McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan - - PowerPoint PPT Presentation

▶

Sep 02, 2022 207 likes •670 views

McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan Code-based cryptography (encryption) Sender Receiver m + e = r r = m m (noisy channel) 1 Code-based cryptography (encryption) Sender

SLIDE 1

McBits Revisited

ia.cr/2017/793 Tung Chou

Osaka University, Japan

SLIDE 2

Code-based cryptography (encryption)

Sender Receiver

e = r

m

(noisy channel) 1

SLIDE 3

Code-based cryptography (encryption)

Sender Receiver

mG

e = r

e = Decode( r)

(noisy channel) 1

SLIDE 4

Code-based cryptography (encryption)

Sender Receiver

mG + e

e = Decode( r)

1

SLIDE 5

Code-based cryptography (encryption)

Sender Receiver

mG + e

e = Decode( r)

McEliece (1978) using binary Goppa code remains secure.
Niederreiter as the dual system.
Confidence-inspiring post-quantum cryptosystems.

1

SLIDE 6

The old and the new McBits

The old McBits (2013)

“McBits: Fast constant-time code-based cryptography”

by Daniel J. Bernstein, Tung Chou, Peter Schwabe

Bitslicing, non-conventional algorithms for decoding
Using external parallelism
High throughput, high latency

2

SLIDE 7

The old and the new McBits

The old McBits (2013)

“McBits: Fast constant-time code-based cryptography”

by Daniel J. Bernstein, Tung Chou, Peter Schwabe

Bitslicing, non-conventional algorithms for decoding
Using external parallelism
High throughput, high latency

The new McBits (2017)

Using internal parallelism
High throughput, low latency

2

SLIDE 8

Bitslicing

“Simulating w copies of a circuit using bitwise logical operations.”

b0

3

SLIDE 9

Bitslicing

“Simulating w copies of a circuit using bitwise logical operations.”

b0 . . . . . . bw−1

3

SLIDE 10

Bitslicing

“Simulating w copies of a circuit using bitwise logical operations.”

b0 . . . . . . bw−1 McBits 2013:

Inst. 1
Inst. w

3

SLIDE 11

Bitslicing

“Simulating w copies of a circuit using bitwise logical operations.”

b0 . . . . . . bw−1 McBits 2013:

Inst. 1
Inst. w

McBits 2017:

Inst. 1
Inst. 1

3

SLIDE 12

Speeds

reference m n t bytes sec perm synd key eq root all arch McBits 2013 13 6624 115 958482 252 23140 83127 102337 65050 444971 IB 13 6960 119 1046739 263 23020 83735 109805 66453 456292 IB McBits 2017 13 8192 128 1357824 297 3783 62170 170576 53825 410132 IB 3444 36076 127070 34491 275092 HW

Timings for decoding

key-generation encryption decryption arch 1552717680 312135 492404 IB 1236054840 289152 343344 HW

Timings for key generation, encryption, and decryption 4

SLIDE 13

Decoder

BM Received word

c + e Syndrome computation Key-equation solving Root finding

5

SLIDE 14

Decoder

BM Received word

c + e Syndrome computation Key-equation solving Root finding

≈ ≈ transposed multi-point evaluation multi-point evaluation 5

SLIDE 15

Decoder

BM Received word

c + e Syndrome computation Key-equation solving Root finding

≈ ≈ transposed multi-point evaluation multi-point evaluation permutation + transposed FFT additive FFT + permutation 5

SLIDE 16

Beneˇ s network

if c, swap(b0, b1)
d ← b0 ⊕ b1; d ← cd; b0 ← b0 ⊕ d; b1 ← b1 ⊕ d;

6

SLIDE 17

Beneˇ s network

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

7

SLIDE 18

Beneˇ s network

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 1

7

SLIDE 19

Beneˇ s network

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 2

7

SLIDE 20

Beneˇ s network

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 3

7

SLIDE 21

Beneˇ s network

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 4

7

SLIDE 22

Beneˇ s network

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 5

7

SLIDE 23

Beneˇ s network

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 6

7

SLIDE 24

Beneˇ s network

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 7

7

SLIDE 25

Bit-matrix transposition

3 2 1

8

SLIDE 26

Bit-matrix transposition

3 2 1

8

SLIDE 27

Bit-matrix transposition

3 2 1 3 1 2

8

SLIDE 28

Bit-matrix transposition

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

9

SLIDE 29

Bit-matrix transposition

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

9

SLIDE 30

Bit-matrix transposition

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 8 9 12 13 2 3 6 7

9

SLIDE 31

Bit-matrix transposition

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 8 9 12 13 2 3 6 7

9

SLIDE 32

Bit-matrix transposition

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 8 9 12 13 2 3 6 7 12 14 9 11 4 6 1 3

9

SLIDE 33

The Gao–Mateer Additive FFT

Multiplicative FFT

f(x) = f(0)(x2) + xf(1)(x2)

Additive FFT

f(x) = f(0)(x2 + x) + xf(1)(x2 + x)

10

SLIDE 34

Additive FFT (butterflies)

“Full” FFT

11

SLIDE 35

Additive FFT (butterflies)

transpose

“Full” FFT

11

SLIDE 36

Additive FFT (butterflies)

transpose

Low-degree FFT

11

SLIDE 37

Additive FFT (radix conversions)

f0 f1 f2 f3 f4 f5 f6 f7

12

SLIDE 38

Additive FFT (radix conversions)

+ + f0 f1 f2 f3 f4 f5 f6 f7

12

SLIDE 39

Additive FFT (radix conversions)

+ + + + f0 f1 f2 f3 f4 f5 f6 f7

12

SLIDE 40

Additive FFT (radix conversions)

f0 f1 f2 f3 f4 f5 f6 f7 ∗ = α

12

SLIDE 41

Additive FFT (radix conversions)

+ + + + f0 f1 f2 f3 f4 f5 f6 f7 ∗ = α

12

SLIDE 42

Additive FFT (radix conversions)

+ + + + f0 f1 f2 f3 f4 f5 f6 f7 ∗ = α

Additions: logical operations &, ˆ, ≫, ≪.
Bitsliced multiplications.
Small polynomial degree ⇒ relatively cheap.

12

SLIDE 43

Berlekamp-Massey algorithm

Picture from: “Implementation of Berlekamp-Massey algorithm without inversion” by Xu Youzhi 13

SLIDE 44

Key generation

Public-key generation

Constant-time Gaussian elimination in F2.

H I H′

14

SLIDE 45

Key generation

Public-key generation

Constant-time Gaussian elimination in F2.

H I H′ Secret-key generation

Goppa polynomial: degree-t, irreducible g ∈ F2m[x].
Generating random element α ∈ F2mt.
Derive minimal polynomial of α with Gaussian elimination in F2m.

14

SLIDE 46