  1. Fast and Secure Root Finding for Code-based Cryptosystems
     Falko Strenzke, Cryptography and Computeralgebra, Department of Computer Science, Technische Universität Darmstadt, Germany, fstrenzke@crypto-source.de
     April 13, 2015
     Fast and Secure Root Finding for Code-based Cryptosystems, Falko Strenzke, 1 / 38

  2. Introduction
     - code-based cryptography employs error-correcting codes; its security is based on the syndrome decoding problem
     - secure in the presence of quantum computers
     - code-based cryptosystems: McEliece and Niederreiter both use the Patterson algorithm in decryption
     - decryption requires finding the roots of a polynomial over $\mathbb{F}_{2^m}$

  3. Outline
     1 Introduction
     2 Preliminaries
     3 Previous Work
     4 Variants of Root-finding
     5 Side Channel Security Aspects of Root Finding
       Message-aimed Attacks
       Key-aimed Attacks
     6 Performance
     7 Conclusion

  4. Outline (repeated; next section: Preliminaries)

  5. Error Correcting Codes (slide content not preserved in the transcript)

  6. Goppa Codes
     Parameters of a Goppa code:
     - an irreducible polynomial $g(Y) \in \mathbb{F}_{2^m}[Y]$ of degree $t$ (the Goppa polynomial)
     - the support $\Gamma = (\alpha_0, \alpha_1, \ldots, \alpha_{n-1})$, where the $\alpha_i$ are pairwise distinct elements of $\mathbb{F}_{2^m}$
     Properties of the code:
     - the code has length $n \le 2^m$ (code word length), dimension $k = n - mt$ (message length) and can correct up to $t$ errors
     - a parity check matrix $H$, where $cH^\top = 0$ if and only if $c \in C$
     - example of secure parameters: $n = 2048$, $t = 50$ for 100-bit security

  7. The McEliece PKC
     Key generation:
     - choose the parameters $n$ and $t$
     - generate $g(Y)$ and $\Gamma$ at random (they determine the secret code)
     - for this private code $C_s$ one has a private generator matrix $G_s$
     - the public key is $G_p = [I \mid G'_p] = T G_s$ (the systematic form of $G_s$, $T$ invertible)
     Encryption: $\vec z = \vec m G_p + \vec e$ with $\mathrm{wt}(\vec e) = t$
     Decryption: knowing $g(Y)$ and $\Gamma$, $\vec e$ and thus also $\vec m$ can be recovered

  8. The McEliece PKC (slide content not preserved in the transcript)

  9. Syndrome Decoding (the Patterson algorithm)
     secret key: $g(Y)$, $\Gamma = \{\alpha_0, \alpha_1, \ldots, \alpha_{n-1}\}$
     $\vec e \in \mathbb{F}_2^n$: error vector with $\mathrm{wt}(\vec e) = t$, chosen during encryption
     $S(Y) \leftarrow (\vec e \oplus \vec c) H^\top \cdot (Y^{t-1}, \cdots, Y, 1)^\top$, where $(\vec e \oplus \vec c) H^\top \in \mathbb{F}_{2^m}^t$
     $\tau(Y) \leftarrow \sqrt{S^{-1}(Y) + Y} \bmod g(Y)$   // $S^{-1}(Y)$ by the EEA
     $(\alpha(Y), \beta(Y)) \leftarrow \mathrm{EEA}(g(Y), \tau(Y))$
     $\sigma(Y) \leftarrow \alpha^2(Y) + Y \beta^2(Y)$
     $e_i \leftarrow 1$ iff $\sigma(\alpha_i) = 0$

  10. Outline (repeated; next section: Previous Work)

  11. Previous Work
     - Biswas, Sendrier, PQCrypto 2008: HyMES McEliece implementation
     - Strenzke, Tews, Molter, Overbeck, Shoufan, PQCrypto 2008: message-aimed side-channel attack

  12. Outline (repeated; next section: Variants of Root-finding)

  13. Exhaustive Evaluation with and without Division
     $\sigma(Y) = \prod_{i=0}^{w-1} (\alpha_{f_i} - Y)$
     Require: the polynomial $\sigma(Y)$ over $\mathbb{F}_{2^m}$
     Ensure: the set $E$, where $\gamma_i$ is a root of $\sigma(Y)$ if and only if $i \in E$
     1: $E = \emptyset$
     2: for $i = 0$ up to $i = n - 1$ do
     3:   if $\sigma(\gamma_i) = 0$ then
     4:     $E \leftarrow E \cup \{i\}$
     5:     $\sigma(Y) \leftarrow \sigma(Y) / (Y \oplus \gamma_i)$   (only in the variant with division)
     6:   end if
     7: end for
     8: return $E$
     → eval-rf (without line 5), eval-div-rf (with line 5)

  14. Berlekamp Trace Algorithm
     $\mathrm{Tr}(Y) = Y + Y^2 + Y^{2^2} + \ldots + Y^{2^{m-1}}$, and $\{\beta_1, \beta_2, \ldots, \beta_m\}$ is a standard basis of $\mathbb{F}_{2^m}$.
     initial call: BTA($\sigma(Y)$, 1)
     algorithm BTA($\Omega(Y)$, $i$):
     1: if $\deg(\Omega(Y)) \le 1$ then
     2:   return root of $\Omega(Y)$
     3: end if
     4: $\Omega_0(Y) \leftarrow \gcd(\Omega(Y), \mathrm{Tr}(\beta_i \cdot Y))$
     5: $\Omega_1(Y) \leftarrow \gcd(\Omega(Y), 1 + \mathrm{Tr}(\beta_i \cdot Y))$
     6: return BTA($\Omega_0(Y)$, $i + 1$) $\cup$ BTA($\Omega_1(Y)$, $i + 1$)
     → BTA-rf
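
The following is an added worked example of BTA-rf as described on slide 14; it is not code from the talk or from HyMES. It assumes a small field $\mathbb{F}_{2^8}$ defined by the irreducible polynomial $x^8+x^4+x^3+x^2+1$ (0x11D), takes the polynomial basis $\{1, x, \ldots, x^{m-1}\}$ as the slide's standard basis (indexed from 0 here rather than 1), and uses a constructed support that is a permutation of the field. The trace polynomial $\mathrm{Tr}(\beta_i Y)$ is kept reduced modulo $\Omega(Y)$ while it is built, which is what makes the gcd steps cheap.

```python
"""BTA-rf: Berlekamp Trace Algorithm for an error locator over F_2^m (added example)."""

M = 8
POLY = 0x11D                        # x^8+x^4+x^3+x^2+1, irreducible: assumed field, m = 8
BASIS = [1 << k for k in range(M)]  # polynomial basis {1, x, ..., x^(m-1)}, plays the slide's beta_i

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a * (b & 1)
        a, b = (a << 1) ^ (POLY if (a >> (M - 1)) & 1 else 0), b >> 1
    return r

def gf_inv(a):
    r, e = 1, (1 << M) - 2          # a^(2^m - 2) = a^(-1), a != 0
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

# Polynomials over F_2^m: coefficient lists, index = degree; [] is the zero polynomial.
def strip(p):
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def add(p, q):
    n = max(len(p), len(q))
    return strip([(p[i] if i < len(p) else 0) ^ (q[i] if i < len(q) else 0) for i in range(n)])

def mul(p, q):
    r = [0] * (len(p) + len(q) - 1) if p and q else []
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return strip(r)

def mod(p, q):
    """Remainder of p modulo q (q != 0) by long division over F_2^m."""
    p, q = strip(p), strip(q)
    inv = gf_inv(q[-1])
    while len(p) >= len(q):
        c, s = gf_mul(p[-1], inv), len(p) - len(q)
        for i, b in enumerate(q):
            p[i + s] ^= gf_mul(c, b)
        p = strip(p)
    return p

def gcd(p, q):
    """Monic gcd by the Euclidean algorithm (at least one argument nonzero)."""
    p, q = strip(p), strip(q)
    while q:
        p, q = q, mod(p, q)
    inv = gf_inv(p[-1])
    return [gf_mul(c, inv) for c in p]

def trace_mod(beta, omega):
    """Tr(beta*Y) = sum_{k<m} (beta*Y)^(2^k), reduced modulo omega(Y) after every squaring."""
    term, total = mod([0, beta], omega), []
    for _ in range(M):
        total = add(total, term)
        term = mod(mul(term, term), omega)
    return total

def bta(omega, i=0):
    """Roots in F_2^m of a squarefree omega that splits over F_2^m (an error locator does).
    Level i separates the roots r by Tr(BASIS[i] * r) in {0, 1}; two distinct roots are told
    apart by some basis element, so the recursion bottoms out after at most m levels."""
    omega = strip(omega)
    if len(omega) <= 1:                         # constant: no roots
        return set()
    if len(omega) == 2:                         # a1*Y + a0 -> the root a0 / a1
        return {gf_mul(omega[0], gf_inv(omega[1]))}
    if i == M:
        raise ValueError("omega is not squarefree or has roots outside F_2^m")
    tr = trace_mod(BASIS[i], omega)
    omega0 = gcd(omega, tr)                     # roots r with Tr(beta_i r) = 0
    omega1 = gcd(omega, add(tr, [1]))           # roots r with Tr(beta_i r) = 1
    return bta(omega0, i + 1) | bta(omega1, i + 1)

def error_locator(positions, support):
    """sigma(Y) = prod_i (Y + alpha_{f_i}) from error positions f_i and the support Gamma."""
    sigma = [1]
    for f in positions:
        sigma = mul(sigma, [support[f], 1])
    return sigma

def error_positions(sigma, support):
    """e_i = 1 iff sigma(alpha_i) = 0, with the roots found by BTA instead of evaluation."""
    roots = bta(sigma)
    return sorted(i for i, a in enumerate(support) if a in roots)

if __name__ == "__main__":
    gamma = [(7 * i + 3) % (1 << M) for i in range(1 << M)]   # constructed support: a permutation of F_2^8
    print(error_positions(error_locator([0, 5, 60, 100, 255], gamma), gamma))
```

The recursion only terminates at degree ≤ 1 because an error locator is squarefree and splits over the field; on a polynomial without that property (what the Patterson step yields for an invalid ciphertext) the code raises instead of looping, which is exactly the kind of data-dependent control flow the side-channel part of the talk is about.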

  15. Berlekamp Trace Algorithm – Hybrid Algorithms
     Biswas, Herbert 2009: improvement of BTA with dedicated root-finding algorithms for low degrees; efficient root finding for degree 2 with lookup tables
     → BTZ2-rf

  16. Root Finding with Linearized Polynomials
     Definition (linearized polynomial): $L(Y) = \sum_i L_i Y^{2^i}$, where $L_i \in \mathbb{F}_{2^m}$.
     Definition (affine polynomial): $A(Y) = L(Y) + \beta$ with $\beta \in \mathbb{F}_{2^m}$.
     Fedorenko, Trifonov 2002: $A(x_i) = A(x_{i-1}) + L(\Delta_i)$, $\Delta_i = x_i - x_{i-1} = \alpha_{\delta(x_i, x_{i-1})}$, where $\{\alpha_0, \alpha_1, \ldots, \alpha_{m-1}\}$ is a standard basis of $\mathbb{F}_{2^m}$ and $\mathrm{wt}(x_i \oplus x_{i-1}) = 1$
     (i.e. the $x_i$ run through the field in Gray-code order, so each step costs one addition of a precomputed $L(\alpha_k)$)

  17. Root Finding with Linearized Polynomials
     $f(Y) = f_3 Y^3 + \sum_{i=0}^{\lceil (t-4)/5 \rceil} Y^{5i} A_i(Y)$,   (1)
     where
     $A_i(Y) = f_{5i} + \sum_{j=0}^{3} f_{5i+2^j} Y^{2^j}$.   (2)
     (each $A_i$ is an affine polynomial; block $i$ covers the exponents $5i + \{0, 1, 2, 4, 8\}$, and $5i + 8 = 5(i+1) + 3$ supplies the exponent $\equiv 3 \pmod 5$ of the next block, which leaves only $Y^3$ to be handled separately)
     → dcmp-rf
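
Below is an added worked example of dcmp-rf, combining the Gray-code evaluation of slide 16 with the decomposition (1)/(2) of slide 17; it is not code from the talk. It assumes $\mathbb{F}_{2^8}$ defined by 0x11D, the polynomial basis $\alpha_k = x^k$ (so an integer's bits are its coordinates), and test polynomials constructed as products of linear factors. Each $A_i$ is evaluated at all $2^m$ points with one XOR per point after $m$ seed values; only $Y^3$ and the powers $Y^{5i}$ need field multiplications.

```python
"""dcmp-rf: root finding through the affine-polynomial decomposition of slides 16/17 (added example)."""

M = 8
POLY = 0x11D   # x^8+x^4+x^3+x^2+1, irreducible: assumed field (m = 8), not the talk's parameters

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a * (b & 1)
        a, b = (a << 1) ^ (POLY if (a >> (M - 1)) & 1 else 0), b >> 1
    return r

def linearized(L, x):
    """L(x) = sum_j L_j x^(2^j), evaluated directly; only used for the m seed values L(alpha_k)."""
    acc, pw = 0, x
    for c in L:
        acc ^= gf_mul(c, pw)
        pw = gf_mul(pw, pw)           # x^(2^j) -> x^(2^(j+1))
    return acc

def affine_eval_all(L, beta):
    """A(x) = L(x) + beta for every x in F_2^m, walking x in Gray-code order:
    A(x_i) = A(x_{i-1}) + L(Delta_i) with Delta_i = alpha_k the one basis element in which
    x_i and x_{i-1} differ, so after m seed values every further point costs one XOR.
    Returns a table indexed by x (an int is its own coordinate vector over alpha_k = x^k)."""
    L_basis = [linearized(L, 1 << k) for k in range(M)]
    x, val, table = 0, beta, [0] * (1 << M)
    table[0] = beta
    for i in range(1, 1 << M):
        k = (i & -i).bit_length() - 1        # Gray code: step i flips the lowest set bit of i
        x ^= 1 << k
        val ^= L_basis[k]
        table[x] = val
    return table

def dcmp_rf(f):
    """Roots in F_2^m of f (f[e] is the coefficient of Y^e, deg f = t), using
        f(Y) = f_3 Y^3 + sum_{i=0}^{ceil((t-4)/5)} Y^{5i} A_i(Y),
        A_i(Y) = f_{5i} + sum_{j=0}^{3} f_{5i+2^j} Y^{2^j}.
    Each A_i is affine, so its values come from one Gray-code walk; per point only
    Y^3 and the powers Y^{5i} cost multiplications."""
    t = len(f) - 1
    c = lambda e: f[e] if e <= t else 0
    n_blocks = max(-(-(t - 4) // 5), 0) + 1                       # ceil((t-4)/5) + 1
    tables = [affine_eval_all([c(5 * i + (1 << j)) for j in range(4)], c(5 * i))
              for i in range(n_blocks)]
    roots = []
    for x in range(1 << M):
        x2 = gf_mul(x, x)
        x3 = gf_mul(x2, x)
        x5 = gf_mul(x3, x2)
        val, pw = gf_mul(c(3), x3), 1                            # pw runs through x^{5i}
        for tab in tables:
            val ^= gf_mul(pw, tab[x])
            pw = gf_mul(pw, x5)
        if val == 0:
            roots.append(x)
    return roots

def locator(roots):
    """sigma(Y) = prod (Y + r) as a coefficient list (char 2: minus is plus), for test inputs."""
    sigma = [1]
    for r in roots:
        sigma = [0] + sigma                       # Y * sigma ...
        for k in range(len(sigma) - 1):           # ... + r * sigma
            sigma[k] ^= gf_mul(r, sigma[k + 1])
    return sigma

if __name__ == "__main__":
    print(dcmp_rf(locator([0, 5, 9, 33, 100, 250])))
```

Note that this variant visits every field element regardless of how many roots it finds, which is the property the later side-channel slides care about; the hybrid dcmp-div-rf of slide 18 trades that regularity for speed by dividing out roots.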

  18. Root Finding with Linearized Polynomials – Hybrid Variant
     dcmp-div-rf: perform divisions by the found roots (after every 5 roots found)

  19. Outline (repeated; next section: Side Channel Security Aspects of Root Finding)

  20. Side Channel Security Aspects of Root Finding
     - only timing attacks are considered
     - message-aimed attacks: observe decryption and recover the message
     - key-aimed attacks: observe decryption and recover the key

  21. Outline (repeated; next subsection: Message-aimed Attacks)

  22. Previously Known Message-aimed Attacks
     $\deg(\sigma(Y)) = \mathrm{wt}(\vec e)$ when $\mathrm{wt}(\vec e) \le t$
     → known timing attack (TA) against eval-rf: the decryption time grows with $\mathrm{wt}(\vec e)$, so an attacker who flips ciphertext bits learns from the timing whether he removed or added an error

  23. Previously Known Message-aimed Attacks (slide content not preserved in the transcript)

  24. Vulnerability of eval-div-rf
     - countermeasure against the previously known attack: ensure $\deg(\sigma(Y)) = t$ regardless of $\mathrm{wt}(\vec e)$
     - the number of roots is very small when $\mathrm{wt}(\vec e) > t$
     - also for $\mathrm{wt}(\vec e) < t$, due to the countermeasure
     → the number of roots is very small when $\mathrm{wt}(\vec e) \ne t$

  25. Vulnerability of eval-div-rf
     remaining vulnerability of eval-div-rf ($t = 33$):
     [plot: cycles taken by eval-div-rf (1.6e+06 to 3.6e+06) against the error weight $w$ (20 to 40)]
     - the number of roots is very small when $\mathrm{wt}(\vec e) \ne t$
     → the two-bit-flip attack is still successful: the attacker learns whether he flipped one error and one non-error position
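
As an added example (not code from the talk or from HyMES), the two variants of slide 13 with a multiplication counter standing in for the cycle counts of the plots above. It assumes $\mathbb{F}_{2^8}$ defined by 0x11D, a constructed support $\gamma_i = i$ over the whole field ($n = 256$), $t = 10$, constructed error positions, and, for the "$\mathrm{wt}(\vec e) \ne t$" case, a constructed degree-$t$ polynomial with only two roots in the field (a stand-in for what the $\deg(\sigma) = t$ countermeasure produces; no Patterson decoding is performed here). The counts show both leaks: eval-rf costs $n \cdot \deg(\sigma)$ whatever the roots are, and eval-div-rf costs more when fewer roots are found.

```python
"""eval-rf vs. eval-div-rf over F_2^m, counting field multiplications as a timing proxy (added example)."""

M = 8
POLY = 0x11D                     # x^8+x^4+x^3+x^2+1, irreducible: assumed field (m = 8)
SUPPORT = list(range(1 << M))    # constructed support: gamma_i = i, n = 2^m = 256
MULS = [0]                       # running count of field multiplications (the "clock")

def gf_mul(a, b):
    MULS[0] += 1
    r = 0
    while b:
        r ^= a * (b & 1)
        a, b = (a << 1) ^ (POLY if (a >> (M - 1)) & 1 else 0), b >> 1
    return r

def poly_mul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return r

def poly_eval(sigma, x):
    """Horner's rule: exactly deg(sigma) multiplications (sigma[k] is the coefficient of Y^k)."""
    acc = sigma[-1]
    for c in reversed(sigma[:-1]):
        acc = gf_mul(acc, x) ^ c
    return acc

def poly_div_root(sigma, gamma):
    """sigma(Y) / (Y + gamma) by synthetic division (deg(sigma) + 1 multiplications)."""
    d = len(sigma) - 1
    q, b = [0] * d, 0
    for k in range(d, 0, -1):            # b_{k-1} = a_k + gamma * b_k, starting from b_d = 0
        b = sigma[k] ^ gf_mul(b, gamma)
        q[k - 1] = b
    if sigma[0] ^ gf_mul(b, gamma):      # remainder a_0 + gamma * b_0 must vanish
        raise ValueError("gamma is not a root of sigma")
    return q

def eval_rf(sigma, support=SUPPORT):
    """Slide 13 without line 5: n * deg(sigma) multiplications, whatever the roots are."""
    start = MULS[0]
    roots = {g for g in support if poly_eval(sigma, g) == 0}
    return roots, MULS[0] - start

def eval_div_rf(sigma, support=SUPPORT):
    """Slide 13 with line 5: every root found lowers deg(sigma), so fewer roots cost more."""
    start = MULS[0]
    roots = set()
    for g in support:
        if poly_eval(sigma, g) == 0:
            roots.add(g)
            sigma = poly_div_root(sigma, g)
    return roots, MULS[0] - start

def locator(roots):
    """sigma(Y) = prod (Y + r), the error locator for error positions r (char 2: minus is plus)."""
    sigma = [1]
    for r in roots:
        sigma = poly_mul(sigma, [r, 1])
    return sigma

def rootless_quadratic():
    """Y^2 + Y + c with no root in F_2^m (exists iff Tr(c) = 1); found by brute force."""
    for c in range(1, 1 << M):
        if all(gf_mul(x, x) ^ x ^ c for x in range(1 << M)):
            return [c, 1, 1]

def forced_degree(t, roots):
    """Degree-t polynomial whose only roots in F_2^m are `roots` (t - len(roots) even): stands in
    for the sigma that the deg(sigma) = t countermeasure yields when wt(e) != t (slide 24)."""
    sigma, q = locator(roots), rootless_quadratic()
    while len(sigma) - 1 < t:
        sigma = poly_mul(sigma, q)
    return sigma

def timing_profile(t=10):
    """Multiplication counts of both variants for wt(e) = t and for wt(e) != t (constructed cases)."""
    err = [3, 17, 42, 77, 100, 128, 150, 200, 222, 255][:t]
    return {
        "rf_wt_t":    eval_rf(locator(err))[1],                      # eval-rf, wt(e) = t
        "rf_wt_lt_t": eval_rf(locator(err[:t - 4]))[1],              # eval-rf, wt(e) = t-4, no countermeasure
        "div_wt_t":   eval_div_rf(locator(err))[1],                  # eval-div-rf, wt(e) = t (t roots)
        "div_wt_ne_t": eval_div_rf(forced_degree(t, err[:2]))[1],    # eval-div-rf, deg forced to t, 2 roots
    }

if __name__ == "__main__":
    for case, muls in timing_profile().items():
        print(f"{case:12s} {muls:6d} multiplications")
```

With these inputs eval-rf needs 2560 multiplications at $\mathrm{wt}(\vec e) = t$ but only 1536 at $\mathrm{wt}(\vec e) = t - 4$ (the known attack), while eval-div-rf needs 1269 when all $t$ roots are present and 2091 when the degree is forced to $t$ but only two roots exist: the minimum at $w = t$ in the plot above, which is what the two-bit-flip attack measures.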

  26. Vulnerability of BTA-rf
     [plot: cycles taken by bta-rf (1.9e+06 to 2.35e+06) against the error weight $w$ (20 to 40)]

  27. Outline (repeated; next subsection: Key-aimed Attacks)

  28. Error Positions and Support Elements
     $\vec e = (0\ 0\ \ldots\ 0\ 1\ 0\ \ldots\ 0\ 1\ 0\ \ldots)$, indexes $0, 1, \ldots, f_1, \ldots, f_2, \ldots$; the error positions $f_1, f_2$ correspond to the support elements $\alpha_{f_1}, \alpha_{f_2}$
     $\sigma(Y) = \prod_{i=0}^{w-1} (\alpha_{f_i} - Y)$
     $\Gamma = \{\alpha_0, \alpha_1, \ldots, \alpha_{n-1}\}$
