid H_{n_0-1})$, where each $H_i$ is a circulant matrix with a fixed weight.

  22. Private key in QC-LDPC McEliece - matrix Q
      $Q$ is a sparse invertible $n \times n$ matrix.
      $$Q = \begin{pmatrix} Q_{00} & \dots & Q_{0,n_0-1} \\ \vdots & \ddots & \vdots \\ Q_{n_0-1,0} & \dots & Q_{n_0-1,n_0-1} \end{pmatrix},$$
      where each $Q_{ij}$ is a sparse circulant matrix.

  23. Private key in QC-LDPC McEliece - matrix S
      $S$ is a dense invertible $k \times k$ matrix.
      $$S = \begin{pmatrix} S_{00} & \dots & S_{0,k_0-1} \\ \vdots & \ddots & \vdots \\ S_{k_0-1,0} & \dots & S_{k_0-1,k_0-1} \end{pmatrix},$$
      where each $S_{ij}$ is a dense circulant matrix.

  24. Public Key in QC-LDPC McEliece
      $H$, $S$, $Q$ are randomly generated.
      A generator matrix $G$ is computed from $H$.
      The public key $G'$ is computed as: $G' = S^{-1} \cdot G \cdot Q^{-1}$.

  25. Encryption in QC-LDPC McEliece
      A message $x$ is encrypted as: $y = x \cdot G' + e$, where $e$ is an error vector.
