classic mceliece conservative code based cryptography
play

Classic McEliece: conservative code-based cryptography Round 2 - PowerPoint PPT Presentation

Feb 02, 2024 •152 likes •439 views

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/ Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane

  1. Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/ Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane Peters, Peter Schwabe 7 , Nicolas Sendrier 8 , Jakub Szefer 9 , Wen Wang 9 1 University of Illinois at Chicago, 2 Osaka University, 3 Technische Universiteit Eindhoven, 4 Intel Corporation, 5 Fraunhofer SIT, 6 Florida Atlantic University, 7 Radboud University, 8 Inria, 9 Yale University 24 August 2019 Second NIST PQC workshop

  2. Conservative code-based encryption “This is going to be the most boring submission of them all”. (T. Lange, April 2018) Classic McEliece https://classic.mceliece.org/ 2

  3. Conservative code-based encryption “This is going to be the most boring submission of them all”. (T. Lange, April 2018) This is still the case. Classic McEliece https://classic.mceliece.org/ 2

  4. Conservative code-based encryption “This is going to be the most boring submission of them all”. (T. Lange, April 2018) This is still the case. Nothing has changed in more than 40 years in the asymptotics of OW-Passive security for McEliece. Classic McEliece https://classic.mceliece.org/ 2

  5. Conservative code-based encryption “This is going to be the most boring submission of them all”. (T. Lange, April 2018) This is still the case. Nothing has changed in more than 40 years in the asymptotics of OW-Passive security for McEliece. We follow best practices to obtain an IND-CCA KEM. Classic McEliece https://classic.mceliece.org/ 2

  6. Conservative code-based encryption “This is going to be the most boring submission of them all”. (T. Lange, April 2018) This is still the case. Nothing has changed in more than 40 years in the asymptotics of OW-Passive security for McEliece. We follow best practices to obtain an IND-CCA KEM. For Round 2, we added more parameter sets, as requested. Classic McEliece https://classic.mceliece.org/ 2

  7. One-wayness (OW-Passive) Fundamental security question (SDP): Given random parity-check matrix H and syndrome s , can attacker efficiently find e with s = He ? Classic McEliece https://classic.mceliece.org/ 3

  8. One-wayness (OW-Passive) Fundamental security question (SDP): Given random parity-check matrix H and syndrome s , can attacker efficiently find e with s = He ? ◮ Write H = ( I n − k | T ), public key is ( n − k ) × k matrix T , n − k = t log 2 q . H constructed from binary Goppa code. ◮ Encapsulate using e of weight t . ◮ Decapsulate using Goppa decoding algorithm. Classic McEliece https://classic.mceliece.org/ 3

  9. One-wayness (OW-Passive) Fundamental security question (SDP): Given random parity-check matrix H and syndrome s , can attacker efficiently find e with s = He ? ◮ Write H = ( I n − k | T ), public key is ( n − k ) × k matrix T , n − k = t log 2 q . H constructed from binary Goppa code. ◮ Encapsulate using e of weight t . ◮ Decapsulate using Goppa decoding algorithm. Classic McEliece only uses Niederreiter’s “dual” framework, and some decoding speedups. This improves efficiency while clearly preserving security. Classic McEliece https://classic.mceliece.org/ 3

  10. Parameter sets public key secret key ciphertext n t 8,192 128 1,357,824 bytes 14,080 bytes 240 bytes Both n and t powers of 2. Same as Round 1. 6,960 119 1,047,319 bytes 13,908 bytes 226 bytes Max security with pkbytes ≤ 2 20 . Same as Round 1. Classic McEliece https://classic.mceliece.org/ 4

  11. Parameter sets public key secret key ciphertext n t 8,192 128 1,357,824 bytes 14,080 bytes 240 bytes Both n and t powers of 2. Same as Round 1. 6,960 119 1,047,319 bytes 13,908 bytes 226 bytes Max security with pkbytes ≤ 2 20 . Same as Round 1. 6,688 128 1,044,992 bytes 13,892 bytes 240 bytes Max security with pkbytes ≤ 2 20 if n and t are multiples of 32. 4,608 96 524,160 bytes 13,568 bytes 188 bytes Max security with pkbytes ≤ 2 19 if n and t are multiples of 32. 3,488 64 261,120 bytes 6,452 bytes 128 bytes Max security with pkbytes ≤ 2 18 if n and t are multiples of 32. Classic McEliece https://classic.mceliece.org/ 4

  12. Ciphertext size Classic McEliece has very short ciphertexts. Classic McEliece https://classic.mceliece.org/ 5

  13. Ciphertext size Classic McEliece has very short ciphertexts. We could save another 32 bytes of ciphertext by removing plaintext confirmation in the IND-CCA transform. However, plaintext confirmation has security advantages. Classic McEliece https://classic.mceliece.org/ 5

  14. Ciphertext size Classic McEliece has very short ciphertexts. We could save another 32 bytes of ciphertext by removing plaintext confirmation in the IND-CCA transform. However, plaintext confirmation has security advantages. Even including these 32 bytes, Classic McEliece has the smallest ciphertexts in the competition. Classic McEliece https://classic.mceliece.org/ 5

  15. Ciphertext size Classic McEliece has very short ciphertexts. We could save another 32 bytes of ciphertext by removing plaintext confirmation in the IND-CCA transform. However, plaintext confirmation has security advantages. Even including these 32 bytes, Classic McEliece has the smallest ciphertexts in the competition. High degree of flexibility in choice of parameters. Could increase key size to obtain even smaller ciphertexts. Classic McEliece https://classic.mceliece.org/ 5

  16. Optimized implementations We provided four implementations for each parameter set, all constant-time: ref, vec, sse, avx . Classic McEliece https://classic.mceliece.org/ 6

  17. Optimized implementations We provided four implementations for each parameter set, all constant-time: ref, vec, sse, avx . Times improved: e.g. for mceliece8192128 (Haswell cycles) ◮ 4,000,000,000 → 811,681,256 for keygen ◮ 300,000 → 194,500 for encaps ◮ 450,000 → 322,236 for decaps Classic McEliece https://classic.mceliece.org/ 6

  18. Optimized implementations We provided four implementations for each parameter set, all constant-time: ref, vec, sse, avx . Times improved: e.g. for mceliece8192128 (Haswell cycles) ◮ 4,000,000,000 → 811,681,256 for keygen ◮ 300,000 → 194,500 for encaps ◮ 450,000 → 322,236 for decaps Very fast in hardware (Artix-7/Virtex-7). Classic McEliece https://classic.mceliece.org/ 6

  19. Optimized implementations We provided four implementations for each parameter set, all constant-time: ref, vec, sse, avx . Times improved: e.g. for mceliece8192128 (Haswell cycles) ◮ 4,000,000,000 → 811,681,256 for keygen ◮ 300,000 → 194,500 for encaps ◮ 450,000 → 322,236 for decaps Very fast in hardware (Artix-7/Virtex-7). For mceliece8192128 (time-optimized) ◮ 1,286,179 for keygen ◮ 6,528 for encaps ◮ 26,237 for decaps (cycles at 28.4MHz on Virtex-7 XC7V2000T FPGA). Classic McEliece https://classic.mceliece.org/ 6

  20. Key-generation speed Classic McEliece uses keys in systematic form. We choose to abort if left r × r submatrix has not full rank. This works about 29% of the time. Classic McEliece https://classic.mceliece.org/ 7

  21. Key-generation speed Classic McEliece uses keys in systematic form. We choose to abort if left r × r submatrix has not full rank. This works about 29% of the time. NTS-KEM uses permuted systematic form. This works about 100% of the time, but pivoting makes constant-time Gaussian elimination much slower. Classic McEliece https://classic.mceliece.org/ 7

  22. Key-generation speed Classic McEliece uses keys in systematic form. We choose to abort if left r × r submatrix has not full rank. This works about 29% of the time. NTS-KEM uses permuted systematic form. This works about 100% of the time, but pivoting makes constant-time Gaussian elimination much slower. We introduced and analyzed ( µ, ν )-semi-systematic form to ◮ achieve KeyGen success probability about 1 − 2 µ − ν , ◮ obtain a fast constant-time implementation of Gaussian elimination with pivoting limited by ( µ, ν ). We have implemented 5 additional parameter sets with ( µ, ν ) = (32 , 64) as possible future proposals. Classic McEliece https://classic.mceliece.org/ 7

  23. Large keys in practice IND-CCA means we can generate key once and use it many times. Classic McEliece https://classic.mceliece.org/ 8

  24. Large keys in practice IND-CCA means we can generate key once and use it many times. Key generation is well under a second even with largest parameters. Classic McEliece https://classic.mceliece.org/ 8

  25. Large keys in practice IND-CCA means we can generate key once and use it many times. Key generation is well under a second even with largest parameters. Even more efficient in hardware. Classic McEliece https://classic.mceliece.org/ 8

  26. Large keys in practice IND-CCA means we can generate key once and use it many times. Key generation is well under a second even with largest parameters. Even more efficient in hardware. Public keys can use efficient broadcast networks and do not add much to modern Internet traffic. Classic McEliece https://classic.mceliece.org/ 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

1 Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

775 views • 58 slides
Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja

Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja

Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane Peters, Peter Schwabe 7 , Nicolas Sendrier 8

684 views • 25 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global Map public-key cryptography classic post-quantum lattice code multivariate hash isogenies . . . McEliece Niederreiter . . . GRS codes

1.04k views • 73 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September 20, 2011 Code-based cryptography 1. Background 2. The McEliece cryptosystem 3. Information-set-decoding attacks 4. Designs: Wild McEliece 5.

721 views • 55 slides
McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

1 2 McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical): me; Daniel J. Bernstein, Tung Chou, osaka-u.ac.jp ; uic.edu , rub.de Tanja Lange, tue.nl ; Joint work with: Ingo von Maurich;

1.87k views • 162 slides
Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C. Deneuville, P . Gaborit Bordeaux Mathematics Institute March 21, 2019, Oberwolfach the McEliece paridigm Choose a code C that comes with a

680 views • 20 slides
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

1 Code-based Cryptography Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien Schrek. A new zero-knowledge code based identification scheme with reduced communication. In ITW 2011 , pages 648

284 views • 6 slides
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos ( joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based Cryptography Workshop Technical

301 views • 17 slides
McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with: Tanja Lange, tue.nl My main question in this talk: Shouldnt NIST PQC simply standardize Classic McEliece, discard the other 25 proposals?

1.18k views • 79 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
RACE AND GENDER AND THE PERCEPTION OF MASCULINITY AND FEMININITY OF THE AMERICAN POLITICAL

RACE AND GENDER AND THE PERCEPTION OF MASCULINITY AND FEMININITY OF THE AMERICAN POLITICAL

RACE AND GENDER AND THE PERCEPTION OF MASCULINITY AND FEMININITY OF THE AMERICAN POLITICAL PARTIES. Jessica Dulz Bemidji State University Advisor: Dr. Pat Donnay Senior Thesis Introduction Why did I choose this topic? Psychology

249 views • 13 slides
Results Based Advocacy to Increase Access Marie Stopes International Results Based Advocacy

Results Based Advocacy to Increase Access Marie Stopes International Results Based Advocacy

Results Based Advocacy to Increase Access Marie Stopes International Results Based Advocacy Women dont lease their bodies from the state or church, they own them. Founder, Tim Black (1937 2014) Almost all of the health services

637 views • 6 slides
MAPS LTE SLs Emulator LoCation Services Application Protocol (LCS-AP) 818 West Diamond Avenue

MAPS LTE SLs Emulator LoCation Services Application Protocol (LCS-AP) 818 West Diamond Avenue

MAPS LTE SLs Emulator LoCation Services Application Protocol (LCS-AP) 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 LCS Architecture

431 views • 18 slides
Euro Health Consumer Index 2016 January 30, 2017 Prof. Arne Bjrnberg, PhD

Euro Health Consumer Index 2016 January 30, 2017 Prof. Arne Bjrnberg, PhD

Euro Health Consumer Index 2016 January 30, 2017 Prof. Arne Bjrnberg, PhD info@healthpowerhouse.com About Health Consumer Powerhouse Comparing healthcare systems performance in 35 countries from a consumer/patient view. Since 2004, more

415 views • 29 slides
Jupai Holdings Ltd NYSE: JP Q4 2017 Disclaimer The information in this presentation is

Jupai Holdings Ltd NYSE: JP Q4 2017 Disclaimer The information in this presentation is

Jupai Holdings Ltd NYSE: JP Q4 2017 Disclaimer The information in this presentation is provided to you by Jupai Holdings Limited (the Company) pursuant to Section 5(d) of the U.S. Securities Act of 1933, as amended (the Securities

483 views • 24 slides
Saying the A Word: Abortion Advocacy and Access in Louisiana Jessie Nieblas, MPH New

Saying the A Word: Abortion Advocacy and Access in Louisiana Jessie Nieblas, MPH New

Saying the A Word: Abortion Advocacy and Access in Louisiana Jessie Nieblas, MPH New Orleans Abortion Fund abortionfundnola@gmail.com Jessie Nieblas The following personal financial relationships with commercial interests relevant to

430 views • 20 slides
Learn how together we can fight back and win Learn more about whats at stake Learn about the

Learn how together we can fight back and win Learn more about whats at stake Learn about the

In this presentation you will: Learn how together we can fight back and win Learn more about whats at stake Learn about the state of play around the country 2.3 million members across 50 states fighting for access to abortion care, birth

511 views • 40 slides
Latin American and U.S. opinions regarding abortion and LGBT rights Panel: Contrasting The

Latin American and U.S. opinions regarding abortion and LGBT rights Panel: Contrasting The

Reviewing existing polling on Latin American and U.S. opinions regarding abortion and LGBT rights Panel: Contrasting The Struggle for Marriage Equality and Abortion Rights October 30, 2015 Nancy Belden Washington, DC Latin Americans

379 views • 12 slides

More recommend