hqc h amming q uasi c yclic
play

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key - PowerPoint PPT Presentation

Oct 13, 2023 •38 likes •188 views

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th , 2019 NIST 2 nd PQC Standardization Conference Santa-Barbara https://pqc-hqc.org C. Aguilar Melchor ISAE-Supa ero, University of Toulouse N.

  1. HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th , 2019 NIST 2 nd PQC Standardization Conference Santa-Barbara https://pqc-hqc.org C. Aguilar Melchor ISAE-Supa´ ero, University of Toulouse N. Aragon University of Limoges S. Bettaieb Worldline L. Bidoux Worldline O. Blazy University of Limoges J.-C. Deneuville ENAC, University of Toulouse P. Gaborit University of Limoges E. Persichetti Florida Atlantic University G. Z´ emor IMB, University of Bordeaux

  2. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations Outline HQC design rationale and recap 1 NIST’s first round comments and modifications 2 Implementation-related changes 3 Advantages and limitations 4 August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 2 / 19

  3. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations HQC Classification / Design Rationale Encryption schemes Important features : Decryption IND-CPA code-based PKE Coding Failure theory Reduction to a well-known and difficult Analysis problem: HQC Decoding random quasi-cyclic codes No hidden trap in the code Efficient decoding (BCH + repetition code) Accurate failure rate Security Efficiency reduction August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 4 / 19

  4. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations HQC Encryption Scheme [ABD + 18] Encryption scheme in H amming metric, using Q uasi- C yclic Codes ⋄ Notation: Secret data - Public data - One-time Randomness ⋄ G is the generator matrix of some public code C ⋄ S n w ( F 2 ) = { x ∈ F n 2 such that ω ( x ) = w } Alice Bob $ seed h ← { 0 , 1 } λ , h ← F n seed h 2 $ ← S n seed h , s x , y w ( F 2 ), s ← x + hy − − − − − − − − − → $ $ ← S n ← S n r 1 , r 2 w ( F 2 ), e w ( F 2 ) u ← r 1 + hr 2 , v ← mG + sr 2 + e u , v ← − − − − − − m ← C . Decode ( v − uy ) August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 5 / 19

  5. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations NIST’s first round comments ”HQC presents a strong argument that its decryption failure rate is low enough to obtain chosen- ciphertext security. This is the strongest argument, at present, of CCA security among the second-round candidate code-based cryptosystems, where information set decoding is the limiting attack for both private key recovery and message recovery (BIKE, HQC, and LEDAcrypt)”. ”However, it pays a significant penalty in key and ciphertext size in comparison to the others (although it still compares very favorably in key size and overall communication bandwidth to the candidate code-based cryptosystems based on Goppa codes).” August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 7 / 19

  6. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations Nist’s comments (seq) ”Possible areas for further analysis related to HQC include investigating the relation between the search and decisional variants of the QCSD problem, and investigating the effect, if any, of the quasi-cyclic code structure on security.” → bandwidth ratio with BIKE is roughly between 3 and 1.5 depending of the version of BIKE → relation between search and decisional problem for QC is an old open question, natural question on the impact of the structure on security (similar case to Euclidean and Rank metrics). August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 8 / 19

  7. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations 2nd round modifications ⋄ parameters with DFR below 2 − 128 have been withdrawn ⋄ minor modification on the proof to counter the easy parity distinguisher ⋄ precision in the scheme for the bits not covered by the decoding August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 9 / 19

  8. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations Parameters All sizes in bytes NIST pk size sk size Instance ct size DFR Cat. sizeof( h , s ) (sizeof(seed h , s )) sizeof( x , y ) (sizeof(seed sk )) 2 − 128 1 HQC-128-1 6,170 (3,125) 252 (40) 6,234 2 − 192 3 HQC-192-2 11,688 (5,884) 404 (40) 11,752 2 − 256 5 HQC-256-3 17,714 (8,897) 566 (40) 17,778 Best known classical attack: [CS16] → work factor 2 − 2 w log ( 1 − k n ) (1+ o (1)) (Prange [Pra62]) Only minor improvement of a factor √ n known from quasi-cyclicity [Sendrier DOOM 2011] �� n � n − k � � Best known quantum attack: ISD with [Gro96] → work factor / 2 w 2 w August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 10 / 19

  9. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations Reference implementation ⋄ New reference implementation ⋄ Depends on NTL and GF2X libraries ⋄ New BCH decoding implementation ⋄ Faster GF arithmetic using hard coded lookup tables ⋄ Syndromes computation uses the faster additive FFT transpose [BCS13, GM10] ⋄ Roots computation uses the faster additive FFT [BCS13, GM10] August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 12 / 19

  10. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations Optimized implementation ⋄ AVX2 implementation available ⋄ Significantly improved recently AVX2 Implementation Improvement % wrt 2019/07/05 Keygen Encaps Decaps Keygen Encaps Decaps HQC 128-1 200,580 383,860 508,954 19 29 25 HQC 192-2 403,358 765,146 983,678 21 25 24 HQC 256-3 651,470 1,257,152 1,618,366 21 22 22 Figure: Performances CPU cycles and comparison to optimized implementation from 2019/07/05 package using an i7-7820 @3.6Ghz CPU ⋄ Other implementation from Robert and V´ eron with similar timings. August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 13 / 19

  11. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations Constant time implementation ⋄ New constant time BCH decoding algorithm ⋄ Constant time variant of Berlekamp’s simplified algorithm ⋄ Constant time implementation of FFT based algorithms for syndrome computation and roots finding Figure: Performances CPU cycles of constant time decoding algorithm of BCH codes used in HQC August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 14 / 19

  12. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations Constant time decoding overhead ⋄ Minimal overhead performance Decaps Overhead % Non constant time Constant time HQC 128-1 508,954 542,880 7 HQC 192-1 934,222 965,272 4 HQC 192-2 983,678 1,020,738 4 HQC 256-1 1,492,840 1,521,206 2 HQC 256-2 1,564,672 1,605,164 3 HQC 256-3 1,618,366 1,665,788 3 Figure: Performances CPU cycles and overhead when original or constant time BCH decoding is used in the decapsulation step August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 15 / 19

  13. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations Timing attack against HQC (eprint 2019/909 [WTBBG19]) ⋄ Side-channel chosen ciphertext attack against HQC 5 2 ) (runs in less one minute for HQC-128-1) ⋄ Attack complexity O ( n ⋄ Exploits correlation between the error to be decoded and the running time of the BCH decoding algorithm ⋄ Countermeasure based on constant time BCH decoding algorithm August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 16 / 19

  14. HQC design rationale and recap NIST’s first round comments and modifications Implementation-related changes Advantages and limitations Pros and cons Advantages: Security reduction to decoding random quasi-cyclic codes Simple and efficient decoding (BCH + Limitations: repetition code) Non-zero decryption failure rate No more hidden trap Larger ciphertexts than BIKE-1 and Makes use of cyclicity for efficiency BIKE-3 KEMs ( ≈ × 2) Well-understood, theoretically bounded, and Larger public key than BIKE KEM fast decreasing DFR ( ≈ × 2), but still reasonable Efficient constant time decryption implementation Attacks on Hamming metric are well understood (50+ years) → Overall: balanced scheme with no major weakness and very good features in term of security reduction or constant time implementation August the 24th, 2019 P. Gaborit H amming Q uasi- C yclic 18 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bay Area UASI UASI FY18 Hub Project Proposal Selections Approval l Auth thorit ity Revie

Bay Area UASI UASI FY18 Hub Project Proposal Selections Approval l Auth thorit ity Revie

Bay Area UASI UASI FY18 Hub Project Proposal Selections Approval l Auth thorit ity Revie view June 14, 2018 FY18 Proposal Selection Process Estimated FY18 funding amount using FY17 as guideline UASI grant compliance review

780 views • 63 slides
UASI FY14 Project Proposal KICK OFF October 3rd, 2013; 9:30-11:30AM Alameda County Sheriffs

UASI FY14 Project Proposal KICK OFF October 3rd, 2013; 9:30-11:30AM Alameda County Sheriffs

UASI FY14 Project Proposal KICK OFF October 3rd, 2013; 9:30-11:30AM Alameda County Sheriffs Office OES 4985 Broder Blvd., Dublin, CA 94568 Assembly Room Welcome Introductions UASI Management Team Janell Myhre, Regional Program

297 views • 25 slides
Ma Match chin ing ti ti e Q e Qua uasi P i Par tp tp n Dis ts ts ibu tj tj on in a Momentu tum

Ma Match chin ing ti ti e Q e Qua uasi P i Par tp tp n Dis ts ts ibu tj tj on in a Momentu tum

Ma Match chin ing ti ti e Q e Qua uasi P i Par tp tp n Dis ts ts ibu tj tj on in a Momentu tum Su Sub ts ts ac ac tj tj on n Sc Sche heme me Yong Zhao Massachusetts Institute of Technology The 36th Annual International Symposium on

668 views • 27 slides
CRE IGHT ON SCHOOL DIST RICT RE IMAGINAT ION Ag e nda T o pic s Pr ogr amming with T

CRE IGHT ON SCHOOL DIST RICT RE IMAGINAT ION Ag e nda T o pic s Pr ogr amming with T

CRE IGHT ON SCHOOL DIST RICT RE IMAGINAT ION Ag e nda T o pic s Pr ogr amming with T hinkSmar t Campus T our & Staff Shadowing L e ar ning Ne ighbor hood E nvir onme nts Co lla b o ra tive Co mpo ne nts Biltmor e Pr

607 views • 29 slides
tScr cratch ch: T Tang ngibl ble P Program amming ng Envi vironmen ent T Targeted ed f

tScr cratch ch: T Tang ngibl ble P Program amming ng Envi vironmen ent T Targeted ed f

tScr cratch ch: T Tang ngibl ble P Program amming ng Envi vironmen ent T Targeted ed f for St Students w who a are Bl e Blin ind or or Visually I y Impa paired ( d (BVIs) DIANNE PAWLUK, VIRGINIA COMMONWEALTH UNIVERSITY (PI)

613 views • 10 slides
C Progra amming A Modern Approach K. N. King, C Progra C P ramming i Approach , A Modern

C Progra amming A Modern Approach K. N. King, C Progra C P ramming i Approach , A Modern

C Progra amming A Modern Approach K. N. King, C Progra C P ramming i Approach , A Modern W. W. Norton & C Company, 1996. Original Notes by Raj Sunderraman Converted to present p ation and updated by p y Michael Weeks Note

853 views • 49 slides
Uplift your Li Linux systems pr progr gramming s amming skills kills w wit ith sy systemd

Uplift your Li Linux systems pr progr gramming s amming skills kills w wit ith sy systemd

Uplift your Li Linux systems pr progr gramming s amming skills kills w wit ith sy systemd and D and D-Bu Bus FOSDEM 2020, Go Devroom (2 nd Feb, 2020) Leonid Vasilyev, <vsleonid@gmail.com> Ag Agenda Scope of this talk

1.26k views • 25 slides
Programming II Objec ect Orien ented ed Progr gram amming ming with Java - Advance ced d

Programming II Objec ect Orien ented ed Progr gram amming ming with Java - Advance ced d

Programming II Objec ect Orien ented ed Progr gram amming ming with Java - Advance ced d Topics cs - Java a 8: Functional al Interfac erfaces, s, Method d Referen erence ces s and Lambda da Expr pressi ssions Alastair

773 views • 32 slides
Progr gram amming ing Rec econf nfigur igurable able Devi vices ces via FPGA Regio vi

Progr gram amming ing Rec econf nfigur igurable able Devi vices ces via FPGA Regio vi

Progr gram amming ing Rec econf nfigur igurable able Devi vices ces via FPGA Regio vi ions ns & De Devi vice e Tre ree Ove verl rlays A User View Benchmark on a Declarative FPGA Reconfiguration Framework Stefan Wiehler

528 views • 9 slides
B AY A REA UASI Barry Fraser General Manager BayRICS Authority July 9, 2015 2 F IRST N ET P

B AY A REA UASI Barry Fraser General Manager BayRICS Authority July 9, 2015 2 F IRST N ET P

B AY RICS U PDATE FOR B AY A REA UASI Barry Fraser General Manager BayRICS Authority July 9, 2015 2 F IRST N ET P ROGRESS Two public comment notices issued Draft Request for Proposals (RFP) State planning process runs

584 views • 9 slides
Bl Blackford Cou County y School hools Progr ogram amming Bl Blackf ckford Cou County

Bl Blackford Cou County y School hools Progr ogram amming Bl Blackf ckford Cou County

Bl Blackford Cou County y School hools Progr ogram amming Bl Blackf ckford Cou County Sc y Schoo ools s Five ve-Year ar V Vision: The Vision of BCS is to become the preeminent school system in the state. Through strong

544 views • 26 slides
ICD-10-CM: The Sage Continues UHIMA Kathy DeVault, MSL, RHIA, CCS, CCS-P, FAHIMA UASI

ICD-10-CM: The Sage Continues UHIMA Kathy DeVault, MSL, RHIA, CCS, CCS-P, FAHIMA UASI

ICD-10-CM: The Sage Continues UHIMA Kathy DeVault, MSL, RHIA, CCS, CCS-P, FAHIMA UASI Kathy.devault@uasisolutions.com Objectives Review quality documentation Discuss use of unspecified codes Discuss opportunities in ICD-10-CM

658 views • 41 slides
Countermeasures Plan Update UASI Approval Authority Meeting 14 July 2016 Dr. Erica Pan Alameda

Countermeasures Plan Update UASI Approval Authority Meeting 14 July 2016 Dr. Erica Pan Alameda

Bay Area Medical Countermeasures Plan Update UASI Approval Authority Meeting 14 July 2016 Dr. Erica Pan Alameda County Public Health Director, Division of Communicable Disease Control & Prevention and Deputy Public Health Officer

356 views • 6 slides
B AY A REA UASI Barry Fraser General Manager BayRICS Authority October 8, 2015 2 B AY RICS R

B AY A REA UASI Barry Fraser General Manager BayRICS Authority October 8, 2015 2 B AY RICS R

B AY RICS U PDATE FOR B AY A REA UASI Barry Fraser General Manager BayRICS Authority October 8, 2015 2 B AY RICS R ESTRUCTURING In July, BayRICS transitioned to a part-time general manager and implemented other cost-saving measures,

216 views • 7 slides
Bay Area UASI Large Special Event Concept of Operations Template Project Janell M Myhre re

Bay Area UASI Large Special Event Concept of Operations Template Project Janell M Myhre re

Bay Area UASI Large Special Event Concept of Operations Template Project Janell M Myhre re Regional al P Program am Manag ager April 14, 2016 Purpose Develop Emergency Management Large Special Event (LSE) Concept of Operations

192 views • 7 slides
Functional Needs Support and Deployment 20 2011 National U 2011 National U 20 National UASI

Functional Needs Support and Deployment 20 2011 National U 2011 National U 20 National UASI

Functional Needs Support and Deployment 20 2011 National U 2011 National U 20 National UASI and National UASI and SI and Homeland Security Conf SI and Homeland Security Conf Homeland Security Conference Homeland Security Conference

638 views • 49 slides
Do immigrants take or create residents jobs? Quasi-experimental evidence from Switzerland

Do immigrants take or create residents jobs? Quasi-experimental evidence from Switzerland

Do immigrants take or create residents jobs? Quasi-experimental evidence from Switzerland Michael Siegenthaler and Christoph Basten KOF, ETH Zurich January 2014 January 2014 1 Introduction Introduction: The question posed I Do

222 views • 18 slides
Roundtable Attendees: In our presentation, we will describe the Community Action system in Oregon

Roundtable Attendees: In our presentation, we will describe the Community Action system in Oregon

Roundtable Attendees: In our presentation, we will describe the Community Action system in Oregon and try to give you a feeling for the diversity and complexity of our agencies. Craig suggested that there were three areas of potential partnership

401 views • 3 slides
Computing the quasipotential for nongradient SDEs in 3D Samuel F. Potter Joint work with Maria

Computing the quasipotential for nongradient SDEs in 3D Samuel F. Potter Joint work with Maria

Computing the quasipotential for nongradient SDEs in 3D Samuel F. Potter Joint work with Maria Cameron and Shuo Yang University of Maryland, College Park, MD Mid-Atlantic Numerical Analysis Day, 2019 What are rare events in SDEs? d x t = b ( x

483 views • 27 slides
TFAWS August 21-25, 2017 NASA Marshall Space Flight Center MSFC 2017 Huntsville, AL

TFAWS August 21-25, 2017 NASA Marshall Space Flight Center MSFC 2017 Huntsville, AL

TFAWS Active Thermal Paper Session AN INNOVATIVE METHODOLOGY FOR ERROR ANALYSIS OF THERMO-FLUID SYSTEMS David Dodoo-Amoo, Julio Mendez, Mookesh Dhanasar, Frederick Ferguson North Carolina A&T State University Presented By David

871 views • 41 slides
Planning Ethics & Ex Parte Communications MPCA Annual Conference Presentation by: Thomas V.

Planning Ethics & Ex Parte Communications MPCA Annual Conference Presentation by: Thomas V.

Planning Ethics & Ex Parte Communications MPCA Annual Conference Presentation by: Thomas V. McCarron , Esq., Semmes, Bowen & Semmes , Mount Airy Town Counsel & Bill Butts , Mount Airy Planning Commission Member FR FR What is Ex

518 views • 30 slides
a 21 st Ce ntur A Ne w Zoning Code for y L os Ang e le s Proc e sse s a nd Proc e dure s City

a 21 st Ce ntur A Ne w Zoning Code for y L os Ang e le s Proc e sse s a nd Proc e dure s City

a 21 st Ce ntur A Ne w Zoning Code for y L os Ang e le s Proc e sse s a nd Proc e dure s City Pla nning Commission , Oc to b e r 11, 2018 CPC-2016-3182-CA De pa r tme nt of City Pla nning Co de Studie s Divisio n WHAT IS re:code LA?

869 views • 30 slides
District of Colum bia Green Bank Recom m endations Sum m ary of Report Recom m endations For the

District of Colum bia Green Bank Recom m endations Sum m ary of Report Recom m endations For the

District of Colum bia Green Bank Recom m endations Sum m ary of Report Recom m endations For the Departm ent of Energy & Environm ent Prepared by the Coalition for Green Capital February 16, 2017 - Stakeholder Briefing Green Bank increases

396 views • 12 slides
Building Black Power & meaningful white allyship Presented by: Adam J. Jackson Chief

Building Black Power & meaningful white allyship Presented by: Adam J. Jackson Chief

Building Black Power & meaningful white allyship Presented by: Adam J. Jackson Chief Executive Officer www.lbsbaltimore.com Mission Leaders of a Beautiful Struggle (LBS) is a grassroots think-tank which advances the public policy

663 views • 28 slides

More recommend