classic mceliece conservative code based cryptography d j
play

Classic McEliece: conservative code-based cryptography D. J. - PDF document

Jun 28, 2023 •189 likes •775 views

1 Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

  1. 1 Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 1970–1971 Goppa (codes). 1978 McEliece (cryptosystem). 1986 Niederreiter (dual) + many more optimizations.

  2. 2 Submission is joint work with: Tung Chou, osaka-u.ac.jp Tanja Lange, tue.nl * Ingo von Maurich Rafael Misoczki, intel.com Ruben Niederhagen, fraunhofer.de Edoardo Persichetti, fau.edu Christiane Peters Peter Schwabe, ru.nl * Nicolas Sendrier, inria.fr * Jakub Szefer, yale.edu Wen Wang, yale.edu *: PQCRYPTO institutions.

  3. 3 mceliece6960119 parameter set: 1047319 bytes for public key. 13908 bytes for secret key. mceliece8192128 parameter set: 1357824 bytes for public key. 14080 bytes for secret key.

  4. 3 mceliece6960119 parameter set: 1047319 bytes for public key. 13908 bytes for secret key. mceliece8192128 parameter set: 1357824 bytes for public key. 14080 bytes for secret key. Current software: billions of cycles to generate a key; not much optimization effort yet.

  5. 3 mceliece6960119 parameter set: 1047319 bytes for public key. 13908 bytes for secret key. mceliece8192128 parameter set: 1357824 bytes for public key. 14080 bytes for secret key. Current software: billions of cycles to generate a key; not much optimization effort yet. Very fast in hardware: a few million cycles at 231MHz using 129059 modules, 1126 RAM blocks on Altera Stratix V FPGA.

  6. 4 mceliece6960119 parameter set: 226 bytes for ciphertext. mceliece8192128 parameter set: 240 bytes for ciphertext.

  7. 4 mceliece6960119 parameter set: 226 bytes for ciphertext. mceliece8192128 parameter set: 240 bytes for ciphertext. Software: 295932 cycles for enc, 355152 cycles for dec (decoding, hashing, etc.).

  8. 4 mceliece6960119 parameter set: 226 bytes for ciphertext. mceliece8192128 parameter set: 240 bytes for ciphertext. Software: 295932 cycles for enc, 355152 cycles for dec (decoding, hashing, etc.). Again very fast in hardware: 17140 cycles for decoding.

  9. 4 mceliece6960119 parameter set: 226 bytes for ciphertext. mceliece8192128 parameter set: 240 bytes for ciphertext. Software: 295932 cycles for enc, 355152 cycles for dec (decoding, hashing, etc.). Again very fast in hardware: 17140 cycles for decoding. Can tweak parameters for even smaller ciphertexts, not much penalty in key size.

  10. 5 Encoding and decoding 1978 McEliece public key: matrix A over F 2 . Ciphertext: vector C = Ab + e . Ab is “codeword”; e is random weight- w “error vector”. Original proposal for 2 64 security: 1024 × 512 matrix; w = 50. Public key is secretly generated with “binary Goppa code” structure that allows efficient decoding: C �→ Ab; e .

  11. 6 Binary Goppa codes Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } .

  12. 6 Binary Goppa codes Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Secrets: distinct a 1 ; : : : ; a n ∈ F q ; monic irreducible degree- w polynomial g ∈ F q [ x ].

  13. 6 Binary Goppa codes Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Secrets: distinct a 1 ; : : : ; a n ∈ F q ; monic irreducible degree- w polynomial g ∈ F q [ x ]. Goppa code: kernel of the map v �→ P i v i = ( x − a i ) from F n 2 to F q [ x ] =g . Typical dimension n − w lg q .

  14. 6 Binary Goppa codes Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Secrets: distinct a 1 ; : : : ; a n ∈ F q ; monic irreducible degree- w polynomial g ∈ F q [ x ]. Goppa code: kernel of the map v �→ P i v i = ( x − a i ) from F n 2 to F q [ x ] =g . Typical dimension n − w lg q . McEliece uses random matrix A whose image is this code.

  15. 7 One-wayness (OW-CPA) Fundamental security question: Given random public key A and ciphertext Ab + e for random b; e , can attacker efficiently find b; e ?

  16. 7 One-wayness (OW-CPA) Fundamental security question: Given random public key A and ciphertext Ab + e for random b; e , can attacker efficiently find b; e ? 1962 Prange: simple attack idea guiding sizes in 1978 McEliece.

  17. 7 One-wayness (OW-CPA) Fundamental security question: Given random public key A and ciphertext Ab + e for random b; e , can attacker efficiently find b; e ? 1962 Prange: simple attack idea guiding sizes in 1978 McEliece. The McEliece system (with later key-size optimizations) uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys as – → ∞ to achieve 2 – security against Prange’s attack. Here c 0 ≈ 0 : 7418860694.

  18. 8 ≥ 25 subsequent publications analyzing one-wayness of system: 1981 Clark–Cain, crediting Omura. 1988 Lee–Brickell. 1988 Leon. 1989 Krouk. 1989 Stern. 1989 Dumer. 1990 Coffey–Goodman. 1990 van Tilburg. 1991 Dumer. 1991 Coffey–Goodman–Farrell. 1993 Chabanne–Courteau.

  19. 9 1993 Chabaud. 1994 van Tilburg. 1994 Canteaut–Chabanne. 1998 Canteaut–Chabaud. 1998 Canteaut–Sendrier. 2008 Bernstein–Lange–Peters. 2009 Bernstein–Lange–Peters– van Tilborg. 2009 Finiasz–Sendrier. 2011 Bernstein–Lange–Peters. 2011 May–Meurer–Thomae. 2012 Becker–Joux–May–Meurer. 2013 Hamdaoui–Sendrier. 2015 May–Ozerov. 2016 Canto Torres–Sendrier.

  20. 10 The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys as – → ∞ to achieve 2 – security against all attacks known today. Same c 0 ≈ 0 : 7418860694.

  21. 10 The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys as – → ∞ to achieve 2 – security against all attacks known today. Same c 0 ≈ 0 : 7418860694. Replacing – with 2 – stops all known quantum attacks (and is probably massive overkill), as in symmetric crypto.

  22. 10 The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys as – → ∞ to achieve 2 – security against all attacks known today. Same c 0 ≈ 0 : 7418860694. Replacing – with 2 – stops all known quantum attacks (and is probably massive overkill), as in symmetric crypto. mceliece6960119 parameter set (2008 Bernstein–Lange–Peters): q = 8192, n = 6960, w = 119. mceliece8192128 parameter set: q = 8192, n = 8192, w = 128.

  23. 11 McEliece’s system prompted a huge amount of followup work. Some work improves efficiency while clearly preserving security: e.g., Niederreiter’s dual PKE; e.g., many decoding speedups. Classic McEliece uses all this.

  24. 11 McEliece’s system prompted a huge amount of followup work. Some work improves efficiency while clearly preserving security: e.g., Niederreiter’s dual PKE; e.g., many decoding speedups. Classic McEliece uses all this. Classic McEliece does not use variants whose security has not been studied as thoroughly: e.g., replacing binary Goppa codes with other families of codes; e.g., lattice-based cryptography.

  25. 12 Niederreiter key compression Generator matrix for code Γ of length n and dimension k : n × k matrix G with Γ = G · F k 2 . McEliece public key: G times random k × k invertible matrix.

  26. 12 Niederreiter key compression Generator matrix for code Γ of length n and dimension k : n × k matrix G with Γ = G · F k 2 . McEliece public key: G times random k × k invertible matrix. Niederreiter instead reduces G to the unique generator matrix in “systematic form”: bottom k rows are k × k identity matrix I k . Public key T is top n − k rows.

  27. 12 Niederreiter key compression Generator matrix for code Γ of length n and dimension k : n × k matrix G with Γ = G · F k 2 . McEliece public key: G times random k × k invertible matrix. Niederreiter instead reduces G to the unique generator matrix in “systematic form”: bottom k rows are k × k identity matrix I k . Public key T is top n − k rows. Pr ≈ 29% that systematic form exists. Security loss: < 2 bits.

  28. 13 Niederreiter ciphertext compression „ « T Use Niederreiter key A = . I k McEliece ciphertext: Ab + e ∈ F n 2 .

  29. 13 Niederreiter ciphertext compression „ « T Use Niederreiter key A = . I k McEliece ciphertext: Ab + e ∈ F n 2 . Niederreiter ciphertext, shorter: He ∈ F n − k where H = ( I n − k | T ). 2

  30. 13 Niederreiter ciphertext compression „ « T Use Niederreiter key A = . I k McEliece ciphertext: Ab + e ∈ F n 2 . Niederreiter ciphertext, shorter: He ∈ F n − k where H = ( I n − k | T ). 2 Given H and Niederreiter’s He , can attacker efficiently find e ?

  31. 13 Niederreiter ciphertext compression „ « T Use Niederreiter key A = . I k McEliece ciphertext: Ab + e ∈ F n 2 . Niederreiter ciphertext, shorter: He ∈ F n − k where H = ( I n − k | T ). 2 Given H and Niederreiter’s He , can attacker efficiently find e ? If so, attacker can efficiently find b; e given A and Ab + e : compute H ( Ab + e ) = He ; find e ; compute b from Ab .

  32. 14 Sampling via sorting How to generate random permutation of F q ? One answer (see, e.g., Knuth): generate q random numbers, sort them together with F q .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/ Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane

439 views • 28 slides
Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja

Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja

Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane Peters, Peter Schwabe 7 , Nicolas Sendrier 8

684 views • 25 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global Map public-key cryptography classic post-quantum lattice code multivariate hash isogenies . . . McEliece Niederreiter . . . GRS codes

1.04k views • 73 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September 20, 2011 Code-based cryptography 1. Background 2. The McEliece cryptosystem 3. Information-set-decoding attacks 4. Designs: Wild McEliece 5.

721 views • 55 slides
McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

1 2 McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical): me; Daniel J. Bernstein, Tung Chou, osaka-u.ac.jp ; uic.edu , rub.de Tanja Lange, tue.nl ; Joint work with: Ingo von Maurich;

1.87k views • 162 slides
Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C. Deneuville, P . Gaborit Bordeaux Mathematics Institute March 21, 2019, Oberwolfach the McEliece paridigm Choose a code C that comes with a

680 views • 20 slides
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

1 Code-based Cryptography Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien Schrek. A new zero-knowledge code based identification scheme with reduced communication. In ITW 2011 , pages 648

284 views • 6 slides
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos ( joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based Cryptography Workshop Technical

301 views • 17 slides
McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with: Tanja Lange, tue.nl My main question in this talk: Shouldnt NIST PQC simply standardize Classic McEliece, discard the other 25 proposals?

1.18k views • 79 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
On the q -Analogue of Cauchy Matrices Alessandro Neri 17-21 June 2019 - VUB Alessandro Neri 19

On the q -Analogue of Cauchy Matrices Alessandro Neri 17-21 June 2019 - VUB Alessandro Neri 19

On the q -Analogue of Cauchy Matrices Alessandro Neri 17-21 June 2019 - VUB Alessandro Neri 19 June 2019 1 / 19 On the q -Analogue of Cauchy Matrices Alessandro Neri I am a friend of Finite Geometry! 17-21 June 2019 - VUB Alessandro Neri

631 views • 50 slides
Generalization of the Ball-Collision Algorithm Violetta Weger joint work with Carmelo Interlando,

Generalization of the Ball-Collision Algorithm Violetta Weger joint work with Carmelo Interlando,

Generalization of the Ball-Collision Algorithm Violetta Weger joint work with Carmelo Interlando, Karan Khathuria, Nicole Rohrer and Joachim Rosenthal University of Zurich 7th Code-Based Cryptography Workshop 19 May 2019 Violetta Weger

522 views • 34 slides
Generalized Gabidulin Codes and their Generator Matrices Alessandro Neri 23 July 2018 - LAWCI

Generalized Gabidulin Codes and their Generator Matrices Alessandro Neri 23 July 2018 - LAWCI

Generalized Gabidulin Codes and their Generator Matrices Alessandro Neri 23 July 2018 - LAWCI Alessandro Neri 11 June 2018 1 / 6 Generalized Reed-Solomon Codes Reed, Solomon (1960) F q [ x ] &lt; k := { f ( x ) F q [ x ] | deg f &lt; k }

255 views • 21 slides
MuNeG - The Framework for Multilayer Network Generator Adrian Popiel , Tomasz Kajdanowicz,

MuNeG - The Framework for Multilayer Network Generator Adrian Popiel , Tomasz Kajdanowicz,

MuNeG - The Framework for Multilayer Network Generator Adrian Popiel , Tomasz Kajdanowicz, Przemys aw Kazienko Wroc aw University of Technology, Poland MANEM 2015 , August 25, 2015 Slide 2/25 Outline Uniplex and multiplex networks

613 views • 25 slides
McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange,

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange,

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange, tue.nl Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

899 views • 61 slides
Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software

Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software

Introduction Applications Notions of Reduced Bases Examples Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25,

757 views • 50 slides
Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Rohan Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of Correcting Codes Linear Error Correcting codes and Hadamard Codes Hamming Reed Solomon Code Definitions Basic Def An Error code is

291 views • 18 slides
Some aspects of codes over rings Peter J. Cameron p.j.cameron@qmul.ac.uk Galway, July 2009 This

Some aspects of codes over rings Peter J. Cameron p.j.cameron@qmul.ac.uk Galway, July 2009 This

Some aspects of codes over rings Peter J. Cameron p.j.cameron@qmul.ac.uk Galway, July 2009 This is work by two of my students, Josephine Kusuma and Fatma Al-Kharoosi Summary Codes over rings and orthogonal arrays Summary Codes over

1.07k views • 70 slides

More recommend