McTiny: Encoding and decoding McEliece for tiny network servers - - PowerPoint PPT Presentation



SLIDE 1

McTiny: McEliece for tiny network servers

Daniel J. Bernstein, uic.edu, rub.de
Tanja Lange, tue.nl

Fundamental literature:
1962 Prange (attack) + many more attack papers.
1968 Berlekamp (decoder).
1970–1971 Goppa (codes).
1978 McEliece (cryptosystem).
1986 Niederreiter (compression) + many more optimizations.

SLIDE 2

Encoding and decoding

1978 McEliece public key: matrix G over $\mathbf{F}_2$. Normally m → mG is injective.

Ciphertext: vector C = mG + e. Uses secret codeword mG, weight-w error vector e.

1978 parameters for $2^{64}$ security goal: 512 × 1024 matrix, w = 50.

Public key is secretly generated with binary Goppa code structure that allows efficient decoding: C → mG, e.

SLIDE 3

Binary Goppa codes

Parameters: $q \in \{8, 16, 32, \ldots\}$; $w \in \{2, 3, \ldots, \lfloor (q-1)/\lg q \rfloor\}$; $n \in \{w \lg q + 1, \ldots, q-1, q\}$.

Secrets: distinct $\alpha_1, \ldots, \alpha_n \in \mathbf{F}_q$; monic irreducible degree-w polynomial $g \in \mathbf{F}_q[x]$.

Goppa code: kernel of the map $v \mapsto \sum_i v_i/(x - \alpha_i)$ from $\mathbf{F}_2^n$ to $\mathbf{F}_q[x]/g$.

Normally dimension n − w lg q.

McEliece uses random $G \in \mathbf{F}_2^{k \times n}$ whose image is this code.

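As an added illustration (this is not code from the slides or from the Classic McEliece software), the Goppa-code definition on the slide above is computed literally for toy parameters q = 8, w = 2, n = 8: every v ∈ F_2^8 is pushed through v ↦ Σ_i v_i/(x − α_i) in F_q[x]/g and the kernel is enumerated. The field F_8 = F_2[y]/(y³ + y + 1), the choice g = x² + x + 1, taking the α_i to be all of F_8, and every function name are this example's own assumptions.

```python
# Added example (not from the slides): the binary Goppa code of the slide, computed from
# its definition for toy parameters. Assumptions: q = 8 (lg q = 3), w = 2, n = 8.
Q_BITS = 3               # lg q
MODULUS = 0b1011         # F_8 = F_2[y]/(y^3 + y + 1); an element is an int 0..7, bit i = coefficient of y^i
G_POLY = [1, 1, 1]       # g(x) = x^2 + x + 1 in F_8[x], low degree first (monic, degree w = 2)
ALPHAS = list(range(8))  # distinct alpha_1..alpha_n: all of F_8, so n = q = 8


def gf_mul(a, b):
    """Multiply in F_8: carry-less product reduced by y^3 + y + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << Q_BITS):
            a ^= MODULUS
    return r


def gf_inv(a):
    """Inverse in F_8 by exhaustive search (only 7 nonzero elements)."""
    for b in range(1, 1 << Q_BITS):
        if gf_mul(a, b) == 1:
            return b
    raise ZeroDivisionError("0 has no inverse")


def poly_eval(poly, alpha):
    """Horner evaluation of an F_8[x] polynomial at alpha."""
    acc = 0
    for c in reversed(poly):
        acc = gf_mul(acc, alpha) ^ c
    return acc


def is_irreducible(poly):
    """For degree 2 or 3, irreducible over F_q iff it has no root in F_q."""
    assert len(poly) - 1 in (2, 3), "root test decides irreducibility only below degree 4"
    return all(poly_eval(poly, a) != 0 for a in range(1 << Q_BITS))


def inverse_of_linear(g, alpha):
    """Coefficients of (x - alpha)^{-1} in F_q[x]/g, low degree first.
    Synthetic division gives g(x) = (x - alpha) h(x) + g(alpha); in characteristic 2 and
    modulo g this reads (x - alpha) h(x) = g(alpha), so the inverse is h(x) / g(alpha).
    g(alpha) != 0 for every alpha in F_q because g is irreducible."""
    w = len(g) - 1
    h = [0] * w
    acc = g[w]                              # leading coefficient (1: g is monic)
    for j in range(w - 1, -1, -1):
        h[j] = acc
        acc = g[j] ^ gf_mul(alpha, acc)     # finishes as the remainder g(alpha)
    scale = gf_inv(acc)
    return [gf_mul(scale, c) for c in h]


def goppa_code(g, alphas):
    """Kernel of v -> sum_i v_i/(x - alpha_i), enumerated over all v in F_2^n (bit i of v = v_i).
    Addition in F_q[x]/g is coefficient-wise XOR, so the image of v is the XOR of the inverses at its set bits."""
    n = len(alphas)
    inv = [inverse_of_linear(g, a) for a in alphas]
    kernel = []
    for v in range(1 << n):
        image = [0] * (len(g) - 1)
        for i in range(n):
            if (v >> i) & 1:
                for j, c in enumerate(inv[i]):
                    image[j] ^= c
        if not any(image):
            kernel.append(v)
    return kernel


def code_dimension(codewords):
    """The kernel is an F_2-subspace, so it has exactly 2^k elements."""
    count = len(codewords)
    assert count & (count - 1) == 0, "kernel size must be a power of two"
    return count.bit_length() - 1


def min_distance(codewords):
    """Smallest weight of a nonzero codeword (= minimum distance of a linear code)."""
    return min(bin(c).count("1") for c in codewords if c)


def demo():
    """Returns (dimension, minimum distance) of the toy code."""
    assert is_irreducible(G_POLY)
    code = goppa_code(G_POLY, ALPHAS)
    # The slide's "normally dimension n - w lg q" predicts 8 - 2*3 = 2 here; the standard
    # bound for binary Goppa codes with squarefree g gives nonzero weights >= 2w + 1 = 5.
    return code_dimension(code), min_distance(code)
```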
SLIDE 4

One-wayness (“OW-Passive”)

Fundamental security question: Can attacker efficiently find random m, e given random public key G and ciphertext mG + e?

1962 Prange: simple attack idea guiding sizes in 1978 McEliece.

The McEliece system (with later key-size optimizations) uses $(c_0 + o(1))\lambda^2 (\lg \lambda)^2$-bit keys as $\lambda \to \infty$ to achieve $2^\lambda$ security against Prange’s attack. Here $c_0 \approx 0.7418860694$.

SLIDE 5

≥26 subsequent publications analyzing one-wayness of system:

1981 Clark–Cain, crediting Omura.
1988 Lee–Brickell.
1988 Leon.
1989 Krouk.
1989 Stern.
1989 Dumer.
1990 Coffey–Goodman.
1990 van Tilburg.
1991 Dumer.
1991 Coffey–Goodman–Farrell.
1993 Chabanne–Courteau.
1993 Chabaud.

SLIDE 6

1994 van Tilburg.
1994 Canteaut–Chabanne.
1998 Canteaut–Chabaud.
1998 Canteaut–Sendrier.
2008 Bernstein–Lange–Peters.
2009 Bernstein–Lange–Peters–van Tilborg.
2009 Finiasz–Sendrier.
2011 Bernstein–Lange–Peters.
2011 May–Meurer–Thomae.
2012 Becker–Joux–May–Meurer.
2013 Hamdaoui–Sendrier.
2015 May–Ozerov.
2016 Canto Torres–Sendrier.
2017 Both–May.

SLIDE 7

The McEliece system uses $(c_0 + o(1))\lambda^2 (\lg \lambda)^2$-bit keys as $\lambda \to \infty$ to achieve $2^\lambda$ security against all attacks known today. Same $c_0 \approx 0.7418860694$.

Replacing λ with 2λ stops all known quantum attacks: 2008 Bernstein, 2017 Kachigar–Tillich, 2018 Kirshanova.

Modern example, mceliece6960119 parameter set (2008 Bernstein–Lange–Peters): q = 8192, n = 6960, w = 119.

SLIDE 8

NIST competition

2016: U.S. National Institute of Standards and Technology starts “post-quantum” competition.
2017: 69 complete submissions.
2019: NIST selects 26 submissions for round 2.

“Classic McEliece”: submission from team of 12 people.

Round-2 options: 8192128, 6960119, 6688128, 460896, 348864.

SLIDE 9

Is Classic McEliece same as 1978 McEliece? Not exactly.

1978 McEliece prompted a huge amount of followup work. Some work improves efficiency while clearly preserving security: e.g., Niederreiter compression; e.g., many decoding speedups. Classic McEliece uses all this.

Classic McEliece also aims for more than OW-Passive security.

SLIDE 10

Niederreiter key compression

Generator matrix for code Γ of length n and dimension k: $G' \in \mathbf{F}_2^{k \times n}$ with $\Gamma = \mathbf{F}_2^k \cdot G'$.

McEliece public key: G = SG′ for random invertible $S \in \mathbf{F}_2^{k \times k}$.

Niederreiter instead reduces G′ to the unique generator matrix in systematic form: $G = (I_k \mid R)$.

Pr ≈ 29% that systematic form exists. Security loss: <2 bits.

11

Niederreiter ciphertext compression
Use Niederreiter key G = (I_k | R). McEliece ciphertext: mG + e ∈ F_2^n. Niederreiter ciphertext, shorter: He^⊤ ∈ F_2^{(n−k)×1} where H = (R^⊤ | I_{n−k}). Given H and Niederreiter’s He^⊤, can attacker efficiently find e? If so, attacker can efficiently find m, e given G and mG + e: compute H(mG + e)^⊤ = He^⊤; find e; compute m from mG.
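
Slides 10 and 11 in running code, as an added example that is not from the slides or from the Classic McEliece implementation: reduce a generator matrix to the unique systematic form (I_k | R), build H = (R^⊤ | I_{n−k}), and check that a McEliece ciphertext mG + e has the same syndrome as e alone. The code uses a small random binary code rather than a Goppa code, so the toy sizes (k = 8, n = 16, w = 2), the seed and the function names are this example's own assumptions; `prob_systematic` computes the random-matrix model behind the slide's "≈29%" figure.

```python
# Added example, not from the slides: Niederreiter key compression (reduce a
# generator matrix to the unique systematic form (I_k | R)) and ciphertext
# compression (syndrome H e^T with H = (R^T | I_{n-k})) on a toy binary code.
# Matrices are lists of 0/1 rows; the toy sizes and seed are this example's.
import random


def systematic_form(G):
    """Row-reduce a k x n matrix over F_2 so its left k x k block becomes I_k,
    without permuting columns. Returns R with rowspace(G) = rowspace(I_k | R),
    or None when the left block is singular (no systematic form exists; a real
    key generator then rejects this code and tries another one)."""
    rows = [r[:] for r in G]
    k = len(rows)
    for col in range(k):
        pivot = next((r for r in range(col, k) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(k):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [r[k:] for r in rows]


def parity_check(R, k, n):
    """H = (R^T | I_{n-k}), the (n-k) x n parity-check matrix of (I_k | R)."""
    return [[R[i][j] for i in range(k)] + [int(t == j) for t in range(n - k)]
            for j in range(n - k)]


def row_combination(G, coeffs):
    """coeffs * G over F_2: XOR of the rows of G selected by coeffs (this is mG)."""
    out = [0] * len(G[0])
    for bit, row in zip(coeffs, G):
        if bit:
            out = [a ^ b for a, b in zip(out, row)]
    return out


def syndrome(H, v):
    """H v^T over F_2: n-k bits instead of the n-bit vector v."""
    return [sum(h * x for h, x in zip(row, v)) % 2 for row in H]


def prob_systematic(k):
    """Model behind the slide's ~29%: a uniformly random k x k matrix over F_2
    is invertible with probability prod_{i=1..k} (1 - 2^-i), which tends to
    0.2888... as k grows."""
    p = 1.0
    for i in range(1, k + 1):
        p *= 1.0 - 2.0 ** -i
    return p


def demo(seed=1, k=8, n=16, w=2):
    """Toy walk-through of slides 10 and 11 with a random (not Goppa) code."""
    rng = random.Random(seed)
    attempts, R = 0, None
    while R is None:                       # reject codes without systematic form
        attempts += 1
        G = [[rng.randrange(2) for _ in range(n)] for _ in range(k)]
        R = systematic_form(G)
    G_sys = [[int(j == i) for j in range(k)] + R[i] for i in range(k)]
    H = parity_check(R, k, n)
    # Any invertible S gives the same systematic form: the public key (I_k | R)
    # does not depend on S, which is why Niederreiter can drop S entirely.
    S = None
    while S is None or systematic_form(S) is None:
        S = [[rng.randrange(2) for _ in range(k)] for _ in range(k)]
    SG = [row_combination(G, s_row) for s_row in S]
    # McEliece ciphertext c = mG + e with a weight-w error vector e.
    m = [rng.randrange(2) for _ in range(k)]
    e = [0] * n
    for pos in rng.sample(range(n), w):
        e[pos] = 1
    c = [a ^ b for a, b in zip(row_combination(G_sys, m), e)]
    return {
        "attempts": attempts,
        "key_independent_of_S": systematic_form(SG) == R,
        "codewords_have_zero_syndrome": all(syndrome(H, g) == [0] * (n - k) for g in G_sys),
        "mceliece_bits": n,
        "niederreiter_bits": n - k,
        # H c^T = H(mG)^T + H e^T = H e^T: anyone who finds e from the short
        # syndrome also strips e from the McEliece ciphertext, so the
        # compressed ciphertext is no weaker than the original one.
        "syndrome_matches": syndrome(H, c) == syndrome(H, e),
        # With G systematic, m is simply the first k bits of mG = c + e.
        "m_recovered": [a ^ b for a, b in zip(c, e)][:k] == m,
    }
```

`demo()` counts how many random codes had to be tried before one admitted a systematic form, which for these toy sizes agrees with the roughly 29% per-attempt success rate returned by `prob_systematic`; real key generation handles the failure case the same way, by discarding the candidate and generating a fresh one rather than permuting columns.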


12

Other choices of codes
Niederreiter suggested Reed–Solomon codes. Broken in 1992 by Sidelnikov and Shestakov. More corpses: e.g., concatenated codes, Reed–Muller codes, several AG codes, Gabidulin codes, several LDPC codes. No proof that changing codes preserves security level. Classic McEliece: binary Goppa.


13

IND-CCA2 security
OW-Passive security is too weak. Messages are not random. Attackers choose ciphertexts and observe reactions. Classic McEliece does more work for “IND-CCA2 security”. Combines coding theory with AES-GCM “authenticated cipher” and SHA-3 “hash function”. All messages are safe. Reusing keys is safe.


14

Time
Cycles on Intel Haswell CPU core:

params    op    cycles
348864    enc    45888
460896    enc    82684
6688128   enc   153372
6960119   enc   154972
8192128   enc   183892
348864    dec   136840
460896    dec   273872
6688128   dec   320428
6960119   dec   302460
8192128   dec   324008


15

“Wait, you’re leaving out the most important cost! It’s crazy to have such slow keygen!”

params    op          cycles
348864    keygen   140870324
348864f   keygen    82232360
460896    keygen   441517292
460896f   keygen   282869316
6688128   keygen  1180468912
6688128f  keygen   625470504
6960119   keygen  1109340668
6960119f  keygen   564570384
8192128   keygen   933422948
8192128f  keygen   678860388


16

1. What evidence do we have that this keygen time is a problem for applications?
2. Classic McEliece is designed for IND-CCA2 security, so a key can be generated once and used a huge number of times.
3. McEliece’s binary operations are very well suited for hardware. See 2018 Wang–Szefer–Niederhagen. Isn’t this what’s most important for the future?


17

Bytes communicated

params    object         bytes
348864    ciphertext       128
460896    ciphertext       188
6688128   ciphertext       240
6960119   ciphertext       226
8192128   ciphertext       240
348864    key           261120
460896    key           524160
6688128   key          1044992
6960119   key          1047319
8192128   key          1357824

“It’s crazy to have big keys!”


18

What evidence do we have that these key sizes are a problem for applications? Compare to, e.g., web-page size. httparchive.org statistics: 50% of web pages are >1.8MB. 25% of web pages are >3.5MB. 10% of web pages are >6.5MB. The sizes keep growing. Typically a browser receives one web page from multiple servers, but reuses servers for more pages. Is key size a big part of this?


19

2015 McGrew “Living with postquantum cryptography”: Use standard networking techniques (multicasts, caching, etc.) to reduce cost of communicating public keys. Each ciphertext has to travel all the way between the client and the server, but public keys can often be retrieved through much faster local network. Again IND-CCA2 is critical.


20

Denial of service
Standard low-cost attack strategy: make a huge number of connections to a server, filling up all memory available on server for keeping track of connections. SYN flood, HTTP flood, etc. Server is forced to stop serving some connections, including connections from honest clients. But some Internet protocols are not vulnerable to this attack.

21

A tiny network server handles and immediately forgets each incoming network packet, without allocating any memory. Tiny network servers can be used to publish information. Unauthenticated example from last century: “anonymous NFS”. 1997 Aura–Nikander, 2005 Shieh–Myers–Sirer modify any protocol to use a tiny network server if an “input continuation” fits into a network packet: the state the server would otherwise have to keep is handed back to the client, which returns it with its next packet.

22

“Here’s a natural scenario that McEliece can’t possibly handle:
• To stop memory floods, I want a tiny network server.
• For forward secrecy, I want the server to encrypt a session key to an ephemeral public key sent by the client.
• This forces the public key to fit into a network packet. Is that 1500 bytes? Or 1280? Either way, your key is too big.
It’s crazy if post-quantum standards can’t handle this!”

23

Bernstein–Lange “McTiny” handles this scenario.

1. The easy part: Client encrypts a session key to the server’s long-term McEliece public key. This establishes an encrypted authenticated session. An attacker who records this session and later steals the server’s secret key can then decrypt everything. Remaining problem: within this session, encrypt to an ephemeral key for forward secrecy.

24

2. Client decomposes ephemeral public key $K = R^{\top}$ into blocks:

$$K = \begin{pmatrix} K_{1,1} & K_{1,2} & K_{1,3} & \cdots & K_{1,\ell} \\ K_{2,1} & K_{2,2} & K_{2,3} & \cdots & K_{2,\ell} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ K_{r,1} & K_{r,2} & K_{r,3} & \cdots & K_{r,\ell} \end{pmatrix}.$$

Each block is small enough to fit into a network packet.

3. Client sends $K_{i,j}$ to server. Server sends back $K_{i,j} e_j^{\top}$ encrypted to a server cookie key. The server cookie key is not per-client. The key is erased after a few minutes.

25

4. Client sends one packet containing several (cookie-encrypted) $K_{i,j} e_j^{\top}$. Server sends back the combination.

5. Repeat to combine everything, including the $I_{n-k}$ part of $H$.

6. Server sends the final $He^{\top}$ directly to the client, encrypted by the session key but not by the cookie key.

7. Client decrypts.

Forward secrecy: Once the cookie key and the secret key for $H$ are erased, client and server cannot decrypt.
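
The block-wise exchange of steps 2 through 7, together with the slide 21 idea of carrying the server's state in an encrypted “input continuation” instead of server memory, as an added worked example. This is illustrative code written for this page, not the McTiny paper's protocol or implementation. It assumes toy parameters (n = 40, k = 24, w = 4, r = 4 row blocks, ℓ = 3 column blocks), an HMAC-based `seal`/`unseal` pair standing in for a real AEAD, a session cookie that carries the step 1 session key back to the server with every packet, and an error vector e derived as a PRF of the cookie key and a session id so that the stateless server recomputes the same e on every packet; none of those choices is stated on the slides.

```python
import hashlib, hmac, secrets, struct

# Toy parameters (assumed for this example, not McTiny's): n = 40, k = 24, n-k = 16, w = 4.
K_COLS, N_MINUS_K, W = 24, 16, 4
N = K_COLS + N_MINUS_K
R_BLOCKS, L_BLOCKS = 4, 3                                        # r row blocks, l column blocks
ROWS_PER, COLS_PER = N_MINUS_K // R_BLOCKS, K_COLS // L_BLOCKS   # each K_{i,j} is 4 x 8 bits
FULL_MASK = (1 << L_BLOCKS) - 1

def seal(key, aad, data):
    """Toy authenticated encryption (HMAC-SHA256 keystream + HMAC-SHA256 tag), standing in
    for a real AEAD. Only valid for the <= 32-byte payloads used here."""
    assert len(data) <= 32
    nonce = secrets.token_bytes(16)
    pad = hmac.new(key, b"enc" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(data, pad))
    tag = hmac.new(key, b"mac" + aad + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unseal(key, aad, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + aad + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("cookie rejected")
    pad = hmac.new(key, b"enc" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def parity(x):
    return bin(x).count("1") & 1

def derive_e(cookie_key, sid):
    """Server's weight-w error vector as an int (bit p set <=> e_p = 1). Assumption: e is a
    PRF of the cookie key and session id, so the stateless server recomputes the same e for
    every packet of a session, and e is unrecoverable once the cookie key is erased."""
    positions, ctr = set(), 0
    while len(positions) < W:
        h = hmac.new(cookie_key, b"err" + sid + struct.pack(">I", ctr), "sha256").digest()
        positions.add(int.from_bytes(h[:4], "big") % N)
        ctr += 1
    return sum(1 << p for p in positions)

def block_of(K, i, j):
    """K_{i,j}: rows of K in row block i restricted to column block j (one byte per row)."""
    rows = K[i * ROWS_PER:(i + 1) * ROWS_PER]
    return bytes((row >> (j * COLS_PER)) & ((1 << COLS_PER) - 1) for row in rows)

def _session(cookie_key, session_cookie):
    """Step 1's session key travels in a cookie (assumed) so the server stores nothing."""
    sk = unseal(cookie_key, b"sess", session_cookie)
    return sk, hashlib.sha256(sk).digest()[:8]

def server_block(cookie_key, session_cookie, i, j, block_ct):
    """Step 3: reply with K_{i,j} e_j^T as a cookie bound to session, row block and column block."""
    sk, sid = _session(cookie_key, session_cookie)
    block = unseal(sk, b"blk" + bytes([i, j]), block_ct)
    e_j = (derive_e(cookie_key, sid) >> (j * COLS_PER)) & ((1 << COLS_PER) - 1)
    partial = sum(parity(block[t] & e_j) << t for t in range(ROWS_PER))
    return seal(cookie_key, b"part", sid + bytes([i, 1 << j, partial]))

def server_combine(cookie_key, session_cookie, cookies):
    """Steps 4/5: XOR several partial cookies of one row block into one cookie. The coverage
    mask stops a column block from being counted twice or mixed across row blocks."""
    _, sid = _session(cookie_key, session_cookie)
    i, mask, acc = None, 0, 0
    for c in cookies:
        p = unseal(cookie_key, b"part", c)
        if p[:8] != sid or (i is not None and p[8] != i) or mask & p[9]:
            raise ValueError("cookie from another session or row block, or block already counted")
        i, mask, acc = p[8], mask | p[9], acc ^ p[10]
    if i is None:
        raise ValueError("no cookies")
    return seal(cookie_key, b"part", sid + bytes([i, mask, acc]))

def server_final(cookie_key, session_cookie, cookies):
    """Steps 5/6: add the I_{n-k} part of H and return H e^T under the session key only."""
    sk, sid = _session(cookie_key, session_cookie)
    syndrome, seen = derive_e(cookie_key, sid) >> K_COLS, set()    # I_{n-k} e_R^T = e_R
    for c in cookies:
        p = unseal(cookie_key, b"part", c)
        if p[:8] != sid or p[9] != FULL_MASK or p[8] in seen:
            raise ValueError("row block incomplete or duplicated")
        seen.add(p[8])
        syndrome ^= p[10] << (p[8] * ROWS_PER)
    if len(seen) != R_BLOCKS:
        raise ValueError("row blocks missing")
    return seal(sk, b"final", struct.pack(">H", syndrome))

def reference_syndrome(K, e):
    """H e^T computed directly from H = (K | I_{n-k}); used only to check the protocol."""
    e_L, e_R = e & ((1 << K_COLS) - 1), e >> K_COLS
    return sum(parity(row & e_L) << t for t, row in enumerate(K)) ^ e_R

def run_protocol(K, cookie_key, session_key):
    """Client side of steps 2-7 against the stateless server above. Returns the syndrome the
    client receives and the e the server used (step 7's real decoding needs the client's
    secret Goppa structure, which this toy does not have)."""
    session_cookie = seal(cookie_key, b"sess", session_key)         # issued by the server in step 1
    row_cookies = []
    for i in range(R_BLOCKS):
        parts = [server_block(cookie_key, session_cookie, i, j,
                              seal(session_key, b"blk" + bytes([i, j]), block_of(K, i, j)))
                 for j in range(L_BLOCKS)]                           # step 3: one packet per block
        row_cookies.append(server_combine(cookie_key, session_cookie, parts))     # step 4
    final = server_final(cookie_key, session_cookie, row_cookies)    # step 6
    syndrome = struct.unpack(">H", unseal(session_key, b"final", final))[0]       # step 7
    return syndrome, derive_e(cookie_key, hashlib.sha256(session_key).digest()[:8])
```

Every server function is a pure function of the cookie key and the packet it was handed, which is what makes the server “tiny”: it keeps no table of sessions, so a flood of half-finished exchanges costs it nothing but CPU. Each cookie is bound to a session id, a row block and a coverage mask, so a combine step cannot mix sessions or count a column block twice, and the final step refuses to emit $He^{\top}$ until every block of every row has been covered exactly once. Only the last reply is encrypted under the session key alone; once the cookie key is discarded, the partial results and e itself cannot be reconstructed by anyone.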

26

Classic McEliece recap

Security asymptotics unchanged by 40 years of cryptanalysis. Ciphertexts among the shortest. IND-CCA2 security. Open-source implementations: fast constant-time software, also an FPGA implementation. No patents. Big keys, but still compatible with tiny network servers. https://classic.mceliece.org