mctiny mceliece for tiny network servers daniel j
play

McTiny: McEliece for tiny network servers Daniel J. Bernstein, - PDF document

Jun 19, 2023 •279 likes •899 views

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange, tue.nl Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

  1. 1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange, tue.nl Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 1970–1971 Goppa (codes). 1978 McEliece (cryptosystem). 1986 Niederreiter (compression) + many more optimizations.

  2. 2 Encoding and decoding 1978 McEliece public key: matrix G over F 2 . Normally m �→ mG is injective.

  3. 2 Encoding and decoding 1978 McEliece public key: matrix G over F 2 . Normally m �→ mG is injective. Ciphertext: vector C = mG + e . Uses secret codeword mG , weight- w error vector e .

  4. 2 Encoding and decoding 1978 McEliece public key: matrix G over F 2 . Normally m �→ mG is injective. Ciphertext: vector C = mG + e . Uses secret codeword mG , weight- w error vector e . 1978 parameters for 2 64 security goal: 512 × 1024 matrix, w = 50.

  5. 2 Encoding and decoding 1978 McEliece public key: matrix G over F 2 . Normally m �→ mG is injective. Ciphertext: vector C = mG + e . Uses secret codeword mG , weight- w error vector e . 1978 parameters for 2 64 security goal: 512 × 1024 matrix, w = 50. Public key is secretly generated with binary Goppa code structure that allows efficient decoding: C �→ mG; e .

  6. 3 Binary Goppa codes Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } .

  7. 3 Binary Goppa codes Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; monic irreducible degree- w polynomial g ∈ F q [ x ].

  8. 3 Binary Goppa codes Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; monic irreducible degree- w polynomial g ∈ F q [ x ]. Goppa code: kernel of the map v �→ P i v i = ( x − ¸ i ) from F n 2 to F q [ x ] =g . Normally dimension n − w lg q .

  9. 3 Binary Goppa codes Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; monic irreducible degree- w polynomial g ∈ F q [ x ]. Goppa code: kernel of the map v �→ P i v i = ( x − ¸ i ) from F n 2 to F q [ x ] =g . Normally dimension n − w lg q . McEliece uses random G ∈ F k × n 2 whose image is this code.

  10. 4 One-wayness (“OW-Passive”) Fundamental security question: Can attacker efficiently find random m; e given random public key G and ciphertext mG + e ?

  11. 4 One-wayness (“OW-Passive”) Fundamental security question: Can attacker efficiently find random m; e given random public key G and ciphertext mG + e ? 1962 Prange: simple attack idea guiding sizes in 1978 McEliece.

  12. 4 One-wayness (“OW-Passive”) Fundamental security question: Can attacker efficiently find random m; e given random public key G and ciphertext mG + e ? 1962 Prange: simple attack idea guiding sizes in 1978 McEliece. The McEliece system (with later key-size optimizations) uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys as – → ∞ to achieve 2 – security against Prange’s attack. Here c 0 ≈ 0 : 7418860694.

  13. 5 ≥ 26 subsequent publications analyzing one-wayness of system: 1981 Clark–Cain, crediting Omura. 1988 Lee–Brickell. 1988 Leon. 1989 Krouk. 1989 Stern. 1989 Dumer. 1990 Coffey–Goodman. 1990 van Tilburg. 1991 Dumer. 1991 Coffey–Goodman–Farrell. 1993 Chabanne–Courteau. 1993 Chabaud.

  14. 6 1994 van Tilburg. 1994 Canteaut–Chabanne. 1998 Canteaut–Chabaud. 1998 Canteaut–Sendrier. 2008 Bernstein–Lange–Peters. 2009 Bernstein–Lange–Peters– van Tilborg. 2009 Finiasz–Sendrier. 2011 Bernstein–Lange–Peters. 2011 May–Meurer–Thomae. 2012 Becker–Joux–May–Meurer. 2013 Hamdaoui–Sendrier. 2015 May–Ozerov. 2016 Canto Torres–Sendrier. 2017 Both–May.

  15. 7 The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys as – → ∞ to achieve 2 – security against all attacks known today. Same c 0 ≈ 0 : 7418860694.

  16. 7 The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys as – → ∞ to achieve 2 – security against all attacks known today. Same c 0 ≈ 0 : 7418860694. Replacing – with 2 – stops all known quantum attacks: 2008 Bernstein, 2017 Kachigar– Tillich, 2018 Kirshanova.

  17. 7 The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys as – → ∞ to achieve 2 – security against all attacks known today. Same c 0 ≈ 0 : 7418860694. Replacing – with 2 – stops all known quantum attacks: 2008 Bernstein, 2017 Kachigar– Tillich, 2018 Kirshanova. Modern example, mceliece6960119 parameter set (2008 Bernstein–Lange–Peters): q = 8192, n = 6960, w = 119.

  18. 8 NIST competition 2016: U.S. National Institute of Standards and Technology starts “post-quantum” competition. 2017: 69 complete submissions. 2019: NIST selects 26 submissions for round 2.

  19. 8 NIST competition 2016: U.S. National Institute of Standards and Technology starts “post-quantum” competition. 2017: 69 complete submissions. 2019: NIST selects 26 submissions for round 2. “Classic McEliece”: submission from team of 12 people. Round-2 options: 8192128 , 6960119 , 6688128 , 460896 , 348864 .

  20. 9 Is Classic McEliece same as 1978 McEliece? Not exactly. 1978 McEliece prompted a huge amount of followup work. Some work improves efficiency while clearly preserving security: e.g., Niederreiter compression; e.g., many decoding speedups. Classic McEliece uses all this. Classic McEliece also aims for more than OW-Passive security.

  21. 10 Niederreiter key compression Generator matrix for code Γ of length n and dimension k : G ′ ∈ F k × n with Γ = F k 2 · G ′ . 2 McEliece public key: G = SG ′ for random invertible S ∈ F k × k . 2

  22. 10 Niederreiter key compression Generator matrix for code Γ of length n and dimension k : G ′ ∈ F k × n with Γ = F k 2 · G ′ . 2 McEliece public key: G = SG ′ for random invertible S ∈ F k × k . 2 Niederreiter instead reduces G ′ to the unique generator matrix in systematic form: G = ( I k | R ).

  23. 10 Niederreiter key compression Generator matrix for code Γ of length n and dimension k : G ′ ∈ F k × n with Γ = F k 2 · G ′ . 2 McEliece public key: G = SG ′ for random invertible S ∈ F k × k . 2 Niederreiter instead reduces G ′ to the unique generator matrix in systematic form: G = ( I k | R ). Pr ≈ 29% that systematic form exists. Security loss: < 2 bits.

  24. 11 Niederreiter ciphertext compression Use Niederreiter key G = ( I k | R ). McEliece ciphertext: mG + e ∈ F n 2 .

  25. 11 Niederreiter ciphertext compression Use Niederreiter key G = ( I k | R ). McEliece ciphertext: mG + e ∈ F n 2 . Niederreiter ciphertext, shorter: He ⊤ ∈ F ( n − k ) × 1 2 where H = ( R ⊤ | I n − k ).

  26. 11 Niederreiter ciphertext compression Use Niederreiter key G = ( I k | R ). McEliece ciphertext: mG + e ∈ F n 2 . Niederreiter ciphertext, shorter: He ⊤ ∈ F ( n − k ) × 1 2 where H = ( R ⊤ | I n − k ). Given H and Niederreiter’s He ⊤ , can attacker efficiently find e ?

  27. 11 Niederreiter ciphertext compression Use Niederreiter key G = ( I k | R ). McEliece ciphertext: mG + e ∈ F n 2 . Niederreiter ciphertext, shorter: He ⊤ ∈ F ( n − k ) × 1 2 where H = ( R ⊤ | I n − k ). Given H and Niederreiter’s He ⊤ , can attacker efficiently find e ? If so, attacker can efficiently find m; e given G and mG + e :

  28. 11 Niederreiter ciphertext compression Use Niederreiter key G = ( I k | R ). McEliece ciphertext: mG + e ∈ F n 2 . Niederreiter ciphertext, shorter: He ⊤ ∈ F ( n − k ) × 1 2 where H = ( R ⊤ | I n − k ). Given H and Niederreiter’s He ⊤ , can attacker efficiently find e ? If so, attacker can efficiently find m; e given G and mG + e : compute H ( mG + e ) ⊤ = He ⊤ ; find e ; compute m from mG .

  29. 12 Other choices of codes Niederreiter suggested Reed– Solomon codes. Broken in 1992 by Sidelnikov and Shestakov. More corpses: e.g., concatenated codes, Reed–Muller codes, several AG codes, Gabidulin codes, several LDPC codes.

  30. 12 Other choices of codes Niederreiter suggested Reed– Solomon codes. Broken in 1992 by Sidelnikov and Shestakov. More corpses: e.g., concatenated codes, Reed–Muller codes, several AG codes, Gabidulin codes, several LDPC codes. No proof that changing codes preserves security level. Classic McEliece: binary Goppa.

  31. 13 IND-CCA2 security OW-Passive security is too weak. Messages are not random. Attackers choose ciphertexts and observe reactions.

  32. 13 IND-CCA2 security OW-Passive security is too weak. Messages are not random. Attackers choose ciphertexts and observe reactions. Classic McEliece does more work for “IND-CCA2 security”. Combines coding theory with AES-GCM “authenticated cipher” and SHA-3 “hash function”. All messages are safe. Reusing keys is safe.

  33. 14 Time Cycles on Intel Haswell CPU core: params op cycles 45888 348864 enc 82684 460896 enc 6688128 enc 153372 6960119 enc 154972 8192128 enc 183892 dec 136840 348864 dec 273872 460896 6688128 dec 320428 6960119 dec 302460 8192128 dec 324008

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with: Tanja Lange, tue.nl My main question in this talk: Shouldnt NIST PQC simply standardize Classic McEliece, discard the other 25 proposals?

1.18k views • 79 slides
McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

1 2 McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical): me; Daniel J. Bernstein, Tung Chou, osaka-u.ac.jp ; uic.edu , rub.de Tanja Lange, tue.nl ; Joint work with: Ingo von Maurich;

1.87k views • 162 slides
McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

1 2 McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key: Daniel J. Bernstein, matrix G over F 2 . uic.edu , rub.de Normally m mG is injective. Tanja Lange, tue.nl Fundamental literature: 1962

2.16k views • 132 slides
McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J.

McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J.

McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J. Bernstein 1,2 and Tanja Lange 3 1 University of Illinois at Chicago 2 Ruhr University Bochum 3 Eindhoven University of Technology USENIX Security 2020

388 views • 19 slides
Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/ Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane

439 views • 28 slides
Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

1 Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

775 views • 58 slides
Tiny%Packet%Programs% for%low4latency%network%control% Vimal %

Tiny%Packet%Programs% for%low4latency%network%control% Vimal %

Tiny%Packet%Programs% for%low4latency%network%control% Vimal % Mohammad%Alizadeh,%Yilong%Geng,%Changhoon%Kim,%David%Mazires% Timescales%of%Network%FuncFons% Network% Load%Balancing% Virtual%Network% CongesFon% Forwarding%% Provisioning%

567 views • 29 slides
Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja

Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja

Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane Peters, Peter Schwabe 7 , Nicolas Sendrier 8

684 views • 25 slides
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
Why OpenSCL ? Network servers have become increasingly powerful over the years to the point

Why OpenSCL ? Network servers have become increasingly powerful over the years to the point

A detailed overview of OpenSCL from EBE Computing Why OpenSCL ? Network servers have become increasingly powerful over the years to the point where they now rival the performance of mainframe systems Network servers provide freedom of

1.17k views • 31 slides
WHERE CAN I PUT MY TINY HOUSE? TINY HOMES CARNIVAL 8 MARCH 2020 1 08 MAR 2020 WHO ARE WE? 2

WHERE CAN I PUT MY TINY HOUSE? TINY HOMES CARNIVAL 8 MARCH 2020 1 08 MAR 2020 WHO ARE WE? 2

WHERE CAN I PUT MY TINY HOUSE? TINY HOMES CARNIVAL 8 MARCH 2020 1 08 MAR 2020 WHO ARE WE? 2 08 MAR 2020 2017 JUNE LAUNCH TINY HOUSE PLANNING RESOURCE OUR GOAL: TO EXPLORE TINY HOUSES AS A MAINSTREAM HOUSING OPTION 3 08 MAR

770 views • 34 slides
Peak Efficiency Aware Scheduling for Highly Energy Proportional Servers Daniel Wong University

Peak Efficiency Aware Scheduling for Highly Energy Proportional Servers Daniel Wong University

Peak Efficiency Aware Scheduling for Highly Energy Proportional Servers Daniel Wong University of California, Riverside dwong@ece.ucr.edu Department of Electrical and Computer Engineering 2 Main Observations Servers are nearly energy

454 views • 21 slides
The Statistics Network The Statistics Network Statistics network Compute servers Desktop PCs

The Statistics Network The Statistics Network Statistics network Compute servers Desktop PCs

Where are my files? The Statistics Network The Statistics Network Statistics network Compute servers Desktop PCs fs0x: /homes Susan Hutchinson (Oxford) Computing in Statistics October 2018 1/1 Where are my files? Your local desktop

598 views • 16 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
The Internet Session 2 INST 346 Technologies, Infrastructure and Architecture Network structure

The Internet Session 2 INST 346 Technologies, Infrastructure and Architecture Network structure

The Internet Session 2 INST 346 Technologies, Infrastructure and Architecture Network structure network edge: mobile network hosts: clients and servers global ISP servers often in data centers home access networks, physical

394 views • 27 slides
1 Data-dr Data-driven philosophy n philosophy Data-dr Data-driven: push n: push 7 8

1 Data-dr Data-driven philosophy n philosophy Data-dr Data-driven: push n: push 7 8

What What is is a a senso sensor network? network? 2 Tiny, untethered nodes with severe resource constraints Sensors, e.g., light, moisture, Tiny CPU and memory Da Data ta-Driven Pr -Driven Proc ocessing essing

177 views • 7 slides
On the q -Analogue of Cauchy Matrices Alessandro Neri 17-21 June 2019 - VUB Alessandro Neri 19

On the q -Analogue of Cauchy Matrices Alessandro Neri 17-21 June 2019 - VUB Alessandro Neri 19

On the q -Analogue of Cauchy Matrices Alessandro Neri 17-21 June 2019 - VUB Alessandro Neri 19 June 2019 1 / 19 On the q -Analogue of Cauchy Matrices Alessandro Neri I am a friend of Finite Geometry! 17-21 June 2019 - VUB Alessandro Neri

631 views • 50 slides
Generalization of the Ball-Collision Algorithm Violetta Weger joint work with Carmelo Interlando,

Generalization of the Ball-Collision Algorithm Violetta Weger joint work with Carmelo Interlando,

Generalization of the Ball-Collision Algorithm Violetta Weger joint work with Carmelo Interlando, Karan Khathuria, Nicole Rohrer and Joachim Rosenthal University of Zurich 7th Code-Based Cryptography Workshop 19 May 2019 Violetta Weger

522 views • 34 slides
Generalized Gabidulin Codes and their Generator Matrices Alessandro Neri 23 July 2018 - LAWCI

Generalized Gabidulin Codes and their Generator Matrices Alessandro Neri 23 July 2018 - LAWCI

Generalized Gabidulin Codes and their Generator Matrices Alessandro Neri 23 July 2018 - LAWCI Alessandro Neri 11 June 2018 1 / 6 Generalized Reed-Solomon Codes Reed, Solomon (1960) F q [ x ] &lt; k := { f ( x ) F q [ x ] | deg f &lt; k }

255 views • 21 slides
Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software

Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software

Introduction Applications Notions of Reduced Bases Examples Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25,

757 views • 50 slides
Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Rohan Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of Correcting Codes Linear Error Correcting codes and Hadamard Codes Hamming Reed Solomon Code Definitions Basic Def An Error code is

291 views • 18 slides
Some aspects of codes over rings Peter J. Cameron p.j.cameron@qmul.ac.uk Galway, July 2009 This

Some aspects of codes over rings Peter J. Cameron p.j.cameron@qmul.ac.uk Galway, July 2009 This

Some aspects of codes over rings Peter J. Cameron p.j.cameron@qmul.ac.uk Galway, July 2009 This is work by two of my students, Josephine Kusuma and Fatma Al-Kharoosi Summary Codes over rings and orthogonal arrays Summary Codes over

1.07k views • 70 slides
of Software and the ATLAS project* Software Engineering Seminar Pascal Sprri *R. Clint Whaley,

of Software and the ATLAS project* Software Engineering Seminar Pascal Sprri *R. Clint Whaley,

Automated Empirical Optimizations of Software and the ATLAS project* Software Engineering Seminar Pascal Sprri *R. Clint Whaley, Antoine Petitet and Jack Dongarra. Parallel Computing, 27(1-2):3-35, 2001. Is Search Really Necessary to Generate

396 views • 27 slides
Non-Binary Polar Codes using Reed-Solomon Codes and Algebraic Geometry Codes Ryuhei Mori

Non-Binary Polar Codes using Reed-Solomon Codes and Algebraic Geometry Codes Ryuhei Mori

Non-Binary Polar Codes using Reed-Solomon Codes and Algebraic Geometry Codes Ryuhei Mori Toshiyuki Tanaka Graduate School of Informatics, Kyoto University Information Theory Workshop 2010 Contents Exponent of matrix Reed-Solomon matrix

307 views • 20 slides

More recommend