SLIDE 1

Fast and Secure Root Finding for Code-based Cryptosystems

Falko Strenzke

Cryptography and Computeralgebra, Department of Computer Science, Technische Universität Darmstadt, Germany, fstrenzke@crypto-source.de

April 13, 2015

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 1 / 38

SLIDE 2

Introduction

Code-based cryptography
- employs error-correcting codes
- its security is based on the syndrome decoding problem
- secure in the presence of quantum computers

Code-based cryptosystems: McEliece and Niederreiter
- both use the Patterson algorithm in decryption
- root finding of a polynomial over F_{2^m}

SLIDE 3

1. Introduction
2. Preliminaries
3. Previous Work
4. Variants of Root-finding
5. Side Channel Security Aspects of Root Finding
   - Message-aimed Attacks
   - Key-aimed Attacks
6. Performance
7. Conclusion

SLIDE 5

Error Correcting Codes

SLIDE 6

Goppa Codes

Parameters of a Goppa Code

- irreducible polynomial g(Y) ∈ F_{2^m}[Y] of degree t (the Goppa polynomial)
- support Γ = (α_0, α_1, ..., α_{n−1}), where the α_i are pairwise distinct elements of F_{2^m}

Properties of the Code

- the code has length n ≤ 2^m (code word length), dimension k = n − mt (message length) and can correct up to t errors
- a parity check matrix H, where cH^⊤ = 0 if c ∈ C
- example of secure parameters: n = 2048, t = 50 for 100-bit security

SLIDE 7

The McEliece PKC

key generation

- choose the parameters n and t
- randomly generate g(Y) and Γ (determining the secret code)
- for this private code C_s one has a private generator matrix G_s
- the public key is G_p = [I | G'_p] = T G_s

encryption: z = m G_p + e, wt(e) = t
decryption: knowing g(Y) and Γ, e and thus also m can be recovered

SLIDE 8

The McEliece PKC

SLIDE 9

Syndrome Decoding

secret key: $g(Y)$, $\Gamma = \{\alpha_0, \alpha_1, \ldots, \alpha_{n-1}\}$
error vector $e \in \mathbb{F}_{2^m}^n$, $\mathrm{wt}(e) = t$, chosen during encryption

$S(Y) \leftarrow \underbrace{(e \oplus c)H^\top}_{\in\, \mathbb{F}_{2^m}^t} \cdot (Y^{t-1}, \cdots, Y, 1)^\top$
$\tau(Y) \leftarrow \sqrt{S^{-1}(Y) + Y} \bmod g(Y)$   // by EEA
$(\alpha(Y), \beta(Y)) \leftarrow \mathrm{EEA}(g(Y), \tau(Y))$
$\sigma(Y) \leftarrow \alpha^2(Y) + Y \beta^2(Y)$
$e_i \leftarrow 1$ iff $\sigma(\alpha_i) = 0$

SLIDE 11

Previous Work

- Biswas, Sendrier, PQCrypto 2008: HyMES McEliece implementation
- Strenzke, Tews, Molter, Overbeck, Shoufan, PQCrypto 2008: message-aimed side-channel attack

SLIDE 13

Exhaustive Evaluation with and without Division

$\sigma(Y) = \prod_{i=0}^{w-1} (\alpha_{f_i} - Y)$

Require: the polynomial $\sigma(Y)$ over $\mathbb{F}_{2^m}$
Ensure: the set E, where $\gamma_i$ is a root of $\sigma(Y)$ if and only if $i \in E$

1: E = ∅
2: for i = 0 up to i = n − 1 do
3:   if σ(γ_i) = 0 then
4:     E ← E ∪ {i}
5:     σ(Y) ← σ(Y)/(Y ⊕ γ_i)
6:   end if
7: end for
8: return E

→ eval-rf (without line 5), eval-div-rf (with line 5)

SLIDE 14

Berlekamp Trace Algorithm

$\mathrm{Tr}(Y) = Y + Y^2 + Y^{2^2} + \ldots + Y^{2^{m-1}}$, and $\{\beta_1, \beta_2, \ldots, \beta_m\}$ is a standard basis of $\mathbb{F}_{2^m}$.

initial call: BTA(σ(Y), 1)
algorithm BTA(Ω(Y), i):

1: if deg(Ω(Y)) ≤ 1 then
2:   return root of Ω(Y)
3: end if
4: Ω_0(Y) ← gcd(Ω(Y), Tr(β_i · Y))
5: Ω_1(Y) ← gcd(Ω(Y), 1 + Tr(β_i · Y))
6: return BTA(Ω_0(Y), i + 1) ∪ BTA(Ω_1(Y), i + 1)

→ BTA-rf

SLIDE 15

Berlekamp Trace Algorithm - Hybrid Algorithms

Biswas, Herbert 2009:
- improvement of BTA with root-finding algorithms for low degrees
- efficient root finding for degree 2 with lookup tables
→ BTZ2-rf

SLIDE 16

Root Finding with Linearized Polynomials

Definition (linearized polynomial): $L(Y) = \sum_i L_i Y^{2^i}$, where $L_i \in \mathbb{F}_{2^m}$.

Definition (affine polynomial): $A(Y) = L(Y) + \beta$ with $\beta \in \mathbb{F}_{2^m}$.

Fedorenko, Trifonov 2002: $A(x_i) = A(x_{i-1}) + L(\Delta_i)$, $\Delta_i = x_i - x_{i-1} = \alpha_{\delta(x_i, x_{i-1})}$, where $\{\alpha_0, \alpha_1, \ldots, \alpha_{m-1}\}$ is a standard basis of $\mathbb{F}_{2^m}$ and $\mathrm{wt}(x_i \oplus x_{i-1}) = 1$

SLIDE 17

Root Finding with Linearized Polynomials

$f(Y) = f_3 Y^3 + \sum_{i=0}^{\lceil (t-4)/5 \rceil} Y^{5i} A_i(Y),$ (1)

where

$A_i(Y) = f_{5i} + \sum_{j=0}^{3} f_{5i+2^j} Y^{2^j}.$ (2)

→ dcmp-rf

SLIDE 18

Root Finding with Linearized Polynomials – Hybrid Variant

dcmp-div-rf : perform divisions by found roots (after each 5 roots)

SLIDE 20

Side Channel Security Aspects of Root Finding

- only timing attacks
- message-aimed attacks: observe decryption and recover the message
- key-aimed attacks: observe decryption and recover the key

SLIDE 22

Previously Known Message-aimed Attacks

deg(σ(Y)) = wt(e) when wt(e) ≤ t
→ known timing attack (TA) against eval-rf: decryption time ∼ wt(e)

SLIDE 23

Previously Known Message-aimed Attacks

SLIDE 24

Vulnerability of eval-div-rf

- countermeasure against this vulnerability: ensure deg(σ(Y)) = t
- number of roots very small when wt(e) > t
- also for wt(e) < t, due to the countermeasure
→ number of roots very small when wt(e) ≠ t

SLIDE 25

Vulnerability of eval-div-rf

remaining vulnerability of eval-div-rf (t = 33):

[Plot: cycles taken by eval-div-rf (1.6·10^6 to 3.6·10^6) against error weight w, w = 20 ... 40]

number of roots very small when wt(e) ≠ t → two-bit-flip attack is still successful: attacker learns when he flipped one error and one non-error position
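The two exhaustive variants of slide 13 and the leak discussed on slides 22 to 25, as an added Python example (not the deck's or the author's implementation): a constructed toy field GF(2^4) with modulus Y^4 + Y + 1 and the whole field as support, counting field multiplications as a stand-in for the measured cycles. eval-rf does the same work whatever the number of roots of σ(Y), while eval-div-rf gets cheaper with every root found, so the root count, and with it whether wt(e) = t, becomes observable.

```python
from functools import reduce

# Constructed toy parameters: GF(2^4), modulus Y^4 + Y + 1, support = whole field in lex order.
M, POLY_MOD = 4, 0b10011
SUPPORT = list(range(1 << M))
MUL_COUNT = [0]  # GF(2^m) multiplications performed: our stand-in for cycle counts

def gf_mul(a, b):  # shift-and-add multiplication in GF(2^m), reduced mod POLY_MOD
    MUL_COUNT[0] += 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        a ^= POLY_MOD if a >> M else 0
    return r

def poly_mul(a, b):  # polynomials as coefficient lists, lowest degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] ^= gf_mul(ca, cb)
    return out

def poly_eval(sigma, x):  # Horner scheme: exactly len(sigma) multiplications
    acc = 0
    for c in reversed(sigma):
        acc = gf_mul(acc, x) ^ c
    return acc

def poly_div_linear(sigma, root):  # synthetic division by (Y + root), root known
    deg, carry, q = len(sigma) - 1, 0, [0] * (len(sigma) - 1)
    for i in range(deg, 0, -1):
        carry = sigma[i] ^ gf_mul(carry, root)
        q[i - 1] = carry
    return q

def find_roots(sigma, support, divide):
    """eval-rf (divide=False) / eval-div-rf (divide=True) of slide 13; returns (E, #muls)."""
    MUL_COUNT[0] = 0
    sigma, roots = list(sigma), set()
    for i, gamma in enumerate(support):
        if poly_eval(sigma, gamma) == 0:
            roots.add(i)
            if divide:  # degree drops, so every later evaluation gets cheaper
                sigma = poly_div_linear(sigma, gamma)
    return roots, MUL_COUNT[0]

# Degree-4 locators: 4 roots in the support (wt(e) = t) vs. 2 roots (Y^2 + Y + 8 is irreducible, Tr(8) = 1).
SIGMA_FULL = reduce(poly_mul, [[1, 1], [2, 1], [4, 1], [8, 1]])
SIGMA_PARTIAL = reduce(poly_mul, [[1, 1], [2, 1], [8, 1, 1]])
```

Running find_roots on both polynomials with divide=False and divide=True shows the first pair of counts equal and the second pair differing, which is the distinguishing signal of slide 25 in miniature.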

SLIDE 26

Vulnerability of BTA-rf

[Plot: cycles taken by BTA-rf (1.9·10^6 to 2.35·10^6) against error weight w, w = 20 ... 40]

SLIDE 28

Error Positions and Support Elements

$e = (\ldots\, 1\, \ldots\, 1\, \ldots)$, indexes: $1 \ldots f_1 \ldots f_2 \ldots$, with corresponding support elements $\alpha_{f_1}$, $\alpha_{f_2}$

$\sigma(Y) = \prod_{i=0}^{w-1} (\alpha_{f_i} - Y)$

$\Gamma = \{\alpha_0, \alpha_1, \ldots, \alpha_{n-1}\}$

SLIDE 29

Vulnerability of eval-div-rf

- implementation evaluates σ(Y) in the order 0, 1, x, x + 1, ... (lexicographical ordering)
- "support-scan": t − 1 error positions fixed and the t-th position varies (same order)

[Plot: cycles taken by root-finding (2.05·10^6 to 2.15·10^6) against lex(α_{f_t}), 100 ... 600]

SLIDE 30

Vulnerability of BTA-rf ?

[Plot: cycles taken by root-finding (2.08·10^6 to 2.24·10^6) against lex(α_{f_t}), 100 ... 600]

SLIDE 32

Parameters and Platforms

- n = 2960, t = 56 with more than 122-bit security
- platform: Atmel AVR32 AP7000

SLIDE 33

Performance – Decryption Time

Decryption time on AP7000 @ 30 MHz and decryption cycles on Intel Core2 Duo:

variant       AP7000 [ms]   Core2 Duo [cycles]
eval-rf       1.42          2.12·10^6
eval-div-rf   0.90          1.63·10^6
BTA-rf        1.00          0.88·10^6
BTZ2-rf       0.82          0.63·10^6
dcmp-rf       0.95          0.65·10^6
dcmp-div-rf   0.77          0.54·10^6

SLIDE 34

Performance – Code Size

Code size on AP7000:

variant       code size [bytes]
eval-rf       2.35·10^4
eval-div-rf   2.35·10^4
BTA-rf        2.87·10^4
BTZ2-rf       3.04·10^4
dcmp-rf       2.92·10^4
dcmp-div-rf   2.92·10^4

SLIDE 35

Performance – RAM Usage

Stack and heap usage on AP7000:

variant       stack [bytes]   heap [bytes]
eval-rf       0.72·10^3       0.066·10^4
eval-div-rf   0.72·10^3       0.066·10^4
BTA-rf        1.98·10^3       0.926·10^4
BTZ2-rf       1.88·10^3       0.926·10^4
dcmp-rf       0.72·10^3       0.066·10^4
dcmp-div-rf   0.78·10^3       0.082·10^4

SLIDE 37

Conclusion

- many side-channel security issues in root-finding algorithms
- performance result: high RAM demands of BTA-rf
- dcmp-rf offers both side-channel security and good performance
- hardware implementation: parallelization issues

SLIDE 38

Thank you!

download the McEliece implementation and these slides: http://crypto-source.de
