Code-Based Cryptography Tanja Lange with some slides by Tung Chou - PowerPoint PPT Presentation
  1. Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven PQCRYPTO Mini-School and Workshop 28 June 2018

  2. Error correction
     ◮ Digital media is exposed to memory corruption.
     ◮ Many systems check whether data was corrupted in transit:
        ◮ ISBN numbers have check digit to detect corruption.
        ◮ ECC RAM detects up to two errors and can correct one error. 64 bits are stored as 72 bits: extra 8 bits for checks and recovery.
     ◮ In general, k bits of data get stored in n bits, adding some redundancy.
     ◮ If no error occurred, these n bits satisfy n − k parity check equations; else can correct errors from the error pattern.
     ◮ Good codes can correct many errors without blowing up storage too much; offer guarantee to correct t errors (often can correct or at least detect more).
     ◮ To represent these check equations we need a matrix.


  4–6. Hamming code
     Parity check matrix (n = 7, k = 4):
             1 1 0 1 1 0 0
         H = 1 0 1 1 0 1 0
             0 1 1 1 0 0 1
     An error-free string of 7 bits b = (b_0, b_1, b_2, b_3, b_4, b_5, b_6) satisfies these three equations:
         b_0 + b_1 + b_3 + b_4 = 0
         b_0 + b_2 + b_3 + b_5 = 0
         b_1 + b_2 + b_3 + b_6 = 0
     If one error occurred at least one of these equations will not hold.
     Failure pattern uniquely identifies the error location, e.g., 1, 0, 1 means b_1 flipped.
     In math notation, the failure pattern is H · b.

  7. Coding theory
     ◮ Names: code word c, error vector e, received word b = c + e.
     ◮ Very common to transform the matrix so that the right part has just 1 on the diagonal (no need to store that).
             1 1 0 1 1 0 0        1 1 0 1
         H = 1 0 1 1 0 1 0   →    1 0 1 1
             0 1 1 1 0 0 1        0 1 1 1
     ◮ Many special constructions discovered in 65 years of coding theory:
        ◮ Large matrix H.
        ◮ Fast decoding algorithm to find e given s = H · (c + e), whenever e does not have too many bits set.
     ◮ Given large H, usually very hard to find fast decoding algorithm.
     ◮ Use this difference in complexities for encryption.
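Syndrome decoding for the [7,4] Hamming code of slides 4–7, as an added example that is not from the slides: it computes the failure pattern s = H · b, maps it to the error position, and shows what happens when more than t = 1 bits are wrong. The codeword and the error patterns are constructed here.

```python
# Added example (not from the slides): syndrome decoding for the [7,4] Hamming code
# with the parity-check matrix H from the slides. All arithmetic is over F_2.

H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def syndrome(b):
    """Failure pattern s = H·b: one bit per parity-check equation."""
    return tuple(sum(h * x for h, x in zip(row, b)) % 2 for row in H)

def correct_single_error(b):
    """Return (corrected word, position flipped or None).

    For b = c + e with H·c = 0 the syndrome is H·e; for a single error e this is
    the column of H at the error position. The seven columns of H are exactly the
    seven nonzero 3-bit vectors, so every nonzero syndrome names one position.
    """
    s = syndrome(b)
    if not any(s):
        return list(b), None           # all three check equations hold
    columns = [tuple(row[j] for row in H) for j in range(len(b))]
    pos = columns.index(s)
    fixed = list(b)
    fixed[pos] ^= 1                    # flip the identified bit back
    return fixed, pos

# Constructed test vectors: codeword satisfies all three equations, b1_flipped is
# the slide's example (failure pattern 1,0,1), two_errors shows the limit of t = 1.
codeword = [1, 0, 1, 1, 0, 1, 0]
b1_flipped = [1, 1, 1, 1, 0, 1, 0]
two_errors = [1, 1, 0, 1, 0, 1, 0]     # b1 and b2 flipped: syndrome equals column 0,
                                       # so the decoder "repairs" b0 and lands on a
                                       # different codeword (distance 3 from codeword)

if __name__ == "__main__":
    print(syndrome(codeword))                 # (0, 0, 0)
    print(correct_single_error(b1_flipped))   # ([1, 0, 1, 1, 0, 1, 0], 1)
    print(correct_single_error(two_errors))   # ([0, 1, 0, 1, 0, 1, 0], 0)
```

The two-error case is why the slides insist on wt(e) ≤ t: the syndrome is still nonzero, but it points at the wrong coordinate and the decoder silently returns another valid codeword.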

  8. Code-based encryption
     ◮ 1971 Goppa: Fast decoders for many matrices H.
     ◮ 1978 McEliece: Use Goppa codes for public-key crypto.
        ◮ Original parameters designed for 2^64 security.
        ◮ 2008 Bernstein–Lange–Peters: broken in ≈ 2^60 cycles.
        ◮ Easily scale up for higher security.
     ◮ 1986 Niederreiter: Simplified and smaller version of McEliece.
     ◮ 1962 Prange: simple attack idea guiding sizes in 1978 McEliece.
     The McEliece system (with later key-size optimizations) uses (c_0 + o(1)) λ^2 (lg λ)^2-bit keys as λ → ∞ to achieve 2^λ security against Prange's attack. Here c_0 ≈ 0.7418860694.

  9. Security analysis
     Some papers studying algorithms for attackers: 1962 Prange; 1981 Clark–Cain, crediting Omura; 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 Bernstein–Lange–Peters; 2009 Bernstein–Lange–Peters–van Tilborg; 2009 Bernstein (post-quantum); 2009 Finiasz–Sendrier; 2010 Bernstein–Lange–Peters; 2011 May–Meurer–Thomae; 2012 Becker–Joux–May–Meurer; 2013 Hamdaoui–Sendrier; 2015 May–Ozerov; 2016 Canto Torres–Sendrier; 2017 Kachigar–Tillich (post-quantum); 2017 Both–May; 2018 Both–May; 2018 Kirshanova (post-quantum).

  10–12. Consequence of security analysis
     ◮ The McEliece system (with later key-size optimizations) uses (c_0 + o(1)) λ^2 (lg λ)^2-bit keys as λ → ∞ to achieve 2^λ security against all these attacks. Here c_0 ≈ 0.7418860694.
     ◮ 256 KB public key for 2^146 pre-quantum security.
     ◮ 512 KB public key for 2^187 pre-quantum security.
     ◮ 1024 KB public key for 2^263 pre-quantum security.
     ◮ Post-quantum (Grover): below 2^263, above 2^131.

  13. Linear codes
     A binary linear code C of length n and dimension k is a k-dimensional subspace of F_2^n.
     C is usually specified as
     ◮ the row space of a generating matrix G ∈ F_2^{k×n}: C = { mG | m ∈ F_2^k }
     ◮ the kernel space of a parity-check matrix H ∈ F_2^{(n−k)×n}: C = { c | H c^⊺ = 0, c ∈ F_2^n }
     Leaving out the ⊺ from now on.

  14–17. Example
             1 0 1 0 1
         G = 1 1 0 0 0
             1 1 1 1 0
     c = (111) G = (10011) is a codeword.
     Linear codes are linear: The sum of two codewords is a codeword:
         c_1 + c_2 = m_1 G + m_2 G = (m_1 + m_2) G.
     Same with parity-check matrix:
         H (c_1 + c_2) = H c_1 + H c_2 = 0 + 0 = 0.

  18–20. Hamming weight and distance
     ◮ The Hamming weight of a word is the number of nonzero coordinates.
         wt(1, 0, 0, 1, 1) = 3
     ◮ The Hamming distance between two words in F_2^n is the number of coordinates in which they differ.
         d((1, 1, 0, 1, 1), (1, 0, 0, 1, 1)) = 1
     The Hamming distance between x and y equals the Hamming weight of x + y:
         d((1, 1, 0, 1, 1), (1, 0, 0, 1, 1)) = wt(0, 1, 0, 0, 0).

  21. Minimum distance
     ◮ The minimum distance of a linear code C is the smallest Hamming weight of a nonzero codeword in C.
         d = min_{0 ≠ c ∈ C} { wt(c) } = min_{b ≠ c ∈ C} { d(b, c) }
     ◮ In a code with minimum distance d = 2t + 1, any vector x = c + e with wt(e) ≤ t is uniquely decodable to c; i.e. there is no closer code word.

  22. Decoding problem
     Decoding problem: find the closest codeword c ∈ C to a given x ∈ F_2^n, assuming that there is a unique closest codeword.
     Let x = c + e. Note that finding e is an equivalent problem.
     ◮ If c is t errors away from x, i.e., the Hamming weight of e is t, this is called a t-error correcting problem.
     ◮ There are lots of code families with fast decoding algorithms, e.g., Reed–Solomon codes, Goppa codes/alternant codes, etc.
     ◮ However, the general decoding problem is hard: Information-set decoding (see later) takes exponential time.

  23. The McEliece cryptosystem I
     ◮ Let C be a length-n binary Goppa code Γ of dimension k with minimum distance 2t + 1 where t ≈ (n − k)/log_2(n); original parameters (1978) n = 1024, k = 524, t = 50.
     ◮ The McEliece secret key consists of a generator matrix G for Γ, an efficient t-error correcting decoding algorithm for Γ; an n × n permutation matrix P and a nonsingular k × k matrix S.
     ◮ n, k, t are public; but Γ, P, S are randomly generated secrets.
     ◮ The McEliece public key is the k × n matrix G′ = SGP.
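The key structure of slide 23, as an added example that is not from the slides: the [7,4] Hamming code of slides 4–7 stands in for the Goppa code Γ (so t = 1 and the sizes are toys, not n = 1024, k = 524, t = 50), S is rejection-sampled until nonsingular, P is a random permutation matrix, and the public key is G′ = SGP. The function names `keygen` and `in_public_code` and the seed are assumptions of this example.

```python
# Added example (not from the slides): the McEliece key structure G' = SGP, with the
# [7,4] Hamming code standing in for the Goppa code Γ (t = 1; toy n = 7, k = 4).
import random

def matmul2(A, B):
    """Matrix product over F_2."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def rank2(M):
    """Rank over F_2: take a row as pivot, clear its top bit from the other rows."""
    rows = [int("".join(map(str, r)), 2) for r in M]
    rank = 0
    while rows:
        pivot = rows.pop()
        if pivot == 0:
            continue
        rank += 1
        top = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> top) & 1 else r for r in rows]
    return rank

# Parity-check matrix H = [A | I_3] of the Hamming code (from the slides) and the
# systematic generator matrix G = [I_4 | A^T] derived from it (H · G^T = 2A = 0).
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]

def keygen(G, seed=None):
    """Secret: nonsingular S (k x k) and permutation P (n x n). Public: G' = SGP."""
    rng = random.Random(seed)        # seeded only to make the toy reproducible
    k, n = len(G), len(G[0])
    while True:                      # rejection-sample until S is invertible
        S = [[rng.randrange(2) for _ in range(k)] for _ in range(k)]
        if rank2(S) == k:
            break
    perm = rng.sample(range(n), n)   # P moves coordinate i to position perm[i]
    P = [[int(j == perm[i]) for j in range(n)] for i in range(n)]
    return matmul2(matmul2(S, G), P), (S, P)

def in_public_code(H, P, word):
    """H P w^T = 0 over F_2: the public code is Γ with its coordinates permuted
    by P (P^-1 = P^T), so the secret holder can undo P and run Γ's fast decoder."""
    HP = matmul2(H, P)
    return all(v == [0] for v in matmul2(HP, [[x] for x in word]))
```

Every row of G′ passes `in_public_code`, while G′ itself reveals neither S nor P; the hardness assumption of slide 22 is that without P the public code looks like a random code, for which no fast decoder is known.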
