classic mceliece conservative code based cryptography
play

Classic McEliece: conservative code-based cryptography Daniel J. - PowerPoint PPT Presentation

Aug 23, 2022 •420 likes •684 views

Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane Peters, Peter Schwabe 7 , Nicolas Sendrier 8

  1. Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane Peters, Peter Schwabe 7 , Nicolas Sendrier 8 , Jakub Szefer 9 , Wen Wang 9 1 University of Illinois at Chicago, 2 Osaka University, 3 Technische Universiteit Eindhoven, 4 Intel Corporation, 5 Fraunhofer SIT, 6 Florida Atlantic University, 7 Radboud University, 8 Inria, 9 Yale University 29 June 2018 PQCRYPTO Mini-School and Workshop

  2. NIST’s Call Classic McEliece https://classic.mceliece.org/ 1

  3. Classic McEliece Classic McEliece https://classic.mceliece.org/ 2

  4. Classic McEliece: a quick look Cons • Large public key size ( 1 ∼ 1 . 3 MB) Pros • Based on a 40-year-old code-based cryptosystem • Small ciphertext size ( 226 ∼ 240 bytes) • Fast, constant-time en/decapsulation ( ≤ 500 000 cycles) Classic McEliece https://classic.mceliece.org/ 3

  5. 40 years and more than 30 analysis papers later 1962 Prange; 1981 Clark–Cain, crediting Omura; 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 Bernstein–Lange–Peters; 2009 Bernstein–Lange–Peters–van Tilborg; 2009 Bernstein ( post-quantum ); 2009 Finiasz–Sendrier; 2010 Bernstein–Lange–Peters; 2011 May–Meurer–Thomae; 2012 Becker–Joux–May–Meurer; 2013 Hamdaoui–Sendrier; 2015 May–Ozerov; 2016 Canto Torres–Sendrier; 2017 Kachigar–Tillich ( post-quantum ); 2017 Both–May; 2018 Both–May; 2018 Kirshanova ( post-quantum ). Classic McEliece https://classic.mceliece.org/ 4

  6. 40 years and more than 30 analysis papers later 1962 Prange; 1981 Clark–Cain, crediting Omura; 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 Bernstein–Lange–Peters; 2009 Bernstein–Lange–Peters–van Tilborg; 2009 Bernstein ( post-quantum ); 2009 Finiasz–Sendrier; 2010 Bernstein–Lange–Peters; 2011 May–Meurer–Thomae; 2012 Becker–Joux–May–Meurer; 2013 Hamdaoui–Sendrier; 2015 May–Ozerov; 2016 Canto Torres–Sendrier; 2017 Kachigar–Tillich ( post-quantum ); 2017 Both–May; 2018 Both–May; 2018 Kirshanova ( post-quantum ). The McEliece system uses ( c 0 + o (1)) λ 2 (lg λ ) 2 -bit keys as λ → ∞ to achieve 2 λ security against all attacks known today. Same c 0 ≈ 0 . 7418860694 . Classic McEliece https://classic.mceliece.org/ 4

  7. 40 years and more than 30 analysis papers later 1962 Prange; 1981 Clark–Cain, crediting Omura; 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 Bernstein–Lange–Peters; 2009 Bernstein–Lange–Peters–van Tilborg; 2009 Bernstein ( post-quantum ); 2009 Finiasz–Sendrier; 2010 Bernstein–Lange–Peters; 2011 May–Meurer–Thomae; 2012 Becker–Joux–May–Meurer; 2013 Hamdaoui–Sendrier; 2015 May–Ozerov; 2016 Canto Torres–Sendrier; 2017 Kachigar–Tillich ( post-quantum ); 2017 Both–May; 2018 Both–May; 2018 Kirshanova ( post-quantum ). The McEliece system uses ( c 0 + o (1)) λ 2 (lg λ ) 2 -bit keys as λ → ∞ to achieve 2 λ security against all attacks known today. Same c 0 ≈ 0 . 7418860694 . Replacing λ with 2 λ stops all known quantum attacks. Classic McEliece https://classic.mceliece.org/ 4

  8. McEliece/Niederreiter cryptosystem Sender Receiver m + � � e = � r � r � = � m m � (noisy channel) Classic McEliece https://classic.mceliece.org/ 5

  9. McEliece/Niederreiter cryptosystem Sender Receiver � c + � e = � r � c, � e = Decode ( � r ) � c = � mG (noisy channel) Classic McEliece https://classic.mceliece.org/ 5

  10. McEliece/Niederreiter cryptosystem Sender Receiver � r � r = � mG + � e � c, � e = Decode ( � r ) (McEliece, 1978) Classic McEliece https://classic.mceliece.org/ 5

  11. McEliece/Niederreiter cryptosystem Sender Receiver � r � r = � mG + � e � c, � e = Decode ( � r ) (McEliece, 1978) � r � e = Decode ( � r ) � r = H� e (Niederreiter, 1986) Classic McEliece https://classic.mceliece.org/ 5

  12. McEliece/Niederreiter using binary Goppa code • Definition of the code C ⊂ F n 2 : c 1 c 2 c n + + · · · ≡ 0 mod g ( x ) x − α 1 x − α 2 x − α n • Support ( α 1 , . . . , α n ) : n distinct elements in F 2 m • Goppa polynomial : random irreducible degree- t g ( x ) Classic McEliece https://classic.mceliece.org/ 6

  13. McEliece/Niederreiter using binary Goppa code • Definition of the code C ⊂ F n 2 : c 1 c 2 c n + + · · · ≡ 0 mod g ( x ) x − α 1 x − α 2 x − α n • Support ( α 1 , . . . , α n ) : n distinct elements in F 2 m • Goppa polynomial : random irreducible degree- t g ( x ) • Secret key: ( α 1 , . . . , α n ) , g ( x ) • Public key: generating/parity-check matrix of C • Classic McEliece: Niederreiter + binary Goppa code Classic McEliece https://classic.mceliece.org/ 6

  14. Classic McEliece: parameter sets mceliece8192128 • (m, n, t) = (13, 8192, 128) • 1357824 bytes for public key. • 14080 bytes for secret key. • 240 bytes for ciphertext. • More natural for software implementation mceliece6960119 • (m, n, t) = (13, 6960, 119) • 1047319 bytes for public key. • 13908 bytes for secret key. • 226 bytes for ciphertext. • Fits into 1 megabyte Classic McEliece https://classic.mceliece.org/ 7

  15. Classic McEliece: OW-CPA to ROM IND-CCA2 Secret key: • g, ( α 1 , . . . , α n ) , and an n -bit string s Encapsulation: • ciphertext C = ( C 0 , C 1 ) = ( He, H 2 ( e )) • session key K = H 1 ( e, C ) Decapsulation: • decode C 0 to get e ∗ • compare C 1 with H 2 ( e ∗ ) • K ∗ = H 0 ( s, C ) , if decoding or comparison failed • K ∗ = H 1 ( e ∗ , C ) , if decoding and comparison both succeeded Classic McEliece https://classic.mceliece.org/ 8

  16. Comparison with NTS-KEM https://classic.mceliece.org/nist/ vsntskem-20180629.pdf Classic McEliece https://classic.mceliece.org/ 9

  17. Comparison with NTS-KEM: advertisement “The NTS-KEM submission delares a US patent application and a granted UK patent describing a method by which a McEliece ciphertext may be shortened and have the same security as the full length McEliece ciphertext. The same method is used in NTS-KEM but in no other PQC submission as far as we can tell.” – Martin Tomlinson, 3 Jan., 2018 “We have decided to eliminate any uncertainty by abandoning the patent with immediate effect. Our submission will no longer be subject to any patents and is free for anyone to experiment with.” – Martin Tomlinson, 27 Apr., 2018 Classic McEliece https://classic.mceliece.org/ 10

  18. Comparison with NTS-KEM: implementations sec key-gen encapsulation decapsulation platform CM-13-128 5 4010278828 295932 458476 Haswell NTSKEM-13-80 3 123761512 368946 604459 Broadwell NTSKEM-13-136 5 221106162 478323 1123879 Broadwell NTSKEM-13-80 3 51275xxx 178xxx 332xxx Skylake NTSKEM-13-136 5 108501xxx 265xxx 644xxx Skylake Classic McEliece https://classic.mceliece.org/ 11

  19. Comparison with NTS-KEM: implementations sec key-gen encapsulation decapsulation platform CM-13-128 5 4010278828 295932 458476 Haswell NTSKEM-13-80 3 123761512 368946 604459 Broadwell NTSKEM-13-136 5 221106162 478323 1123879 Broadwell NTSKEM-13-80 3 51275xxx 178xxx 332xxx Skylake NTSKEM-13-136 5 108501xxx 265xxx 644xxx Skylake Some issues: • problem in NTS-KEM’s Skylake cycles: Turbo-boosted? • constant-time vs non-constant-time key generation • distributions of keys are different: are the support and g ( x ) independent Classic McEliece https://classic.mceliece.org/ 11

  20. Comparison with NTS-KEM: security Decapsulation: • decode C 0 to get e ∗ • compare C 1 with H 2 ( e ∗ ) — (1) plaintext confirmation • K ∗ = H 0 ( s, C ) , if decoding or comparison failed — (2) implicit rejection • K ∗ = H 1 ( e ∗ , C ) , if decoding and comparison both succeeded Security • Both schemes achieves ROM IND-CCA2 • Classic McEliece is more conservative: NTS-KEM only has (1) • Simpler proof for Classic McEliece • Classic McEliece has more chance of proving QROM IND-CCA2 Classic McEliece https://classic.mceliece.org/ 12

  21. Comparison with NTS-KEM: Goppa polynomial Classic McEliece • Irreducible g NTS-KEM • Valid square-free g (without linear factors) Classic McEliece https://classic.mceliece.org/ 13

  22. Comparison with NTS-KEM: Goppa polynomial Classic McEliece • Irreducible g NTS-KEM • Valid square-free g (without linear factors) Roughly δ = exp (1) /t of valid square-free are irreducible • which means that the potential gain in security level is bounded by log 2 (1 /δ ) = log 2 ( t ) − 1 . 44 . Classic McEliece https://classic.mceliece.org/ 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

1 Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

775 views • 58 slides
Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/ Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane

439 views • 28 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global Map public-key cryptography classic post-quantum lattice code multivariate hash isogenies . . . McEliece Niederreiter . . . GRS codes

1.04k views • 73 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September 20, 2011 Code-based cryptography 1. Background 2. The McEliece cryptosystem 3. Information-set-decoding attacks 4. Designs: Wild McEliece 5.

721 views • 55 slides
McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

1 2 McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical): me; Daniel J. Bernstein, Tung Chou, osaka-u.ac.jp ; uic.edu , rub.de Tanja Lange, tue.nl ; Joint work with: Ingo von Maurich;

1.87k views • 162 slides
Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C. Deneuville, P . Gaborit Bordeaux Mathematics Institute March 21, 2019, Oberwolfach the McEliece paridigm Choose a code C that comes with a

680 views • 20 slides
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

1 Code-based Cryptography Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien Schrek. A new zero-knowledge code based identification scheme with reduced communication. In ITW 2011 , pages 648

284 views • 6 slides
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos ( joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based Cryptography Workshop Technical

301 views • 17 slides
McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with: Tanja Lange, tue.nl My main question in this talk: Shouldnt NIST PQC simply standardize Classic McEliece, discard the other 25 proposals?

1.18k views • 79 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
John Reid Presentation to CANTO Ministerial Round Table 1 August 2016 CWC: The journey

John Reid Presentation to CANTO Ministerial Round Table 1 August 2016 CWC: The journey

John Reid Presentation to CANTO Ministerial Round Table 1 August 2016 CWC: The journey continues 2014 2015 2016 20 May 2015 August 2016 Cable & Wireless Communications Plc Full Year Results 2014/15 John Reid presentation to CANTO 2

617 views • 7 slides
Tracing the stellar halo with BHB stars Guillaume THOMAS @Thomas_gft Stellar Halos Across the

Tracing the stellar halo with BHB stars Guillaume THOMAS @Thomas_gft Stellar Halos Across the

Tracing the stellar halo with BHB stars Guillaume THOMAS @Thomas_gft Stellar Halos Across the Cosmos 3 rd July 2018 Mon. Not. R. Astron. Soc. 000 , 1 ?? (2018) Printed 30 May 2018 (MN L A T EX style file v2.2) Blue horizontal branch

530 views • 34 slides
Open-source PortugueseSpanish machine translation C. Armentano-Oller 1 , R.C. Carrasco 1 , 2 ,

Open-source PortugueseSpanish machine translation C. Armentano-Oller 1 , R.C. Carrasco 1 , 2 ,

The Apertium MT toolbox Data for the pt es pair Concluding remarks Open-source PortugueseSpanish machine translation C. Armentano-Oller 1 , R.C. Carrasco 1 , 2 , A.M. Corb-Bellot 1 , M.L. Forcada 1 , 2 , M. Ginest-Rosell 1 , S.

338 views • 30 slides
Argumentation in Statutory Interpretation Giovanni Sartor Guangzhou, China, April 2018 Kinds of

Argumentation in Statutory Interpretation Giovanni Sartor Guangzhou, China, April 2018 Kinds of

Argumentation in Statutory Interpretation Giovanni Sartor Guangzhou, China, April 2018 Kinds of interpretive arguments n Argument from ordinary meaning requires that a term should be interpreted according to the meaning that a native speaker

294 views • 28 slides
Birdsong Classification Advanced Computing - U. de Cantabria - 20/04/2015 Yael Gutirrez

Birdsong Classification Advanced Computing - U. de Cantabria - 20/04/2015 Yael Gutirrez

Birdsong Classification Advanced Computing - U. de Cantabria - 20/04/2015 Yael Gutirrez Ignacio Surez Pablo de Castro Introduction Aim of this project Develop a system capable of identifying bird species by the sounds they make

310 views • 19 slides
The action for higher spin black holes Max Ba nados (Santiago) with R. Canto (Santiago) and S.

The action for higher spin black holes Max Ba nados (Santiago) with R. Canto (Santiago) and S.

The action for higher spin black holes Max Ba nados (Santiago) with R. Canto (Santiago) and S. Theisen (Golm) arXiv:1204.5105 [hep-th]. Published in JHEP. Fields and their interactions Fields with spins lower or equal than two ( s 2)

466 views • 27 slides
0 mixing 0 D D K.Trabelsi ( KEK ) karim.trabelsi@kek.jp Flavor Physics & CP Violation

0 mixing 0 D D K.Trabelsi ( KEK ) karim.trabelsi@kek.jp Flavor Physics & CP Violation

0 mixing 0 D D K.Trabelsi ( KEK ) karim.trabelsi@kek.jp Flavor Physics & CP Violation 2013 May 19-24, 2013 Flavour Mixing in the Charm Sector Mass eigenstates flavour eigenstates m 1, 2 and 1, 2 are mass and width of |D 1, 2 >

668 views • 33 slides
The A class of weights and some of its extensions Carlos P erez University of the

The A class of weights and some of its extensions Carlos P erez University of the

The A class of weights and some of its extensions Carlos P erez University of the Basque Country and BCAM Probability and Analysis 2019 Banach Center for Mathematics Be dlewo, May 22, 2019 The C p class of weights

1.6k views • 142 slides

More recommend