Efficiency and Implementation Security of Code-based Cryptosystems - - PowerPoint PPT Presentation



SLIDE 1

Efficiency and Implementation Security of Code-based Cryptosystems

PhD Thesis by Falko Strenzke

Cryptography and Computeralgebra, Department of Computer Science, Technische Universität Darmstadt, Germany, fstrenzke@cryptosource.de

November 11, 2013

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 1 / 37

SLIDES 2–16

Public Key Encryption

(figure: Alice and Bob; public key (p) and secret key (s); encryption $c = E_p(m)$, decryption $m = D_s(c)$)

RSA, ElGamal, etc.

today: classical computer
20??: quantum computer

SLIDES 17–24

Code-based Cryptosystems

need for cryptosystems in a post-quantum world: lattice-based, multivariate, . . . , code-based cryptosystems

McEliece scheme
  proposed in 1976
  still regarded as secure
  fast encryption and decryption
  large public key
Niederreiter scheme very similar

SLIDES 25–32

Outline

Preliminaries
  Error Correcting Codes
  Goppa Codes
  McEliece scheme
    Encryption
    Decryption (syndrome decoding)

Challenges of code-based cryptosystems

Contributions

SLIDE 33

Error Correcting Codes

SLIDES 34–42

Goppa Codes

Parameters of a Goppa Code

irreducible polynomial $g(Y) \in \mathbb{F}_{2^m}[Y]$ of degree $t$ (the Goppa polynomial)
support $\Gamma = (\alpha_0, \alpha_1, \ldots, \alpha_{n-1})$, where the $\alpha_i$ are pairwise distinct elements of $\mathbb{F}_{2^m}$

Properties of the Code

the code has length $n \le 2^m$ (code word length), dimension $k = n - mt$ (message length) and can correct up to $t$ errors
a parity check matrix $H$, where $cH^\top = 0$ if $c \in C$
example for secure parameters: $n = 2048$, $t = 50$ for 100 bit security

SLIDE 43

The McEliece PKC

SLIDES 44–52

Syndrome Decoding: Patterson Algorithm

secret key: $g(Y)$, $\Gamma = (\alpha_0, \alpha_1, \ldots, \alpha_{n-1})$
input: distorted codeword $e \oplus c$
output: error vector $e \in \mathbb{F}_{2^m}^n$

$S(Y) \leftarrow \underbrace{(e \oplus c)H^\top}_{\in\, \mathbb{F}_{2^m}^t} \cdot (Y^{t-1}, \cdots, Y, 1)^\top$
$U(Y) \leftarrow S^{-1} \bmod g(Y)$ // by EEA
$\tau(Y) \leftarrow \sqrt{U(Y) + Y} \bmod g(Y)$
$(\alpha(Y), \beta(Y)) \leftarrow \mathrm{EEA}(g(Y), \tau(Y))$ // $\beta(Y)\tau(Y) \equiv \alpha(Y) \bmod g(Y)$
$\sigma(Y) \leftarrow \alpha^2(Y) + Y\beta^2(Y)$ // $\sigma(Y) = \prod_{i=0}^{t-1} (\alpha_{f_i} - Y)$
$e_i \leftarrow 1$ iff $\sigma(\alpha_i) = 0$ // root finding

SLIDES 53–61

Implementation Aspects of Cryptographic Algorithms

(figure: an implementation characterised by its RAM and ROM demands and by its input/output behaviour over time $\Delta t$)

Efficiency
Side Channel Security

SLIDES 62–68

The Challenges of Code-based Encryption

Code-based schemes known to be fast
  fast enough on embedded systems (smart cards)? time–memory trade-offs?

Large public-key size
  what does this mean for embedded systems?

Side Channel Security
  no previous works

SLIDES 69–70

Overview

(figure: the contributions, grouped into Efficiency, Key-aimed SCA, Message-aimed SCA and RSA (Message-aimed SCA))

PQCrypto 2008 Timing Attack
ICISC 2009 Timing Attack
JCEN 2011 Power Analysis Attack
JCEN 2011 Generalization
CANS 2012 Root finding
ISC 2012 Key Storage
PQCrypto 2010 Timing Attack
PQCrypto 2013 Timing Attack
ISICS 2010

Decryption:
$S(Y) \leftarrow \underbrace{(e \oplus c)H^\top}_{\in\, \mathbb{F}_{2^m}^t} \cdot (Y^{t-1}, \cdots, Y, 1)^\top$
$U(Y) \leftarrow S^{-1}(Y) \bmod g(Y)$
$\tau(Y) \leftarrow \sqrt{U(Y) + Y} \bmod g(Y)$
$(\alpha(Y), \beta(Y)) \leftarrow \mathrm{EEA}(g(Y), \tau(Y))$
$\sigma(Y) \leftarrow \alpha^2(Y) + Y\beta^2(Y)$
$e_i \leftarrow 1$ iff $\sigma(\alpha_i) = 0$

Encryption:
$z' = mG_p$
$z = z' \oplus e$

SLIDE 71

Message-aimed Timing Attack

SLIDES 72–75

Message-aimed Timing Attack (I)

let $w = \mathrm{wt}(e)$
$\deg(\sigma(Y)) = w$ for $w \le t$
basically any root-finding variant: (at least) linear dependency of root-finding time on $\deg(\sigma(Y))$

SLIDE 76

Message-aimed Timing Attack (II)

(figure; parameter $t = 50$)
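The following block is an added example and not code from the thesis or its slides. It serves two passages: the Goppa Codes slide (it builds a toy binary Goppa code and checks the stated properties, length $n \le 2^m$, dimension $k = n - mt$, syndrome zero for codewords) and the Message-aimed Timing Attack slides (it runs the root-finding step of decoding with an operation counter standing in for measured time, once at the true degree $w = \mathrm{wt}(e)$ and once padded to degree $t$). Everything concrete is an assumption made for illustration: the toy parameters $m = 4$, $t = 2$, $n = 16$ instead of the slides' $n = 2048$, $t = 50$; the field polynomial $x^4 + x + 1$; the textbook parity-check form $H_{ij} = \alpha_j^i / g(\alpha_j)$; and counting `gf_mul` calls as the time model. The EEA steps of the Patterson algorithm are not implemented here.

```python
# Added example, not from Strenzke's thesis or slides. A toy binary Goppa
# code over GF(2^4) (m = 4, t = 2, n = 16; the slides use n = 2048, t = 50)
# and the root-finding step of decoding, once with an operation count that
# grows with w = wt(e) and once padded to a constant count.
M = 4                      # GF(2^m) with m = 4 (assumed toy size)
FIELD_POLY = 0b10011       # x^4 + x + 1, irreducible over GF(2) (assumed choice)
Q = 1 << M                 # field size 2^m = 16
T = 2                      # deg g = t = number of correctable errors
SUPPORT = list(range(Q))   # Γ = all field elements, so n = 2^m
N = len(SUPPORT)

def gf_mul(a, b):
    """Multiply in GF(2^m), polynomial basis, reduced modulo FIELD_POLY."""
    r = 0
    for _ in range(M):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= FIELD_POLY
    return r

def gf_inv(a):
    """a^(2^m - 2) = a^-1 for a != 0, by square-and-multiply."""
    r, e = 1, Q - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def poly_eval(coeffs, x, counter):
    """Horner's rule on coeffs[0] + coeffs[1]*Y + ...; counter[0] tallies
    gf_mul calls, the degree-dependent work that stands in for time here."""
    acc = coeffs[-1]
    for c in reversed(coeffs[:-1]):
        acc = gf_mul(acc, x) ^ c
        counter[0] += 1
    return acc

def goppa_poly():
    """g(Y) = Y^2 + Y + c for the smallest c with no root in GF(2^m); a
    quadratic without roots is irreducible, as the Goppa code requires."""
    for c in range(1, Q):
        g = [c, 1, 1]
        if all(poly_eval(g, a, [0]) for a in SUPPORT):
            return g
    raise ValueError("no irreducible quadratic found")

G = goppa_poly()

# Column j of a parity check matrix H over GF(2^m): (alpha_j^i / g(alpha_j)),
# i = 0..t-1. Textbook Goppa form (assumed); any basis of the same row space
# defines the same code.
H_COLS = []
for a in SUPPORT:
    inv, power, col = gf_inv(poly_eval(G, a, [0])), 1, []
    for _ in range(T):
        col.append(gf_mul(power, inv))
        power = gf_mul(power, a)
    H_COLS.append(col)

def syndrome(word):
    """word * H^T as t elements of GF(2^m); zero exactly for codewords."""
    s = [0] * T
    for j, bit in enumerate(word):
        if bit:
            for i in range(T):
                s[i] ^= H_COLS[j][i]
    return s

def with_errors(word, positions):
    """word XOR e, where e has ones at the given positions."""
    out = list(word)
    for p in positions:
        out[p] ^= 1
    return out

# All 2^16 binary words checked by brute force; fine at toy size.
CODE = [w for w in ([(v >> j) & 1 for j in range(N)] for v in range(1 << N))
        if not any(syndrome(w))]

def code_dimension():
    """k = log2 |C|; the slides give k = n - mt, here 16 - 4*2 = 8."""
    return len(CODE).bit_length() - 1

def min_distance():
    """Binary Goppa codes with square-free g have d >= 2t + 1 (here 5)."""
    return min(sum(w) for w in CODE if any(w))

def nonzero_codeword():
    return next(w for w in CODE if any(w))

def error_locator(positions):
    """sigma(Y) = prod (Y + alpha_i) over error positions; deg sigma = w."""
    sigma = [1]
    for p in positions:
        a, new = SUPPORT[p], [0] * (len(sigma) + 1)
        for d, c in enumerate(sigma):
            new[d + 1] ^= c              # c * Y^(d+1)
            new[d] ^= gf_mul(c, a)       # c * alpha * Y^d
        sigma = new
    return sigma

def find_roots(sigma, pad_to=None):
    """Exhaustive evaluation over Γ. Returns (error positions, gf_mul count).
    Unpadded, the count is n*w and so depends on w (the leak behind the
    message-aimed timing attack); with pad_to=T the polynomial is always
    handled as degree t and the count is n*t whatever w is. A real
    countermeasure also needs gf_mul itself to be constant-time; the
    data-dependent branch on b & 1 above is not."""
    if pad_to is not None:
        sigma = sigma + [0] * (pad_to + 1 - len(sigma))
    counter = [0]
    roots = [j for j, a in enumerate(SUPPORT) if poly_eval(sigma, a, counter) == 0]
    return roots, counter[0]

if __name__ == "__main__":
    print("g(Y) =", G, "k =", code_dimension(), "d =", min_distance())
    for pos in ([5], [3, 9]):
        print(pos, find_roots(error_locator(pos)), find_roots(error_locator(pos), pad_to=T))
```

Running the block prints the Goppa polynomial, $k = 8$ and $d = 5$, then for one and two errors the recovered positions with the operation count: 16 and 32 `gf_mul` calls unpadded (linear in $w$, as the slide states), 32 in both cases once padded to degree $t$. Padding removes only the degree-dependent part of the timing; the slides' later point about the EEA iteration count is a separate leak that this toy does not cover.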


SLIDE 78

Refinements of the Message-aimed Attack

SLIDES 79–83

Refinements of the Message-aimed Attack (outline)

Number of iterations in the EEA already dependent on $w$
  smaller timing differences, allowing the same attack
  countermeasure: avoid "premature" abortion of the EEA

Related simple power analysis attack on the number of iterations in the EEA
  similar countermeasure


SLIDE 85

Analysis of Root-Finding Variants

SLIDES 86–94

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Variant                     | Speed   | RAM demands | Mess.-aim. TA | Key-aim. TA
exh. evaluation             | 1269 ms | 2344 byte   | safe          | safe
exh. evaluation w/ division |         |             |               |

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-95
SLIDE 95

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-96
SLIDE 96

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-97
SLIDE 97

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m.

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-98
SLIDE 98

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m. BTZ2

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-99
SLIDE 99

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m. BTZ2 272ms

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-100
SLIDE 100

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m. BTZ2 272ms 34886 byte

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-101
SLIDE 101

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m. BTZ2 272ms 34886 byte unsafe

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-102
SLIDE 102

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m. BTZ2 272ms 34886 byte unsafe probably unsafe

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-103
SLIDE 103

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m. BTZ2 272ms 34886 byte unsafe probably unsafe linearized polynomials

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-104
SLIDE 104

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m. BTZ2 272ms 34886 byte unsafe probably unsafe linearized polynomials 415ms

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-105
SLIDE 105

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m. BTZ2 272ms 34886 byte unsafe probably unsafe linearized polynomials 415ms 2344 byte

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-106
SLIDE 106

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Speed RAM demands Mess.-

  • aim. TA

Key-aim. TA

  • exh. evaluation

1269ms 2344 byte safe safe

  • exh. evalua-

tion w/ division 638ms 2344 byte unsafe safe with c.m. BTZ2 272ms 34886 byte unsafe probably unsafe linearized polynomials 415ms 2344 byte safe

Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

slide-107
SLIDE 107

Analysis of Root-Finding Variants

using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz

Variant                       Speed     RAM demands   Mess.-aim. TA   Key-aim. TA
exh. evaluation               1269 ms   2344 byte     safe            safe
exh. evaluation w/ division    638 ms   2344 byte     unsafe          safe with c.m.
BTZ2                           272 ms   34886 byte    unsafe          probably unsafe
linearized polynomials         415 ms   2344 byte     safe            safe with c.m.


slide-109
SLIDE 109

Encryption in PKI


slide-110
SLIDE 110

Solution for Memory-constrained Platforms

Process the certificate during receipt (figure, labels only):
certificate stream: TBS data beg. | Matrix (Public Key) 100 KByte | TBS end | signature
Hash value → sign. ok? fail – output error; success – finalize & output
online-mul.: mG, m, . . .
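The streaming certificate processing sketched in the figure, as an added example that is not the thesis' implementation: a Python processor that hashes the TBS data and accumulates z' = mG_p row by row while the certificate arrives in arbitrary chunks, keeps only one matrix row in memory, and outputs z = z' ⊕ e only after the signature check succeeds. The certificate layout, the HMAC-SHA256 stand-in for the CA signature, the key used for it and the toy matrix size are all constructed for this example.

```python
# Added example (not the thesis' code): process a certificate carrying a large McEliece
# public key while it is received, so the matrix (100 KByte for a 244 bit key) is never
# stored. Layout, signature stand-in and sizes are constructed for this example.
import hashlib
import hmac
import random

SIG_LEN = 32   # HMAC-SHA256 over the TBS hash stands in for the CA's signature

class StreamingCertProcessor:
    """Certificate layout: header || k matrix rows of row_bytes || trailer || signature.
    Hashes the TBS part and XORs every row with m_i = 1 into an accumulator (online mG)
    as the bytes arrive; only one row is buffered at a time."""

    def __init__(self, header_len, k, row_bytes, trailer_len, ca_key, m_bits):
        assert len(m_bits) == k
        self.mat_start, self.mat_end = header_len, header_len + k * row_bytes
        self.tbs_len = self.mat_end + trailer_len
        self.row_bytes, self.ca_key, self.m_bits = row_bytes, ca_key, m_bits
        self.h = hashlib.sha256()          # hash value over the TBS data, updated online
        self.acc = bytearray(row_bytes)    # running sum of selected rows: z' = m * G_p
        self.row_buf, self.sig_buf = bytearray(), bytearray()
        self.offset, self.rows_done = 0, 0

    def feed(self, data):
        """Consume the next chunk of the certificate (any chunk size)."""
        while data:
            if self.offset < self.tbs_len:
                take = min(len(data), self.tbs_len - self.offset)
                self.h.update(data[:take])
                self._consume_matrix_part(data[:take])
            else:
                take = min(len(data), SIG_LEN - len(self.sig_buf))
                if take == 0:
                    raise ValueError("data beyond the end of the certificate")
                self.sig_buf += data[:take]
            self.offset += take
            data = data[take:]

    def _consume_matrix_part(self, data):
        lo, hi = max(self.offset, self.mat_start), min(self.offset + len(data), self.mat_end)
        if lo >= hi:
            return                         # chunk lies entirely in header or trailer
        self.row_buf += data[lo - self.offset:hi - self.offset]
        while len(self.row_buf) >= self.row_bytes:
            row, self.row_buf = self.row_buf[:self.row_bytes], self.row_buf[self.row_bytes:]
            if self.m_bits[self.rows_done]:
                for i, b in enumerate(row):
                    self.acc[i] ^= b
            self.rows_done += 1

    def finish(self, error_vector):
        """sign. ok? fail: output error (z' is discarded); success: finalize z = z' XOR e and output."""
        if self.offset != self.tbs_len + SIG_LEN:
            return None, "error: truncated certificate"
        expected = hmac.new(self.ca_key, self.h.digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes(self.sig_buf)):
            return None, "error: bad signature"
        return bytes(a ^ e for a, e in zip(self.acc, error_vector)), "ok"

def build_certificate(header, rows, trailer, ca_key):
    tbs = header + b"".join(rows) + trailer
    return tbs + hmac.new(ca_key, hashlib.sha256(tbs).digest(), hashlib.sha256).digest()

def reference_product(rows, m_bits):       # m * G_p with the whole matrix in memory, for comparison
    out = bytearray(len(rows[0]))
    for bit, row in zip(m_bits, rows):
        if bit:
            for i, b in enumerate(row):
                out[i] ^= b
    return bytes(out)

def demo(chunk_size=7, tamper=False):
    """Toy instance: k = 16 rows of 8 bytes (n = 64); returns (status, ciphertext matches reference)."""
    rng = random.Random(2013)              # constructed, deterministic test data
    rows = [bytes(rng.getrandbits(8) for _ in range(8)) for _ in range(16)]
    m_bits = [rng.getrandbits(1) for _ in range(16)]
    e = bytes(rng.getrandbits(8) for _ in range(8))   # stands in for the weight-t error vector
    ca_key = b"constructed-ca-key"
    cert = bytearray(build_certificate(b"HDR", rows, b"TRL", ca_key))
    if tamper:
        cert[3] ^= 1                       # flip a bit in the first matrix row
    proc = StreamingCertProcessor(3, 16, 8, 3, ca_key, m_bits)
    for i in range(0, len(cert), chunk_size):
        proc.feed(bytes(cert[i:i + chunk_size]))
    z, status = proc.finish(e)
    expected = bytes(a ^ b for a, b in zip(reference_product(rows, m_bits), e))
    return status, z == expected
```

The same result is obtained for every chunk size, and a tampered matrix row fails the signature check without any ciphertext being output.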


slide-117
SLIDE 117

Results

experiments: the transmission rate is the limiting factor; for a key with security level 244 bit: t > 13 s


slide-121
SLIDE 121

Timing Attack against the secret Support

secret key: $g(Y)$, $\Gamma = (\alpha_0, \alpha_1, \ldots, \alpha_{n-1})$

$e = (\ldots\, 1\, \ldots\, 1\, \ldots)$, indexes: $1 \ldots f_1 \; f_2$ → $\alpha_{f_1}, \alpha_{f_2}$

$\sigma(Y) = \prod_{i=0}^{w-1} (\alpha_{f_i} - Y)$


slide-125
SLIDE 125

Overview of the Attack

Timing vulnerabilities:
for w = 4: linear equations
for w = 1: zero element
for w = 6: cubic equations


slide-129
SLIDE 129

Source of timing differences for weight 4 error vectors

Syndrome $S(Y) \equiv \sum_{i=1}^{w} \frac{1}{Y \oplus \alpha_{f_i}} \equiv \frac{\Omega(Y)}{\sigma(Y)} \bmod g(Y)$

If $w \le t/2$ then $\sigma(Y)$ can be found by the EEA (break once $\deg(r_i(Y)) \le (t/2) - 1$)
→ information about an intermediate iteration where the coefficient $= \sigma(Y)$


slide-134
SLIDE 134

The Syndrome Inversion EEA for w = 4

$S(Y) \equiv \sum_{i=1}^{4} \frac{1}{Y \oplus \alpha_{f_i}} \equiv \frac{\Omega(Y)}{\sigma(Y)} \equiv \frac{\sigma_3 Y^2 \oplus \sigma_1}{Y^4 \oplus \sigma_3 Y^3 \oplus \sigma_2 Y^2 \oplus \sigma_1 Y \oplus \sigma_0} \bmod g(Y)$

maximal number of iterations $M = \deg(\Omega(Y)) + \deg(\sigma(Y))$
if $\sigma_3 = 0$, then $M$ is smaller than otherwise → fewer iterations, smaller timing
$\sigma_3 = \alpha_{f_1} \oplus \alpha_{f_2} \oplus \alpha_{f_3} \oplus \alpha_{f_4} = 0$
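The dependence of the EEA round count on σ_3 stated above, together with the break condition of the previous slide, as an added example that is not code from the thesis: a Python model over a constructed GF(2^8) instance with a root-free g(Y) of degree t = 9 and hand-picked support elements. It checks the key equation S·σ ≡ Ω mod g, compares the bound M = deg Ω + deg σ for σ_3 ≠ 0 and σ_3 = 0, counts the division rounds of a syndrome inversion that aborts as soon as the remainder is constant, and shows the padded variant that always runs t − 1 rounds. The field modulus, g(Y), the support elements and the error patterns are assumptions of this example.

```python
# Added example (not from the thesis): round count of an EEA-based syndrome inversion for
# weight-4 error vectors, and the "no premature abortion" padding. Constructed toy instance:
# GF(2^8) with modulus Y^8+Y^4+Y^3+Y^2+1, deg g = t = 9, hand-picked support elements.
M_BITS, FIELD_POLY, T = 8, 0x11D, 9

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b, a = b >> 1, a << 1
        a ^= FIELD_POLY if a >> M_BITS else 0
    return r

def gf_inv(a):                        # a^(2^m-2) = 1/a for a != 0
    r, e = 1, (1 << M_BITS) - 2
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r

# polynomials over GF(2^8): coefficient list, index = degree, no trailing zeros, [] = 0
def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p
def deg(p): return len(p) - 1        # deg(0) = -1
def padd(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) ^ (b[i] if i < len(b) else 0) for i in range(n)])
def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] ^= gf_mul(x, y)
    return trim(r)
def pdivmod(a, b):                    # b != 0; returns (quotient, remainder)
    a, q, inv_lead = list(a), [0] * max(len(a) - len(b) + 1, 1), gf_inv(b[-1])
    while len(a) >= len(b):
        shift, c = len(a) - len(b), gf_mul(a[-1], inv_lead)
        q[shift] = c
        for i, y in enumerate(b):
            a[shift + i] ^= gf_mul(c, y)
        trim(a)
    return trim(q), a
def peval(p, x):
    r = 0
    for c in reversed(p):
        r = gf_mul(r, x) ^ c
    return r

def eea_inverse(g, s, min_rounds=0):
    """s^-1 mod g by the EEA; returns (inverse, number of division rounds).
    The loop aborts once the remainder is constant, so the count follows deg(Omega)+deg(sigma);
    min_rounds appends dummy rounds, i.e. the 'avoid premature abortion' countermeasure."""
    r0, r1, v0, v1, rounds = list(g), list(s), [], [1], 0
    while deg(r1) > 0:
        q, r = pdivmod(r0, r1)
        r0, r1, v0, v1 = r1, r, v1, padd(v0, pmul(q, v1))   # invariant: r1 = v1*s mod g
        rounds += 1
    if not r1:
        raise ValueError("s is not invertible mod g")
    inv = trim([gf_mul(c, gf_inv(r1[0])) for c in v1])
    while rounds < min_rounds:        # dummy work (illustrative; must be indistinguishable in practice)
        pdivmod(g, [1])
        rounds += 1
    return inv, rounds

def sigma_poly(alphas):               # sigma(Y) = prod (Y + alpha_{f_i})
    s = [1]
    for a in alphas:
        s = pmul(s, [a, 1])
    return s
def omega_poly(sigma):                # Omega = sigma'; in characteristic 2 only odd-degree terms survive
    return trim([sigma[i] if i % 2 else 0 for i in range(1, len(sigma))])
def syndrome_poly(g, alphas):         # S(Y) = sum 1/(Y + alpha_{f_i}) mod g
    s = []
    for a in alphas:
        s = padd(s, eea_inverse(g, [a, 1])[0])
    return s
def goppa_poly():                     # g(Y) = Y^t + Y + c with no root in GF(2^8) (constructed)
    for c in range(1, 1 << M_BITS):
        g = [c, 1] + [0] * (T - 2) + [1]
        if all(peval(g, x) for x in range(1 << M_BITS)):
            return g
G = goppa_poly()

def analyse(alphas):
    """sigma_3, the bound M = deg(Omega) + deg(sigma) and the observed EEA rounds for one error pattern."""
    sigma = sigma_poly(alphas)
    omega, s = omega_poly(sigma), syndrome_poly(G, alphas)
    inv, rounds = eea_inverse(G, s)
    _, padded = eea_inverse(G, s, min_rounds=T - 1)         # t-1 is the largest possible count
    return {"sigma3": sigma[3], "deg_omega": deg(omega), "max_rounds": deg(sigma) + deg(omega),
            "rounds": rounds, "padded_rounds": padded,
            "key_equation_ok": pdivmod(pmul(s, sigma), G)[1] == omega,
            "inverse_ok": pdivmod(pmul(s, inv), G)[1] == [1]}

CASE_GENERIC = [1, 2, 4, 8]           # sigma_3 = 1^2^4^8 = 15: deg(Omega) = 2, M = 6
CASE_SIGMA3_ZERO = [1, 2, 4, 7]       # sigma_3 = 1^2^4^7 = 0: Omega constant, M = 4
```

`analyse(CASE_GENERIC)` and `analyse(CASE_SIGMA3_ZERO)` return the two bounds M = 6 and M = 4 with observed round counts within them, while the padded inversion reports t − 1 = 8 rounds for both inputs.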


slide-139
SLIDE 139

Weight 6 Vulnerability

$S(Y) \equiv \frac{\sigma_5 Y^4 \oplus \sigma_3 Y^2 \oplus \sigma_1}{Y^6 \oplus \sigma_5 Y^5 \oplus \sigma_4 Y^4 \oplus \sigma_3 Y^3 \oplus \sigma_2 Y^2 \oplus \sigma_1 Y + \sigma_0} \bmod g(Y),$

$\sigma_5 = \sum_{i=1}^{6} \alpha_{f_i}$

$\sigma_3 = \sum_{j=3}^{6} \sum_{k=2}^{j-1} \sum_{l=1}^{k-1} \alpha_{f_j}\alpha_{f_k}\alpha_{f_l} = 0$


slide-142
SLIDE 142

Building the Attack

from the linear equations:

$$\begin{array}{ccccccc|ccc}
\alpha_0 & \alpha_1 & \cdots & \alpha_i & \cdots & \alpha_{n-m-3} & \alpha_{n-m-2} & \beta_0 & \cdots & \beta_{m-1} \\ \hline
1 & & & & & & & X & \cdots & X \\
 & 1 & & & & & & X & \cdots & X \\
 & & & \ddots & & & & & \vdots & \\
 & & & & & & 1 & X & \cdots & X
\end{array}$$

$\alpha_i = \sum_{j \in B_i} \beta_j$

→ collect cubic equations s.th. the system can be solved


slide-146
SLIDE 146

Collecting cubic Equations

$\Omega(Y) = \sigma_5 Y^4 \oplus \sigma_3 Y^2 \oplus \sigma_1$

$C_1$: $\beta_3 \leftarrow \beta_0, \beta_1, \beta_2$
$C_2$: $\beta_4 \leftarrow \beta_0, \beta_1, \beta_2, \beta_3$
. . .
$C_{m-3}$: $\beta_{m-1} \leftarrow \beta_0, \beta_1, \ldots, \beta_{m-2}$

practical timing attack on an Intel Core2 Duo CPU; number of queries ≈ millions


slide-149
SLIDE 149

Conclusion

Efficiency issues
handling of public keys on embedded devices
investigation of a number of time-memory tradeoffs

Implementation Security
message-aimed side-channel issues
key-aimed side-channel issues

choice of root-finding algorithm is crucial for performance and security
security against timing attacks is achievable
the decryption operation can be implemented on embedded systems without hardware support
the encryption on embedded systems remains a problem


slide-159
SLIDE 159

Contributions

Strenzke, F., Tews, E., Molter, H., Overbeck, R., Shoufan, A.: Side Channels in the McEliece PKC. In: The third international Workshop on Post-Quantum Cryptography, PQC 2008. Lecture Notes in Computer Science, Springer Berlin / Heidelberg (2008)

Shoufan, A., Strenzke, F., Molter, H., Stöttinger, M.: A Timing Attack against Patterson Algorithm in the McEliece PKC. In: Information, Security and Cryptology, ICISC 2009. Lecture Notes in Computer Science, Springer Berlin / Heidelberg (2009)

Strenzke, F.: A Timing Attack against the secret Permutation in the McEliece PKC. In: The third international Workshop on Post-Quantum Cryptography, PQC 2010. Lecture Notes in Computer Science, Springer Berlin / Heidelberg (2010)

Strenzke, F.: A Smart Card Implementation of the McEliece PKC. In: Workshop in Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices, WISTP 2010. Lecture Notes in Computer Science, Springer Berlin / Heidelberg (2010)

Strenzke, F.: Message-aimed Side Channel and Fault Attacks against Public Key Cryptosystems with homomorphic Properties. In: Journal of Cryptographic Engineering (2011)

Molter, H.G., Stöttinger, M., Shoufan, A., Strenzke, F.: A Simple Power Analysis Attack on a McEliece Cryptoprocessor. In: Journal of Cryptographic Engineering (2011)

Strenzke, F.: Fast and Secure Root-Finding for Code-based Cryptosystems. In: The 11th International Conference on Cryptology and Network Security, CANS 2012. Lecture Notes in Computer Science, Springer Berlin / Heidelberg (2012)

Strenzke, F.: Solutions for the Storage Problem of McEliece Public and Private Keys on Memory-constrained Platforms. In: Proceedings of the 15th international conference on Information Security, ISC 2012. Lecture Notes in Computer Science, Springer Berlin / Heidelberg (2012)

Strenzke, F.: Timing Attacks against the Syndrome Inversion in Code-based Cryptosystems. In: The fifth international Workshop on Post-Quantum Cryptography, PQC 2013. Lecture Notes in Computer Science, Springer Berlin / Heidelberg (2013)

slide-160
SLIDE 160

McEliece and Niederreiter

McEliece

$G_p = [I \mid G_2] = GT \in \mathbb{F}_2^{n \times k}$, $G_2 \in \mathbb{F}_2^{mt \times k}$, $T \in \mathbb{F}_2^{k \times k}$

Niederreiter

$H_p = [I \mid H_2] = TH \in \mathbb{F}_2^{mt \times n}$, $H_2 \in \mathbb{F}_2^{mt \times k}$

secret key contains $T \in \mathbb{F}_2^{mt \times mt}$