ouroboros a simple secure and efficient key exchange
play

Ouroboros: a simple, secure and efficient key exchange protocol based - PowerPoint PPT Presentation

Feb 29, 2024 •693 likes •1.54k views

Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory Jean-Christophe Deneuville < jean-christophe.deneuville@xlim.fr > June the 26 th , 2017 PQCrypto 17 Utrecht Joint work with: P. Gaborit G. Z

  1. Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory Jean-Christophe Deneuville < jean-christophe.deneuville@xlim.fr > June the 26 th , 2017 PQCrypto ’17 Utrecht Joint work with: P. Gaborit G. Z´ emor University of Limoges University of Bordeaux

  2. Motivations [ME78]

  3. Motivations [ME78] [Nie86]

  4. Motivations RS 80’s BCH [ME78] [Nie86] ↓ Goppa 00’s RM

  5. Motivations Key Sizes RS 80’s BCH [ME78] [Nie86] ↓ Goppa 00’s RM Security reduction to a standard problem (random codes)

  6. Motivations Key Sizes RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof

  7. Motivations Key Sizes Rank [Gab91] Metric RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof

  8. Motivations Key Sizes Rank [Gab91] Metric RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  9. Motivations Group [Gab05] action Key Sizes Rank [Gab91] Metric RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  10. Motivations Group [Gab05] action Key Sizes Rank [Gab91] [Ove07] Metric Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  11. Motivations Group [Gab05] action [BBC08] QC-LDPC Key Sizes Rank [Gab91] [Ove07] Metric Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  12. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] action [BBC08] QC-LDPC Key Sizes Rank [Gab91] [Ove07] Metric Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  13. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] action [BBC08] QC-LDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  14. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action [BBC08] [MTSB13] QC-LDPC QC-MDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  15. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action [BBC08] [MTSB13] QC-LDPC QC-MDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM HQC Security proof [Ale03] [ABDGZ16] RQC

  16. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action [BBC08] [MTSB13] QC-LDPC QC-MDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Bottom Line Goppa Most of them broken 00’s RM HQC Security proof [Ale03] [ABDGZ16] RQC

  17. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action [BBC08] [MTSB13] QC-LDPC QC-MDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Bottom Line Goppa Most of them broken 00’s RM y c n HQC e i c i Security proof f [Ale03] [ABDGZ16] f E k RQC c a L

  18. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action f [BBC08] [MTSB13] o o QC-LDPC QC-MDPC r P Key Sizes a [GMRZ13] k Rank [Gab91] c QC-LRPC a [Ove07] Metric L Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Bottom Line Goppa Most of them broken 00’s RM y c n HQC e i c i Security proof f [Ale03] [ABDGZ16] f E k RQC c a L

  19. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action f o [BBC08] [MTSB13] o r QC-LDPC QC-MDPC P Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Bottom Line Goppa Most of them broken 00’s RM y c n HQC e i c i f Security proof [Ale03] [ABDGZ16] f E RQC

  20. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion Outline Reminders on HQC 1 Presentation of the Ouroboros protocol 2 Security 3 Parameters 4 June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 3 / 21

  21. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion HQC Encryption Scheme [ABD + 16] Encryption scheme in H amming metric, using Q uasi- C yclic Codes Notation: Secret data - Public data - One-time Randomness G is the generator matrix of some public code C . Alice Bob $ seed h ← { 0 , 1 } λ , h ← F n seed h 2 $ ← S n seed h , s x , y w ( F 2 ), s ← x + hy − − − − − − − − − → $ $ ← S n ← S n r 1 , r 2 w ( F 2 ), ǫ cw ( F 2 ) v ← r 1 + hr 2 , ρ ← µ G + sr 2 + ǫ v , ρ ← − − − − − − − µ ← C . Decode ( ρ − vy ) June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 4 / 21

  22. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion HQC Encryption Scheme [ABD + 16] Encryption scheme in H amming metric, using Q uasi- C yclic Codes Notation: Secret data - Public data - One-time Randomness G is the generator matrix of some public code C . Alice Bob $ seed h ← { 0 , 1 } λ , h ← F n seed h 2 $ ← S n seed h , s x , y w ( F 2 ), s ← x + hy − − − − − − − − − → $ $ ← S n ← S n r 1 , r 2 w ( F 2 ), ǫ cw ( F 2 ) v ← r 1 + hr 2 , ρ ← µ G + sr 2 + ǫ v , ρ ← − − − − − − − µ ← C . Decode ( ρ − vy ) June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 4 / 21

  23. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion HQC Encryption Scheme [ABD + 16] Encryption scheme in H amming metric, using Q uasi- C yclic Codes Notation: Secret data - Public data - One-time Randomness G is the generator matrix of some public code C . Alice Bob $ seed h ← { 0 , 1 } λ , h ← F n seed h 2 $ ← S n seed h , s x , y w ( F 2 ), s ← x + hy − − − − − − − − − → $ $ ← S n ← S n r 1 , r 2 w ( F 2 ), ǫ cw ( F 2 ) v ← r 1 + hr 2 , ρ ← µ G + sr 2 + ǫ v , ρ ← − − − − − − − µ ← C . Decode ( ρ − vy ) June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 4 / 21

  24. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion HQC Encryption Scheme [ABD + 16] Encryption scheme in H amming metric, using Q uasi- C yclic Codes Notation: Secret data - Public data - One-time Randomness G is the generator matrix of some public code C . Alice Bob $ seed h ← { 0 , 1 } λ , h ← F n seed h 2 $ ← S n seed h , s x , y w ( F 2 ), s ← x + hy − − − − − − − − − → $ $ ← S n ← S n r 1 , r 2 w ( F 2 ), ǫ cw ( F 2 ) v ← r 1 + hr 2 , ρ ← µ G + sr 2 + ǫ v , ρ ← − − − − − − − µ ← C . Decode ( ρ − vy ) June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 4 / 21

  25. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion Correctness Correctness Property Decrypt (sk , Encrypt (pk , µ , θ )) = µ C .Decode correctly decodes ρ − v · y whenever the error term is not too big ω ( s · r 2 − v · y + ǫ ) ≤ δ ω (( x + h · y ) · r 2 − ( r 1 + h · r 2 ) · y + ǫ ) ≤ δ ω ( x · r 2 − r 1 · y + ǫ ) ≤ δ Error distribution analysis → Decryption failure probability better understood June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 5 / 21

  26. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion Correctness Correctness Property Decrypt (sk , Encrypt (pk , µ , θ )) = µ C .Decode correctly decodes ρ − v · y whenever the error term is not too big ω ( s · r 2 − v · y + ǫ ) ≤ δ ω (( x + h · y ) · r 2 − ( r 1 + h · r 2 ) · y + ǫ ) ≤ δ ω ( x · r 2 − r 1 · y + ǫ ) ≤ δ Error distribution analysis → Decryption failure probability better understood June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 5 / 21

  27. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion Correctness Correctness Property Decrypt (sk , Encrypt (pk , µ , θ )) = µ C .Decode correctly decodes ρ − v · y whenever the error term is not too big ω ( s · r 2 − v · y + ǫ ) ≤ δ ω (( x + h · y ) · r 2 − ( r 1 + h · r 2 ) · y + ǫ ) ≤ δ ω ( x · r 2 − r 1 · y + ǫ ) ≤ δ Error distribution analysis → Decryption failure probability better understood June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 5 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Cline Chevalier David Pointcheval Damien Vergnaud Horst Grtz Institute for IT Security / Ruhr-University Bochum ENS /

914 views • 45 slides
Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava CCSW 2009: The ACM Cloud Computing Security Workshop 1 The Problem Providing secure and

414 views • 19 slides
Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment pain The vision The Octomizer: TVM for everyone 2 Simple, secure, and efficient Drive TVM adoption Expand the set of users who can deployment of

370 views • 14 slides
PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable health information among stakeholders and regional networks Vision to develop a framework for the efficient exchange of patient-centric health

478 views • 21 slides
Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung Chan (CityU) Joint work with Navin Kashyap (IISc), Praneeth Kumar Vippathalla, (IISc) and Qiaoqiao Zhou (CUHK) Audio slides:

443 views • 17 slides
Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE Convenient What is Secure Returns ? Secure Returns is a secure website where you and your clients can securely upload &amp; download confidential

202 views • 9 slides
Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure Metering Issues and Extensions Real World Other Directions Metering for General Access Structures Understanding the model Audit Agency

480 views • 35 slides
MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and Neil Brinkley Background The MRA and SPAA require that Suppliers and Networks Operators work together to resolve a number of issues that may arise

975 views • 28 slides
Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation

Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation

Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation One approach Lightweight Security Secure and Efficient Metering Motivation Advertising Webpage popularity Cost Measure

993 views • 49 slides
Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure OT is impossible (even against PPT adversaries) in the plain model (i.e., without the help of another functionality) But possible from simple

527 views • 16 slides
MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane Denny and Alessandro Scarlatti Background The majority of communications in the Electricity and Gas Market are managed by sending Data Flows

293 views • 15 slides
An efficient and simple class of functions to M. Boyer model arrival curve of packetised flows

An efficient and simple class of functions to M. Boyer model arrival curve of packetised flows

An efficient and simple class An efficient and simple class of functions to M. Boyer model arrival curve of packetised flows Network calculus Marc Boyer, J orn Migge, Nicolas Navet Shaping, packetization and computation time Swaping

488 views • 26 slides
Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of Tsukuba, Japan JST CREST Secure Outsourcing GWAS Secure computation [Cloud] Outline of our solution [data holder] Secure

381 views • 19 slides
OUROBOROS-R, an IND-CPA KEM based on Rank Metric NIST First Post-Quantum Cryptography

OUROBOROS-R, an IND-CPA KEM based on Rank Metric NIST First Post-Quantum Cryptography

Presentation of the rank metric Description of the scheme Security and parameters OUROBOROS-R, an IND-CPA KEM based on Rank Metric NIST First Post-Quantum Cryptography Standardization Conference Carlos AguilarMelchor 2 Nicolas Aragon 1 Slim

157 views • 15 slides
Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a

Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a

Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a Secure Sustainable Power System 17 th August 2011 Outline Agenda Chair: Dick Lewis, Manager, Grid Operations Planning 10.00 a.m. Registration (Tea

833 views • 70 slides
Reflecting cones on boolean algebras David Milovich May 13, 2006 A poset P is is op -like

Reflecting cones on boolean algebras David Milovich May 13, 2006 A poset P is is op -like

Reflecting cones on boolean algebras David Milovich May 13, 2006 A poset P is is op -like if x P | x | = |{ y P : y x }| &lt; . A base of a space X is a family B of open sets such that p X U open p

597 views • 12 slides
Multimodal Database of Negative Emotion Recovery in Dyadic Interactions: Construction and Analysis

Multimodal Database of Negative Emotion Recovery in Dyadic Interactions: Construction and Analysis

Multimodal Database of Negative Emotion Recovery in Dyadic Interactions: Construction and Analysis Nurul l Lu Lubis is, Michael Heck, Sakriani Sakti, Koichiro Yoshino, Satoshi Nakamura Nara Institute of Science and Technology 18-Sep-18 Nurul

580 views • 15 slides
Calder on-Zygmund theory Updated May 23, 2020 Plan 2 Outline: Statement and motivation

Calder on-Zygmund theory Updated May 23, 2020 Plan 2 Outline: Statement and motivation

Calder on-Zygmund theory Updated May 23, 2020 Plan 2 Outline: Statement and motivation Proof via Marcinkiewicz and duality Applications to Hilbert and inverse-Fourier transform General Calder on-Zygmund kernels Motivations 3 Q: What

853 views • 33 slides
Natural Parametrization for the Scaling Limit of Loop-Erased Random Walk in Three Dimensions

Natural Parametrization for the Scaling Limit of Loop-Erased Random Walk in Three Dimensions

Natural Parametrization for the Scaling Limit of Loop-Erased Random Walk in Three Dimensions Xinyi Li , the University of Chicago Peking University joint work with Daisuke Shiraishi (Kyoto University) August 2019, Fukuoka 1 /

732 views • 41 slides
Solving a Dirichlet problem for Poissons Equation on a disc is as hard as integration.

Solving a Dirichlet problem for Poissons Equation on a disc is as hard as integration.

Definitions and examples Complexity of integration Poissons problem on a disc Solving a Dirichlet problem for Poissons Equation on a disc is as hard as integration. Akitoshi Kawamura, Florian Steinberg, Martin Ziegler Technische

725 views • 17 slides
Data Streams &amp; Communication Complexity Lecture 1: Simple Stream Statistics in Small Space

Data Streams &amp; Communication Complexity Lecture 1: Simple Stream Statistics in Small Space

Data Streams &amp; Communication Complexity Lecture 1: Simple Stream Statistics in Small Space Andrew McGregor, UMass Amherst 1/25 Data Stream Model Stream: m elements from universe of size n , e.g., x 1 , x 2 , . . . , x m = 3

1.18k views • 102 slides
Two-Weight Inequalities for Commutators with Calder on-Zygmund Operators Irina Holmes Joint

Two-Weight Inequalities for Commutators with Calder on-Zygmund Operators Irina Holmes Joint

Two-Weight Inequalities for Commutators with Calder on-Zygmund Operators Irina Holmes Joint work with B. D. Wick, M. Lacey, R. Rahm, S. Spencer, S. Petermichl Michigan State University Midwestern Workshop on Asymptotic Analysis IUPUI,

1.33k views • 117 slides
Vectors and Matrices Basilio Bona DAUIN Politecnico di Torino October 2013 B. Bona (DAUIN)

Vectors and Matrices Basilio Bona DAUIN Politecnico di Torino October 2013 B. Bona (DAUIN)

Vectors and Matrices Basilio Bona DAUIN Politecnico di Torino October 2013 B. Bona (DAUIN) Vectors and Matrices October 2013 1 / 40 1. Geometrical vectors A geometrical vector p represents a point P in space. The point P is an

512 views • 40 slides

More recommend