for mceliece im implementations
play

for McEliece Im Implementations Thomas Eisenbarth Joint work with - PowerPoint PPT Presentation

Aug 29, 2023 •154 likes •593 views

Sid ide Channel Analysis and Protection for McEliece Im Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview Motivation QC-MDPC

  1. Sid ide Channel Analysis and Protection for McEliece Im Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University

  2. Overview • Motivation • QC-MDPC McEliece • Horizontal and Vertical Side Channel Analysis of McEliece • Masking a QC-MDPC McEliece implementation 2

  3. Motivation 3

  4. Post-Quantum Cryptography? • Internet Security rests on Public Key Cryptography • Digital Signatures (RSA, (EC)-DSA) • Key Exchange ((EC)DH) • Public Key Encryption (RSA) • Security Relies on Hardness of Factoring or Discrete Logarithm Problem • Quantum Computers: • Shor’s Algorithm solves DL/Factoring in polynomial time • Prediction: 10 – 30 years from now  Can You afford to disclose your current secrets in 10 years? 4

  5. Timeline for PQC Standardization • NSA 2015: Time to switch to “Quantum - Secure Cryptography” • August 2016: NIST Post Quantum Crypto Project NIST announces PQC Standardization Process Deadline: November 2017 5

  6. McEliece Cryptosystem • Code-based Cryptosystem • PK Encryption • Proposed by McEliece in 1978 • Fairly efficient • No efficient attacks • Large key size 6

  7. QC-MDPC McEliece 7

  8. QC-MDPC as Public Key Scheme [1] McEliece based on Quasi-Cyclic Moderate Density Parity-Check code Key Generation: Public Key −1 ⋅ 𝐼 0 𝑈 , 𝐽 ∈ 𝔾 2 • Parity Check Matrix 4801×4801 𝐻 = 𝐽 𝐼 1 4801×4801 𝐼 = 𝐼 0 𝐼 1 , 𝐼 0 , 𝐼 1 ∈ 𝔾 2 • 𝑥𝑢(ℎ 0 ) = 𝑥𝑢(ℎ 1 ) = 45 ℎ 1 ℎ 0 I 𝐼 0 𝐼 1 8 1. Misoczki, R. etc, "MDPC-McEliece: New McEliece variants from Moderate Density Parity-Check codes," Information Theory Proceedings (ISIT), 2013

  9. QC-MDPC McEliece Encryption 4801 , error vector 𝑓 ∈ 𝑆 𝔾 2 9602 , 𝑥𝑢(𝑓) ≤ 84 Message 𝑛 ∈ 𝔾 2 x ← 𝑛𝐻 + 𝑓 Decryption Compute the syndrome 𝑡 = 𝐼𝑦 𝑈 1. 2. Count # 𝑣𝑞𝑑 for each ciphertext bit If # 𝑣𝑞𝑑 exceeds threshold 𝑐 𝑗 , flip the ciphertext bit a) b) Add current row ℎ 𝑘 to the syndrome 3. Repeat 2. until either 𝑡 = 𝟏 or exceeding max. iterations 9

  10. Side Channel Analysis 10

  11. Side Channel Attacks ciphertext Leakage plaintext • Critical information leaked through side channels • Adversary can extract critical secrets (keys etc.) • Usually require physical access (proximity) 11

  12. Power Analysis of McEliece [HMP10] • AVR Software implementation of classic McEliece • SPA based approaches on various key parts • Finds HW of key information via SPA • Final key recovery requires significant guessing • DPA not possible , as key not classically mixed into state. 12 [3] Heyse, Moradi, Paar: Practical Power Analysis Attacks on Software Implementations of McEliece PQCrypto 2010

  13. Efficient FPGA Implementation [MG14] Key rotation Syndrome computation   T s H x        ( ) ( ) s s h i x h i x  0 1 4801 i i 13 [MG14] von Maurich, I.; Güneysu, T., "Lightweight code-based cryptography: QC-MDPC McEliece encryption on reconfigurable devices," DATE 2014

  14. Key Rotation (KR) of 4801-bit h 0 [0:4800]  4801 = 150×32 + 1 bits  150 clock cycles per rotation 1-bit carry 63 4800:30 95 31  63:94 31:62 150 bits overwrite register 63 4800 31  4801 rotations during KR;  4801×150 times overwriting;  Each bit has 150 chances Read-First overwriting the carry reg 150 32:63 0:31 64:95 BRAM during one decryption Horiz izontal l Attack: 32-  bit Use 150 leakages from one trace! 14

  15. Leakage Model i   For any key bit , the leakage when , , {0,1}, j [0,4800] h i j it overwrites carry register:   1-bit ... ... h h h   ℎ 𝑗,𝑘 carry , 32 , , 32 i j i j i j ℎ 𝑗,𝑘−32       ... ... h h ... h h h h      , 32 , 1 , 1 , 32 , 31 , i j i j i j i j i j i j 15

  16. Leakage Exploitation 16

  17. Experiment Setup  SASEBO-GII SCA evaluation board  Tektronix DPO 5104 oscilloscope -- Clocked at 3MHz -- Sampling rate: 100MS/s bit 31 overwrites carry 17

  18. Differential Trace 18

  19. Key Bits Recovery  Shape Definition  Shape Detection • Find a clear characteristic shape • Browse the differential trace to caused by a set bit in the find more characteristic shapes differential trace • Recover bit 0 and bit 1 • Define threshold based on this shape   ...... ...... h h h   , 32 , , 32 i j i j i j 1 0 0 …0… …0… …0… 0 0 0 0 0 0 0 0 0 …0… …0… …0… 1 0 0 0 …0… 0 1 0 …0… 0 0 …0… 0 0 0 …0… 0 19

  20. DPA results for (h 1 + h 0 ) Recovered key bits of 0 vs. false positives Recovered key bits of 1 vs. false positives 20

  21. Vertical Attack on Syndrome Computation Key rotation Syndrome computation   T s H x        ( ) ( ) s s h i x h i x  0 1 4801 i i Idea: set single bit in 𝑦 𝑗 and see ℎ 0 written in 𝑡  4801 different leakages for ℎ 0 22

  22. Vertical Attack on Syndrome Leakage • Leakage model: Hamming weight of 𝐼 written to empty syndrome: • Differential Trace: • Subtract base behavior (leakage w/o syndrome update)  Sparse 1’s leave clear mark in trace 23

  23. Vertical Attack: Leakage 24

  24. Vertical Attack: Leakage • Each 1 leaks in 32 neighboring bits • Low HW key makes attack feasible 25

  25. Full Key Recovery 26

  26. Relationship between h 0 and h 1 −1 · 𝐼 0 𝑈 𝑅 = 𝐼 1 Known public key:   T h h Q 0 1        T T h h ( ) h Q h h Q I 0 1 1 1 1 48 01 DPA recovers : h 0 + h 1 [0 0 1 0 * 0 0 1 0 0 …… * 0 0 1 0 0 1] h 0 ⊕ h 1 [0 0 * 0 * 0 0 * 0 0 …… * 0 0 * 0 0 *] h 1 [0 0 * 0 * 0 0 * 0 0 …… * 0 0 * 0 0 *] 27

  27. Solving the equation     T ( ) h h h Q I 0 1 1 48 01 = × 0 * 0 … … * 0 0 0 * … * 0 * … * 1 0 ….. 0 1 1 1 …… 0 0 > N 4801-N …… …… …… …… …… => N > 2400 1 0 …… 1 0 DPA recovers 4400 0s with some errors 0 1 …… 1 1 Select N=2401 from 4400 without error.     4398 4395 The probability is between         2401   2401 0.02 0.21     4400 4400       2401  2401  28

  28. Summary  Post-Quantum Cryptography does not solve implementation issues of cryptography  QC-MDPC code reduces the key size but makes DPA feasible  Vertical attack more generic  Horizontal attack more efficient  Full key recovery using secret key’s algebraic property [CEMS15] Chen, Eisenbarth, von Maurich, Steinwandt : Differential Power Analysis of a McEliece Cryptosystem ACNS 2015 [CEMS16] Chen, Eisenbarth, von Maurich, Steinwandt : Horizontal and Vertical Side Channel Analysis of a McEliece 29 Cryptosystem IEEE TIFS 2016

  29. Masking McEliece 30

  30. Masked syndrome computation parity-check matrix 𝐼 has quasi-cyclic structure use uniformly random masks m 0 , …, m n 0  1 to mask h 0 , …, h n 0  1 quasi-cyclic shifting yields mask matrix M split H into two shares H  H m  M masked syndrome s m  H m x T and syndrome mask m s  Mx T can be computed independently one mask suffices! 31

  31. Masked error-correction decoder 32

  32. SecAND: bitwise AND of syndrome and row of H • Adopt Threshold Implementation (TI) for bit-wise AND of 𝐼 and 𝑡 [NRR06]  requires three shares • expand syndrome representation s m  m s 1  m s 2 • expand key representation H m , j  M 1, j  M 2, j  Additional random vectors r 1 , r 2 • to ensure uniformity • Shares of the result (bitwise AND): • ( s m  H m , j )  ( s m  M 1, j )  ( H m , j  m s 1 )  r 1 • ( m s 1  M 1, j )  ( m s 1  M 2, j )  ( M 1, j  m s 2 )  r 2 • ( m s 2  M 2, j )  ( m s 2  H m , j )  ( M 2, j  s m )  r 1  r 2 33 [NRR06] Nikova, Rechberger, Rjimen Threshold Implementations against sidechannel attacks and glitches ISC 2006

  33. SecHW: Secure Hamming weight computation • Unprotected implementation: obtain Hamming weight wt as accumulation of look-ups with pre-computed table • Here: secure conversion from Boolean to arithmetic masking to facilitate secure accumulation [CGV14] Independent sums for each bit position wt ( sh )  ( sh 1, 1  sh 2, 1  sh 3, 1 )  …  ( sh 1, | sh |  sh 2, | sh |  sh 3, | sh | ) wt ( sh )  A 1,1  A 2,1 ,  …  A 1, | sh |  A 2, | sh |  ( A 1,1  …  A 1, | sh | )  ( A 2,1  …  A 2, | sh | ) 34 [CGV14] Coron Großschädl Vadnala Secure Conversion between Boolean and Arithmetic Masking of Any Order CHES 2014

  34. Overview of Decoder 35

  35. Overview of masked implementation 36

  36. Implementation results VHDL design, synthesized for Virtex-5 XC5VLX50 FPGA, FFs LUTs Slices BRAMs Freq. Unprotected 412 568 148 3 318 Masked 3045 4672 1549 3 73 Overhead 7.4x 8.2x 10.5x 1x 4.3x Overhead (4x) not out of line (cf. Moradi et al.’s AES implementation – EC 2011) 37

  37. Leakage Analysis 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

1 Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

775 views • 58 slides
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
Decoding random codes: asymptotics, benchmarks, challenges, and implementations D. J.

Decoding random codes: asymptotics, benchmarks, challenges, and implementations D. J.

Decoding random codes: asymptotics, benchmarks, challenges, and implementations D. J. Bernstein University of Illinois at Chicago Assume that were using the McEliece cryptosystem (or Neiderreiter or ) to encrypt a plaintext.

1.17k views • 71 slides
Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/ Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane

439 views • 28 slides
McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

1 2 McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical): me; Daniel J. Bernstein, Tung Chou, osaka-u.ac.jp ; uic.edu , rub.de Tanja Lange, tue.nl ; Joint work with: Ingo von Maurich;

1.87k views • 162 slides
McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

1 2 McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key: Daniel J. Bernstein, matrix G over F 2 . uic.edu , rub.de Normally m mG is injective. Tanja Lange, tue.nl Fundamental literature: 1962

2.16k views • 132 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul Stankovski 2 , Pavol Zajac 1 , Qian Guo 2 , Thomas Johansson

693 views • 37 slides
McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with: Tanja Lange, tue.nl My main question in this talk: Shouldnt NIST PQC simply standardize Classic McEliece, discard the other 25 proposals?

1.18k views • 79 slides
Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR, Universit de Rennes 1 Journes Nationales de Calcul Formel 2020 03/03/2020 Outline 1. McEliece cryptosystem and variants 2. Attack on the ReedSolomon

782 views • 52 slides
McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange,

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange,

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange, tue.nl Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

899 views • 61 slides
What is... the McEliece system? Violetta Weger University of Zurich Zurich Graduate Colloquium

What is... the McEliece system? Violetta Weger University of Zurich Zurich Graduate Colloquium

What is... the McEliece system? Violetta Weger University of Zurich Zurich Graduate Colloquium 20 November 2018 Violetta Weger What is... the McEliece system? Outline Violetta Weger What is... the McEliece system? 1 Coding Theory 2 Public

779 views • 28 slides
Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C. Deneuville, P . Gaborit Bordeaux Mathematics Institute March 21, 2019, Oberwolfach the McEliece paridigm Choose a code C that comes with a

680 views • 20 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th International Conference on Finite Fields and their Applications June 5, 2017 Violetta Weger Weight two Masking in the McEliece system Outline 1

1.31k views • 34 slides
Ins Instanc nce segm segmen enta tati tion on CV3DST | Prof. Leal-Taix 1 Se Semanti

Ins Instanc nce segm segmen enta tati tion on CV3DST | Prof. Leal-Taix 1 Se Semanti

Ins Instanc nce segm segmen enta tati tion on CV3DST | Prof. Leal-Taix 1 Se Semanti ntic c segmenta ntati tion Label every pixel, including the background (sky, grass, road) Do not differentiate between the pixels coming from

1.29k views • 106 slides
Sentence and Contextualised Word Representations Graham Neubig Site

Sentence and Contextualised Word Representations Graham Neubig Site

CS11-747 Neural Networks for NLP Sentence and Contextualised Word Representations Graham Neubig Site https://phontron.com/class/nn4nlp2019/ (w/ slides by Antonis Anastasopoulos) Sentence Representations We can create a vector or sequence

619 views • 43 slides
Compiler Assisted Masking A. Moss, E. Oswald, D. Page and M. Tunstall School of Computing,

Compiler Assisted Masking A. Moss, E. Oswald, D. Page and M. Tunstall School of Computing,

Compiler Assisted Masking A. Moss, E. Oswald, D. Page and M. Tunstall School of Computing, Blekinge Institute of Technology, Karlskrona, Sweden. andrew.moss@bth.se Department of Computer Science, University of Bristol, Merchant Venturers

522 views • 38 slides
Improving PixelCNN Vertical stack oblem with this m of masked convolution. Blind spot

Improving PixelCNN Vertical stack oblem with this m of masked convolution. Blind spot

Improving PixelCNN Vertical stack oblem with this m of masked convolution. Blind spot Horizontal stack Solution: use two stacks of Stacking layers of masked convolution, convolution creates convolution creates a blindspot a blindspot a

489 views • 48 slides
openvswitch.ko minus Open vSwitch Joe Stringer, VMware

openvswitch.ko minus Open vSwitch Joe Stringer, VMware

openvswitch.ko minus Open vSwitch Joe Stringer, VMware http://garfieldminusgarfield.net/post/26843739 2 Software-Defined Networking 3 Flows Classify a set of packets that have some common criteria Not all flows are created equal

755 views • 32 slides
COSC 5351 Advanced Computer Architecture Slides modified from Hennessy CS252 course slides

COSC 5351 Advanced Computer Architecture Slides modified from Hennessy CS252 course slides

COSC 5351 Advanced Computer Architecture Slides modified from Hennessy CS252 course slides Definition of a supercomputer: Fastest machine in world at given task A device to turn a compute-bound problem into an I/O bound problem Any

911 views • 55 slides
Deep Learning for Natural Language processing Jindich Libovick March 1, 2017 Introduction

Deep Learning for Natural Language processing Jindich Libovick March 1, 2017 Introduction

Deep Learning for Natural Language processing Jindich Libovick March 1, 2017 Introduction to Natural Language Processing Charles University Faculty of Mathematics and Physics Institute of Formal and Applied Linguistics unless otherwise

1.33k views • 103 slides
Welcome! Todays Agenda: Recap Flow Control AVX, Larrabee, GPGPU Further

Welcome! Todays Agenda: Recap Flow Control AVX, Larrabee, GPGPU Further

/INFOMOV/ Optimization & Vectorization J. Bikker - Sep-Nov 2018 - Lecture 6: SIMD (2) Welcome! Todays Agenda: Recap Flow Control AVX, Larrabee, GPGPU Further Reading INFOMOV Lecture 6 SIMD (2)

654 views • 32 slides

More recommend