McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan - PowerPoint PPT Presentation

McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan

Code-based cryptography (encryption) Sender Receiver m + � e = � � r � r � = � m m � (noisy channel) 1

Code-based cryptography (encryption) Sender Receiver c + � e = � � r � c, � e = Decode ( � r ) � c = � mG (noisy channel) 1

Code-based cryptography (encryption) Sender Receiver � r r = � mG + � � c, � e = Decode ( � r ) � e 1

Code-based cryptography (encryption) Sender Receiver � r r = � mG + � � c, � e = Decode ( � r ) � e • McEliece (1978) using binary Goppa code remains secure. • Niederreiter as the dual system. • Confidence-inspiring post-quantum cryptosystems. 1

The old and the new McBits The old McBits (2013) • “ McBits: Fast constant-time code-based cryptography ” by Daniel J. Bernstein, Tung Chou, Peter Schwabe • Bitslicing, non-conventional algorithms for decoding • Using external parallelism • High throughput, high latency 2

The old and the new McBits The old McBits (2013) • “ McBits: Fast constant-time code-based cryptography ” by Daniel J. Bernstein, Tung Chou, Peter Schwabe • Bitslicing, non-conventional algorithms for decoding • Using external parallelism • High throughput, high latency The new McBits (2017) • Using internal parallelism • High throughput, low latency 2

Bitslicing “Simulating w copies of a circuit using bitwise logical operations.” b 0 3

Bitslicing “Simulating w copies of a circuit using bitwise logical operations.” b w − 1 b 0 . . . . . . 3

Bitslicing “Simulating w copies of a circuit using bitwise logical operations.” b w − 1 b 0 . . . . . . McBits 2013: Inst. 1 Inst. w 3

Bitslicing “Simulating w copies of a circuit using bitwise logical operations.” b w − 1 b 0 . . . . . . McBits 2013: Inst. 1 Inst. w McBits 2017: Inst. 1 Inst. 1 3

Speeds reference m n t bytes sec perm synd key eq root all arch 13 6624 115 958482 252 23140 83127 102337 65050 444971 IB McBits 2013 13 6960 119 1046739 263 23020 83735 109805 66453 456292 IB 3783 62170 170576 53825 410132 IB McBits 2017 13 8192 128 1357824 297 3444 36076 127070 34491 275092 HW Timings for decoding key-generation encryption decryption arch 1552717680 312135 492404 IB 1236054840 289152 343344 HW Timings for key generation, encryption, and decryption 4

Decoder Received word � r = � c + � e Syndrome computation Key-equation BM solving Root finding � e 5

Decoder Received word � r = � c + � e transposed Syndrome multi-point ≈ computation evaluation Key-equation BM solving Root multi-point ≈ finding evaluation � e 5

Decoder Received word � r = � c + � e permutation transposed Syndrome + multi-point ≈ computation evaluation transposed FFT Key-equation BM solving additive FFT Root multi-point + ≈ finding evaluation permutation � e 5

Beneˇ s network • if c , swap( b 0 , b 1 ) • d ← b 0 ⊕ b 1 ; d ← cd ; b 0 ← b 0 ⊕ d ; b 1 ← b 1 ⊕ d ; 6

Beneˇ s network 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 7

Beneˇ s network 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 1 7

Beneˇ s network 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 2 7

Beneˇ s network 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 3 7

Beneˇ s network 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 4 7

Beneˇ s network 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 5 7

Beneˇ s network 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 6 7

Beneˇ s network 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Stage 7 7

Bit-matrix transposition 0 1 2 3 8

Bit-matrix transposition 0 1 2 3 8

Bit-matrix transposition 0 0 1 2 2 1 3 3 8

Bit-matrix transposition 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 9

Bit-matrix transposition 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 9

Bit-matrix transposition 0 1 2 8 9 3 4 5 12 6 13 7 2 8 9 3 10 11 12 6 13 7 14 15 9

Bit-matrix transposition 0 1 2 8 9 3 4 5 12 6 13 7 2 8 9 3 10 11 12 6 13 7 14 15 9

Bit-matrix transposition 0 1 4 8 2 12 3 9 4 1 5 12 9 6 13 7 2 8 9 3 6 10 11 14 12 3 6 13 7 11 14 15 9

The Gao–Mateer Additive FFT • Multiplicative FFT f ( x ) = f (0) ( x 2 ) + xf (1) ( x 2 ) • Additive FFT f ( x ) = f (0) ( x 2 + x ) + xf (1) ( x 2 + x ) 10

Additive FFT (butterflies) “Full” FFT 11

Additive FFT (butterflies) transpose “Full” FFT 11

Additive FFT (butterflies) transpose Low-degree FFT 11

Additive FFT (radix conversions) f 0 f 1 f 2 f 3 f 4 f 5 f 6 f 7 12

Additive FFT (radix conversions) + + f 0 f 1 f 2 f 3 f 4 f 5 f 6 f 7 12

Additive FFT (radix conversions) + + + + f 0 f 1 f 2 f 3 f 4 f 5 f 6 f 7 12

Additive FFT (radix conversions) f 0 f 1 f 2 f 3 f 4 f 5 f 6 f 7 ∗ = α 12

Additive FFT (radix conversions) + + + + f 0 f 1 f 2 f 3 f 4 f 5 f 6 f 7 ∗ = α 12

Additive FFT (radix conversions) + + + + f 0 f 1 f 2 f 3 f 4 f 5 f 6 f 7 ∗ = α • Additions: logical operations & , ˆ, ≫ , ≪ . • Bitsliced multiplications. • Small polynomial degree ⇒ relatively cheap. 12

Berlekamp-Massey algorithm Picture from: “Implementation of Berlekamp-Massey algorithm without inversion” by Xu Youzhi 13

Key generation Public-key generation • Constant-time Gaussian elimination in F 2 . H I H ′ 14

Key generation Public-key generation • Constant-time Gaussian elimination in F 2 . H I H ′ Secret-key generation • Goppa polynomial: degree- t , irreducible g ∈ F 2 m [ x ] . • Generating random element α ∈ F 2 mt . • Derive minimal polynomial of α with Gaussian elimination in F 2 m . 14

tungchou.github.io/mcbits/