efficiency and implementation security of code based
play

Efficiency and Implementation Security of Code-based Cryptosystems - PowerPoint PPT Presentation

Apr 21, 2023 •110 likes •1.73k views

Efficiency and Implementation Security of Code-based Cryptosystems PhD Thesis by Falko Strenzke Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany,

  1. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  2. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  3. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  4. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  5. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  6. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  7. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  8. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  9. The McEliece PKC Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 7 / 37

  10. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  11. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  12. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  13. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  14. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  15. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  16. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  17. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  18. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  19. Implementation Aspects of Cryptograpic Algorithms Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  20. Implementation Aspects of Cryptograpic Algorithms RAM Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  21. Implementation Aspects of Cryptograpic Algorithms RAM ROM Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  22. Implementation Aspects of Cryptograpic Algorithms RAM ROM input ∆ t output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  23. Implementation Aspects of Cryptograpic Algorithms Efficiency RAM ROM input ∆ t output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  24. Implementation Aspects of Cryptograpic Algorithms Efficiency RAM ROM input ∆ t output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  25. Implementation Aspects of Cryptograpic Algorithms Efficiency RAM ROM input input ∆ t ∆ t output output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  26. Implementation Aspects of Cryptograpic Algorithms Efficiency RAM ROM input input ∆ t ∆ t output output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  27. Implementation Aspects of Cryptograpic Algorithms Efficiency Side Channel Security RAM ROM input input ∆ t ∆ t output output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  28. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  29. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  30. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  31. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  32. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  33. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  34. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  35. Overview RSA Efficiency Key-aimed SCA Message-aimed SCA (Message-aimed SCA) PQCrypto 2008 Timing Attack ICISC 2009 Timing Attack PQCrypto 2010 JCEN 2011 ISICS 2010 Timing Attack Power Analysis Attack ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization CANS 2012 Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 11 / 37

  36. Overview Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 12 / 37

  37. Message-aimed Timing Attack Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 13 / 37

  38. Message-aimed Timing Attack (I) let w = wt ( � e ) deg ( σ ( Y )) = w for w ≤ t basically any root-finding variant: (at least) linear dependency of root-finding time on deg ( σ ( Y )) Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 14 / 37

  39. Message-aimed Timing Attack (I) let w = wt ( � e ) deg ( σ ( Y )) = w for w ≤ t basically any root-finding variant: (at least) linear dependency of root-finding time on deg ( σ ( Y )) Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 14 / 37

  40. Message-aimed Timing Attack (I) let w = wt ( � e ) deg ( σ ( Y )) = w for w ≤ t basically any root-finding variant: (at least) linear dependency of root-finding time on deg ( σ ( Y )) Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 14 / 37

  41. Message-aimed Timing Attack (I) let w = wt ( � e ) deg ( σ ( Y )) = w for w ≤ t basically any root-finding variant: (at least) linear dependency of root-finding time on deg ( σ ( Y )) Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 14 / 37

  42. Message-aimed Timing Attack (II) t = 50 Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 15 / 37

  43. Overview Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 16 / 37

  44. Refinements of the Message-aimed Attack Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 17 / 37

  45. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  46. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  47. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  48. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  49. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  50. Overview Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 19 / 37

  51. Analysis of Root-Finding Variants Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 20 / 37

  52. Analysis of Root-Finding Variants RAM Mess.- Key-aim. Speed demands aim. TA TA Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  53. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  54. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  55. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  56. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  57. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  58. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  59. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- tion w/ division Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  60. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms tion w/ division Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  61. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte tion w/ division Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  62. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe tion w/ division Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  63. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe safe with tion w/ division c.m. Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  64. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe safe with tion w/ division c.m. BTZ 2 Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  65. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe safe with tion w/ division c.m. BTZ 2 272ms Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  66. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe safe with tion w/ division c.m. BTZ 2 272ms 34886 byte Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Australias Implementation of the ISPS Code ARF 4th Inter Sessional Meeting Maritime Security

Australias Implementation of the ISPS Code ARF 4th Inter Sessional Meeting Maritime Security

Australias Implementation of the ISPS Code ARF 4th Inter Sessional Meeting Maritime Security Anthony Gibson Maritime Operational Policy Office of Transport Security Department of Infrastructure and Transport For Thought Does voluntary

303 views • 13 slides
Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The

Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The

Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The Open University, GB http://www.umlsec.org Challenge: Security Security is holistic property: Attackers often circumvent (not: break) mechanisms.

639 views • 36 slides
Scenarios of Energy Efficiency in the industry sector Wojciech Staczyk, Pawe nitko, KAPE

Scenarios of Energy Efficiency in the industry sector Wojciech Staczyk, Pawe nitko, KAPE

EU MERCI EU coordinated ME thods and procedures based on R eal C ases for the effective implementation of policies and measures supporting energy efficiency in the I ndustry Fostering the growth of energy efficiency in the EU industry

515 views • 12 slides
EU - Me EU Merci Conference Good Practices of Energy Efficiency in the European Industry

EU - Me EU Merci Conference Good Practices of Energy Efficiency in the European Industry

EU-MERCI EU coordinated ME thods and procedures based on R eal C ases for the effective implementation of policies and measures supporting energy efficiency in the I ndustry Fostering the growth of energy efficiency in the EU industry EU - Me EU

459 views • 15 slides
Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
Implementation of an RTZ code Implementation of an RTZ code for feedback DAC on a for feedback

Implementation of an RTZ code Implementation of an RTZ code for feedback DAC on a for feedback

DCIS04 Intro WA modelling RTZ study Conclusions 1 Implementation of an RTZ code Implementation of an RTZ code for feedback DAC on a for feedback DAC on a Sigma-Delta modulator Sigma-Delta modulator Jofre Pallars 1 , Xavier Redondo 1

340 views • 16 slides
Biometrics & Security Seminar Fingerprint-based Fuzzy Vault: Implementation and Performance

Biometrics & Security Seminar Fingerprint-based Fuzzy Vault: Implementation and Performance

Biometrics & Security Seminar Fingerprint-based Fuzzy Vault: Implementation and Performance Based on the journal article of K. Nandakumar, A. K. Jain and S. Pankanti Presenter: Marko Pascan Seminar instructors: Laila El Aimani and Deniz

831 views • 50 slides
The Implementation of the European Energy Efficiency Directive: Will Austria achieve its

The Implementation of the European Energy Efficiency Directive: Will Austria achieve its

The Implementation of the European Energy Efficiency Directive: Will Austria achieve its Efficiency Targets in 2020? Austrian Energy Agency (AEA) Gnter Simader | September 4th, 2017 Energy Efficiency Directive (EED 2012/27/EU) 20 - 20 -

555 views • 16 slides
European Network Code Implementation Overview Wednesday 3 May 2017 EU Code Implementation

European Network Code Implementation Overview Wednesday 3 May 2017 EU Code Implementation

European Network Code Implementation Overview Wednesday 3 May 2017 EU Code Implementation Overview Background and purpose More detail on: Connection Codes Requirements for Generators Operational Codes Balancing Codes

779 views • 33 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, PSL Research University, INRIA (Internship at CryptoExperts, Paris) ECRYPT-NET School on Correct and Secure Implementation Crete, Greece 8

850 views • 67 slides
Code Based Software Security Assessments CoBaSSA 2005 November 7 th 2005, Pittsburgh, PA

Code Based Software Security Assessments CoBaSSA 2005 November 7 th 2005, Pittsburgh, PA

Proceedings of the First International Workshop on Code Based Software Security Assessments CoBaSSA 2005 November 7 th 2005, Pittsburgh, PA Organized by Leon Moonen and Spiros Mancoridis Co-located with the 12 th IEEE Working Conference

458 views • 27 slides
Moving to performance based energy code December 11, 2013 Ian Finlayson Deputy Director, Energy

Moving to performance based energy code December 11, 2013 Ian Finlayson Deputy Director, Energy

Creating A Cleaner Energy Future For the Commonwealth Moving to performance based energy code December 11, 2013 Ian Finlayson Deputy Director, Energy Efficiency Division Outline Energy Context in MA Why Performance based code ?

176 views • 17 slides
Approaches Based on guided code generation Based on exploring existing code Based on

Approaches Based on guided code generation Based on exploring existing code Based on

Approaches Based on guided code generation Based on exploring existing code Based on spreadsheet interaction Using R for teaching statistics to nonmajors: Comparing experiences of 2.5 different approaches Thomas Baier University of

639 views • 7 slides
Application Security The source code perspective Authors: Francesco Consiglio Marco Borza

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza Implementation Challenges Iron Triangle Security as an afterthought The Secure SDLC in the Waterfall Model SDLC vs Secure SDLC Cost Reduction

1.3k views • 11 slides
Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana University South

Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana University South

McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana University South Bend joint work with Cristopher Moore Alexander Russell University of New Mexico University of Connecticut Post-quantum

401 views • 18 slides
Code-Based Post-Quantum Cryptography Wijik Lee 1 , Young-Sik Kim 2 , and Jong-Seon No 1 1

Code-Based Post-Quantum Cryptography Wijik Lee 1 , Young-Sik Kim 2 , and Jong-Seon No 1 1

Mathematical Methods for Cryptography 2017, Svolvaer, Lofoten, Norway 1 / 41 Code-Based Post-Quantum Cryptography Wijik Lee 1 , Young-Sik Kim 2 , and Jong-Seon No 1 1 Department of ECE, INMC, Seoul National University, Seoul, Korea 2 Chosun

565 views • 41 slides
A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project),

A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project),

A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project), Val erie Gauthier (Math. dep. Tech. Univ. of Denmark), A. Otmani (Universit e Caen- INRIA, SECRET project), L. Perret (INRIA, SALSA project),

734 views • 35 slides
Words of Minimal Weight and Weight Distribution in Binary Goppa Codes Matthieu Finiasz ISIT 2003

Words of Minimal Weight and Weight Distribution in Binary Goppa Codes Matthieu Finiasz ISIT 2003

Words of Minimal Weight and Weight Distribution in Binary Goppa Codes Matthieu Finiasz ISIT 2003 Yokohama Binary Goppa Codes Introduction Used for cryptography ( McEliece cryptosystem) Indistinguishable from a random linear code

138 views • 11 slides
Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim Gneysu Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim

590 views • 22 slides
Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR, Universit de Rennes 1 Journes Nationales de Calcul Formel 2020 03/03/2020 Outline 1. McEliece cryptosystem and variants 2. Attack on the ReedSolomon

782 views • 52 slides
On the security of Some Compact Keys for McEliece Scheme lise Barelli INRIA Saclay and LIX,

On the security of Some Compact Keys for McEliece Scheme lise Barelli INRIA Saclay and LIX,

On the security of Some Compact Keys for McEliece Scheme lise Barelli INRIA Saclay and LIX, CNRS UMR 7161 cole Polytechnique, 91120 Palaiseau Cedex June 16, 2017 E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June

1.01k views • 61 slides
Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based cryptography Matthieu Lequesne Sorbonne Universit Inria Paris, team Cosmiq February 27, 2020 All you ever wanted to know about code-based crypto

1.53k views • 132 slides

More recommend