error amplification in code based cryptography
play

Error Amplification in Code-based Cryptography Alexander Nilsson 1,2 - PowerPoint PPT Presentation

Sep 02, 2023 •464 likes •1.24k views

Error Amplification in Code-based Cryptography Alexander Nilsson 1,2 Thomas Johansson 1 Paul Stankovski Wagner 1 August 27, 2019 1 Dept. of Electrical and Information Technology, Lund University, Sweden 2 Advenica AB, Malm, Sweden WALLENBERG

  1. Error Amplification in Code-based Cryptography Alexander Nilsson 1,2 Thomas Johansson 1 Paul Stankovski Wagner 1 August 27, 2019 1 Dept. of Electrical and Information Technology, Lund University, Sweden 2 Advenica AB, Malmö, Sweden WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM

  2. Background Code-based Cryptography Previous work Attack Scenario Contributions The Chaining method Generating e 0 Results Amplification effect Wrapping it up

  3. • Security based on hardness of decoding random linear codes. • The McElice cryptosystem from 1978, using binary Goppa codes, is still secure today. • Large keys! Code-based Cryptography • One of the major branches of cryptographic post-quantum research. 1

  4. • The McElice cryptosystem from 1978, using binary Goppa codes, is still secure today. • Large keys! Code-based Cryptography • One of the major branches of cryptographic post-quantum research. • Security based on hardness of decoding random linear codes. 1

  5. • Large keys! Code-based Cryptography • One of the major branches of cryptographic post-quantum research. • Security based on hardness of decoding random linear codes. • The McElice cryptosystem from 1978, using binary Goppa codes, is still secure today. 1

  6. Code-based Cryptography • One of the major branches of cryptographic post-quantum research. • Security based on hardness of decoding random linear codes. • The McElice cryptosystem from 1978, using binary Goppa codes, is still secure today. • Large keys! 1

  7. • More compact keys by using cyclic structures in the key-matrices. • Encryption simply: c mG e • Uses iterative bitflipping decoding in the decryption stage • Decryption Failure Rate (DFR), is non-zero. QC-MDPC (1/5) Quasi-Cyclic Medium Density Parity Check is a variant of the McEliece cryptosystem [Mis+12]: 2

  8. • Encryption simply: c mG e • Uses iterative bitflipping decoding in the decryption stage • Decryption Failure Rate (DFR), is non-zero. QC-MDPC (1/5) Quasi-Cyclic Medium Density Parity Check is a variant of the McEliece cryptosystem [Mis+12]: • More compact keys by using cyclic structures in the key-matrices. 2

  9. • Uses iterative bitflipping decoding in the decryption stage • Decryption Failure Rate (DFR), is non-zero. QC-MDPC (1/5) Quasi-Cyclic Medium Density Parity Check is a variant of the McEliece cryptosystem [Mis+12]: • More compact keys by using cyclic structures in the key-matrices. • Encryption simply: c ← mG + e 2

  10. • Decryption Failure Rate (DFR), is non-zero. QC-MDPC (1/5) Quasi-Cyclic Medium Density Parity Check is a variant of the McEliece cryptosystem [Mis+12]: • More compact keys by using cyclic structures in the key-matrices. • Encryption simply: c ← mG + e • Uses iterative bitflipping decoding in the decryption stage 2

  11. QC-MDPC (1/5) Quasi-Cyclic Medium Density Parity Check is a variant of the McEliece cryptosystem [Mis+12]: • More compact keys by using cyclic structures in the key-matrices. • Encryption simply: c ← mG + e • Uses iterative bitflipping decoding in the decryption stage • Decryption Failure Rate (DFR), is non-zero. 2

  12. Suggested parameters for 80-bit security: n 0 2 n 9602 r 4801 w 90 t 84 Sparse! 99 bits out of 100 are zero in H . QC-MDPC (2/5) A ( n , r , w )-QC-MDPC code, is a linear code with an error correcting capability t , length n , codimension r and with a row weight w in the parity check matrix H . Additionally we have that n = n 0 r . 3

  13. Sparse! 99 bits out of 100 are zero in H . QC-MDPC (2/5) A ( n , r , w )-QC-MDPC code, is a linear code with an error correcting capability t , length n , codimension r and with a row weight w in the parity check matrix H . Additionally we have that n = n 0 r . Suggested parameters for 80-bit security: n 0 = 2 , n = 9602 , r = 4801 , w = 90 , t = 84 3

  14. QC-MDPC (2/5) A ( n , r , w )-QC-MDPC code, is a linear code with an error correcting capability t , length n , codimension r and with a row weight w in the parity check matrix H . Additionally we have that n = n 0 r . Suggested parameters for 80-bit security: n 0 = 2 , n = 9602 , r = 4801 , w = 90 , t = 84 Sparse! ≈ 99 bits out of 100 are zero in H . 3

  15. For n 0 2, we get h 0 0 h 0 1 h 0 r h 1 0 h 1 1 h 1 r 1 1 h 0 r h 0 0 h 0 r h 1 r h 1 0 h 1 r 1 2 1 2 H . . . . . . ... ... . . . . . . . . . . . . h 0 1 h 0 2 h 0 0 h 1 1 h 1 2 h 1 0 Knowledge of h 0 (the first row of H 0 ) is sufficient for complete key recovery. QC-MDPC (3/5) The secret key H ∈ F r × n is constructed as 2 H = [ H 0 | H 1 | . . . | H n 0 − 1 ] , where H i is a circulant r × r matrix. 4

  16. Knowledge of h 0 (the first row of H 0 ) is sufficient for complete key recovery. QC-MDPC (3/5) The secret key H ∈ F r × n is constructed as 2 H = [ H 0 | H 1 | . . . | H n 0 − 1 ] , where H i is a circulant r × r matrix. For n 0 = 2, we get   h 0 , 0 h 0 , 1 h 0 , r − 1   h 1 , 0 h 1 , 1 h 1 , r − 1   · · · · · · h 0 , r − 1 h 0 , 0 h 0 , r − 2 h 1 , r − 1 h 1 , 0 h 1 , r − 2 · · · · · ·       H =       . . . . . . ... ... . . . . . .       . . . . . .             h 0 , 1 h 0 , 2 h 0 , 0 h 1 , 1 h 1 , 2 h 1 , 0 · · · · · · 4

  17. QC-MDPC (3/5) The secret key H ∈ F r × n is constructed as 2 H = [ H 0 | H 1 | . . . | H n 0 − 1 ] , where H i is a circulant r × r matrix. For n 0 = 2, we get   h 0 , 0 h 0 , 1 h 0 , r − 1   h 1 , 0 h 1 , 1 h 1 , r − 1   · · · · · · h 0 , r − 1 h 0 , 0 h 0 , r − 2 h 1 , r − 1 h 1 , 0 h 1 , r − 2 · · · · · ·       H =       . . . . . . ... ... . . . . . .       . . . . . .             h 0 , 1 h 0 , 2 h 0 , 0 h 1 , 1 h 1 , 2 h 1 , 0 · · · · · · Knowledge of h 0 (the first row of H 0 ) is sufficient for complete key recovery. 4

  18. n r n Encryption of plaintext m into c 2 is given by: 2 n 1. Generating random e 2 with Hamming weight, wt e , less than t . 2. Computing c mG e . QC-MDPC (4/5) Public key G ∈ F ( n − r ) × n is constructed as follows: 2   ( H − 1 n 0 − 1 · H 0 ) T     ( H − 1 n 0 − 1 · H 1 ) T     G =  I    .   .   .         ( H − 1 n 0 − 1 · H n 0 − 2 ) T   5

  19. n 1. Generating random e 2 with Hamming weight, wt e , less than t . 2. Computing c mG e . QC-MDPC (4/5) Public key G ∈ F ( n − r ) × n is constructed as follows: 2   ( H − 1 n 0 − 1 · H 0 ) T     ( H − 1 n 0 − 1 · H 1 ) T     G =  I    .   .   .         ( H − 1 n 0 − 1 · H n 0 − 2 ) T   Encryption of plaintext m ∈ F n − r into c ∈ F n 2 is given by: 2 5

  20. 2. Computing c mG e . QC-MDPC (4/5) Public key G ∈ F ( n − r ) × n is constructed as follows: 2   ( H − 1 n 0 − 1 · H 0 ) T     ( H − 1 n 0 − 1 · H 1 ) T     G =  I    .   .   .         ( H − 1 n 0 − 1 · H n 0 − 2 ) T   Encryption of plaintext m ∈ F n − r into c ∈ F n 2 is given by: 2 1. Generating random e ∈ F n 2 with Hamming weight, wt ( e ) , less than t . 5

  21. QC-MDPC (4/5) Public key G ∈ F ( n − r ) × n is constructed as follows: 2   ( H − 1 n 0 − 1 · H 0 ) T     ( H − 1 n 0 − 1 · H 1 ) T     G =  I    .   .   .         ( H − 1 n 0 − 1 · H n 0 − 2 ) T   Encryption of plaintext m ∈ F n − r into c ∈ F n 2 is given by: 2 1. Generating random e ∈ F n 2 with Hamming weight, wt ( e ) , less than t . 2. Computing c ← mG + e . 5

  22. 1. Decode mG H mG e 2. Plaintext m is first n r positions of mG . The decoding algorithms ( H ) are based on variants of the original Gallager’s bitflipping algorithm. QC-MDPC (5/5) 2 into m ∈ F n − r To decrypt c ∈ F n we need a decoding algorithm, 2 Ψ H , with knowledge of H . 6

  23. 2. Plaintext m is first n r positions of mG . The decoding algorithms ( H ) are based on variants of the original Gallager’s bitflipping algorithm. QC-MDPC (5/5) 2 into m ∈ F n − r To decrypt c ∈ F n we need a decoding algorithm, 2 Ψ H , with knowledge of H . 1. Decode mG ← Ψ H ( mG + e ) 6

  24. The decoding algorithms ( H ) are based on variants of the original Gallager’s bitflipping algorithm. QC-MDPC (5/5) 2 into m ∈ F n − r To decrypt c ∈ F n we need a decoding algorithm, 2 Ψ H , with knowledge of H . 1. Decode mG ← Ψ H ( mG + e ) 2. Plaintext m is first ( n − r ) positions of mG . 6

  25. QC-MDPC (5/5) 2 into m ∈ F n − r To decrypt c ∈ F n we need a decoding algorithm, 2 Ψ H , with knowledge of H . 1. Decode mG ← Ψ H ( mG + e ) 2. Plaintext m is first ( n − r ) positions of mG . The decoding algorithms ( Ψ H ) are based on variants of the original Gallager’s bitflipping algorithm. 6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop

Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop

Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop Eindhoven, May 11-12, 2011 1/45 CONTENTS I Error-correcting codes; the basics II Quasi-cyclic codes; codes generated by circulants III Cyclic codes

556 views • 45 slides
Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven Post-Quantum Cryptography Winter School 23 February 2016 Error correction Digital media is exposed to memory

519 views • 38 slides
Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven Executive School on Post-Quantum Cryptography 02 July 2019 Error correction Digital media is exposed to memory

1.83k views • 96 slides
Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven PQCRYPTO Mini-School and Workshop 28 June 2018 Error correction Digital media is exposed to memory corruption.

1.54k views • 72 slides
Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

1 Code-based Cryptography Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien Schrek. A new zero-knowledge code based identification scheme with reduced communication. In ITW 2011 , pages 648

284 views • 6 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos ( joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based Cryptography Workshop Technical

301 views • 17 slides
Code-Based Cryptography Tung Chou with some slides by Tanja Lange and Christiane Peters Academia

Code-Based Cryptography Tung Chou with some slides by Tanja Lange and Christiane Peters Academia

Code-Based Cryptography Tung Chou with some slides by Tanja Lange and Christiane Peters Academia Sinica PQCRYPTO Mini-School 2020 20 July, 2020 Basics of coding theory Error correction Goal: protect against errors in a noisy channel.

1.18k views • 92 slides
/k Introduction and content 2/37 Error-correcting pair - Generalized Reed-Solomon codes -

/k Introduction and content 2/37 Error-correcting pair - Generalized Reed-Solomon codes -

Error-correcting Pairs for a Public-key Cryptosystem Ruud Pellikaan g.r.pellikaan@tue.nl joint work with Irene Mrquez-Corbella Code-based Cryptography Workshop 2012 Lyngby, 9 May 2012 /k Introduction and content 2/37 Error-correcting

687 views • 37 slides
Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31. Juli 2014 Outline Background UDP-based Amplification TCP-based Amplification Comparison UDP- / TCP-based Amplification 2 AMPLIFICATION

731 views • 27 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global Map public-key cryptography classic post-quantum lattice code multivariate hash isogenies . . . McEliece Niederreiter . . . GRS codes

1.04k views • 73 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September 20, 2011 Code-based cryptography 1. Background 2. The McEliece cryptosystem 3. Information-set-decoding attacks 4. Designs: Wild McEliece 5.

721 views • 55 slides
Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication linear expansion data codeword k n > k noisy channel noisy

783 views • 52 slides
A pointwise ergodic theorem for quasi-pmp graphs Anush Tserunyan University of Illinois at

A pointwise ergodic theorem for quasi-pmp graphs Anush Tserunyan University of Illinois at

A pointwise ergodic theorem for quasi-pmp graphs Anush Tserunyan University of Illinois at Urbana-Champaign pmp actions of groups and ergodicity ( X , ) a standard probability space, e.g. [0 , 1] with Lebesgue measure a

244 views • 22 slides
A Timeless Model for the Verification of Quasi-Periodic Distributed Systems Maryam Dabaghchian

A Timeless Model for the Verification of Quasi-Periodic Distributed Systems Maryam Dabaghchian

A Timeless Model for the Verification of Quasi-Periodic Distributed Systems Maryam Dabaghchian Zvonimir Rakamari School of Computing University of Utah Motivating Example Safety property: speed is always in a valid range Liveness property:

596 views • 3 slides
Sta$s$cs & Experimental Design with R Barbara Kitchenham

Sta$s$cs & Experimental Design with R Barbara Kitchenham

Sta$s$cs & Experimental Design with R Barbara Kitchenham Keele University 1 Quasi-Experiments 2 Quasi-Experiments Experiments where it is

558 views • 28 slides
Quasi-Elastic Neutrino Scattering at MINER A Cheryl Patrick, Northwestern University New

Quasi-Elastic Neutrino Scattering at MINER A Cheryl Patrick, Northwestern University New

Quasi-Elastic Neutrino Scattering at MINER A Cheryl Patrick, Northwestern University New Perspectives 2014, Fermilab 1 MINERvA detector 2 MINERvA detector Scintillator (CH) tracker allows reconstruction of tracks for one and two-track

614 views • 44 slides
Quasi-Cartan companions of cluster-tilted quivers Ahmet Seven Middle East Technical University,

Quasi-Cartan companions of cluster-tilted quivers Ahmet Seven Middle East Technical University,

Quasi-Cartan companions of cluster-tilted quivers Ahmet Seven Middle East Technical University, Ankara, Turkey April 2013 B : square matrix B is skew-symmetrizable if DA is skew-symmetric for some diagonal matrix D with positive diagonal

446 views • 17 slides
Lecture 12. Quasi-likelihood Nan Ye School of Mathematics and Physics University of Queensland

Lecture 12. Quasi-likelihood Nan Ye School of Mathematics and Physics University of Queensland

Lecture 12. Quasi-likelihood Nan Ye School of Mathematics and Physics University of Queensland 1 / 28 Looking Back: Course Overview Generalized linear models (GLMs) Building blocks systematic and random components, exponential familes

437 views • 28 slides
Camera Networks Dimensioning and Scheduling with Quasi Worst-Case Transmission Time Viktor Edpalm

Camera Networks Dimensioning and Scheduling with Quasi Worst-Case Transmission Time Viktor Edpalm

Camera Networks Dimensioning and Scheduling with Quasi Worst-Case Transmission Time Viktor Edpalm Alexandre Martins Martina Maggio Karl-Erik rzn Axis Communications Axis Communications | Lund University Lund University Lund University

1.07k views • 71 slides
Extremality and dynamically defined measures Diophantine preliminaries First results Main

Extremality and dynamically defined measures Diophantine preliminaries First results Main

Extremality and dynamically defined measures David Simmons Extremality and dynamically defined measures Diophantine preliminaries First results Main results David Simmons Quasi- decaying University of York measures Extremality and

903 views • 51 slides

More recommend