qc mdpc a timing attack and a cca2 kem
play

QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 - PowerPoint PPT Presentation

Oct 29, 2023 •134 likes •1.05k views

QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 Edward Eaton 1 , Matthieu Lequesne 2,3 , Alex Parent 1 and Nicolas Sendrier 3 1 - ISARA Corporation, Waterloo, Canada 2 - Sorbonne Universit Paris, France 3 - Inria Paris,

  1. QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto – April 9, 2018 Edward Eaton 1 , Matthieu Lequesne 2,3 , Alex Parent 1 and Nicolas Sendrier 3 1 - ISARA Corporation, Waterloo, Canada 2 - Sorbonne Université Paris, France 3 - Inria Paris, France – team Secret

  2. Context

  3. Public Key Cryptography ... 1011010001101 RSA [1977]

  4. Public Key Cryptography + + [1994] ... 1011010001101 /////////// RSA [1977] ??? 2

  5. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] 3

  6. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) 3

  7. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) Goal: achieve relatively short keys 3

  8. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) Goal: achieve relatively short keys Idea: use (quasi)-cyclic structure. 3

  9. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) Goal: achieve relatively short keys Idea: use (quasi)-cyclic structure. 3

  10. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) Goal: achieve relatively short keys Idea: use (quasi)-cyclic structure. 3

  11. QC-MDPC McEliece

  12. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 )

  13. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) private key � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d

  14. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d

  15. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t

  16. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t c = e 0 + e 1 · q

  17. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t c = e 0 + e 1 · q c · h 0 = e 0 h 0 + e 1 h 1 ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 )

  18. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t c = e 0 + e 1 · q c · h 0 = e 0 h 0 + e 1 h 1 ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 ) Shared secret: ( e 0 , e 1 ) .

  19. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t c = e 0 + e 1 · q c · h 0 = e 0 h 0 + e 1 h 1 ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 ) Shared secret: ( e 0 , e 1 ) . 5

  20. QC-MDPC McEliece: Bit Flip Decoding ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 ) � �� � s 6

  21. QC-MDPC McEliece: Bit Flip Decoding ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 ) � �� � s Find a sparse solution ( e 0 , e 1 ) such that:         e 0         h 0 h 1               � �       · = s                             e 1         6

  22. QC-MDPC McEliece: Bit Flip Syndrome Decoding Input: H the parity-check matrix of the code C , s the syndrome Output: An error e of small weight such that He ⊺ = s e ← 0; s ′ ← s − He ⊺ while s ′ � = 0 do for j = 1 , . . . , n do if σ j = � s ′ , h j � ≥ threshold then Flip( e j ) s ′ ← s − He ⊺ return e 7

  23. QC-MDPC McEliece: Bit Flip Syndrome Decoding Input: H the parity-check matrix of the code C , s the syndrome Output: An error e of small weight such that He ⊺ = s e ← 0; s ′ ← s − He ⊺ while s ′ � = 0 do for j = 1 , . . . , n do if σ j = � s ′ , h j � ≥ threshold then Flip( e j ) s ′ ← s − He ⊺ return e - While loop: variable number of iterations. 7

  24. QC-MDPC McEliece: Bit Flip Syndrome Decoding Input: H the parity-check matrix of the code C , s the syndrome Output: An error e of small weight such that He ⊺ = s e ← 0; s ′ ← s − He ⊺ while s ′ � = 0 do for j = 1 , . . . , n do if σ j = � s ′ , h j � ≥ threshold then Flip( e j ) s ′ ← s − He ⊺ return e - While loop: variable number of iterations. - Decoding algorithm fails with a small probability (DFR). 7

  25. QC-MDPC McEliece: Bit Flip Syndrome Decoding Input: H the parity-check matrix of the code C , s the syndrome Output: An error e of small weight such that He ⊺ = s e ← 0; s ′ ← s − He ⊺ while s ′ � = 0 do for j = 1 , . . . , n do if σ j = � s ′ , h j � ≥ threshold then Flip( e j ) s ′ ← s − He ⊺ return e - While loop: variable number of iterations. - Decoding algorithm fails with a small probability (DFR). - Thresholds? 7

  26. The GJS Attack

  27. The GJS Attack [GJS] Guo, Johansson, Stankovski, Asiacrypt 2016 Observation [GJS] When two non-zero bits appear at a distance δ both in the secret key and in the error vector, a decoding failure is less likely to occur. 9

  28. Example: δ = 1     1 1 0 0 1 1 0 0 0 0   0 1 1 0 0 1 1 0 0   1          0 0 1 1 0 0 1 1 0  0         0 0 0 1 1 0 0 1 1 0           H = s = 1 0 0 0 1 1 0 0 1 1           0 1 1 0 0 0 1 1 0 0          1  0 1 1 0 0 0 1 1 0           0 0 0 1 1 0 0 0 1 1     1 1 0 0 1 1 0 0 0 1 � � e = 1 1 0 0 0 0 0 0 0 10

  29. Example: δ = 1     1 1 0 0 1 1 0 0 0 0   0 1 1 0 0 1 1 0 0   1          0 0 1 1 0 0 1 1 0  0         0 0 0 1 1 0 0 1 1 0           H = s = 1 0 0 0 1 1 0 0 1 1           0 1 1 0 0 0 1 1 0 0          1  0 1 1 0 0 0 1 1 0           0 0 0 1 1 0 0 0 1 1     1 1 0 0 1 1 0 0 0 1 � � e = 1 1 0 0 0 0 0 0 0 10

  30. Example: δ = 1     1 1 0 0 1 1 0 0 0 0   0 1 1 0 0 1 1 0 0   1          0 0 1 1 0 0 1 1 0  0         0 0 0 1 1 0 0 1 1 0           H = s = 1 0 0 0 1 1 0 0 1 1           0 1 1 0 0 0 1 1 0 0          1  0 1 1 0 0 0 1 1 0           0 0 0 1 1 0 0 0 1 1     1 1 0 0 1 1 0 0 0 1 � � e = 1 1 0 0 0 0 0 0 0 10

  31. The GJS Attack [GJS] Guo, Johansson, Stankovski, Asiacrypt 2016 Observation [GJS] When two non-zero bits appear at a distance δ both in the secret key and in the error vector, a decoding failure is less likely to occur. ⇒ By observing the DFR for different error paterns we can recover information on the key. 11

  32. The Distance Spectrum [GJS] Definition (Distance Spectrum) h = 1001000001 12

  33. The Distance Spectrum [GJS] Definition (Distance Spectrum) h = 1001000001 ∆( h ) ⊇ { 1 } 12

  34. The Distance Spectrum [GJS] Definition (Distance Spectrum) h = 1001000001 ∆( h ) ⊇ { 1 , 3 } 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul Stankovski 2 , Pavol Zajac 1 , Qian Guo 2 , Thomas Johansson

693 views • 37 slides
A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of

A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of

A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of Bergen. This is a joint work with Thomas Johansson and Paul Stankovski. Finse winter school 2018 May 11th, 2018 Outline 1 Motivation 2 Background on

813 views • 38 slides
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016 Outline 1 Motivation 2 Background on

381 views • 36 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack Algorithms leak information Nice example of practice trumping theoretical security Hardening algorithms: randomization Privilege separation

1.11k views • 69 slides
Skiplist Timing Attack Vulnerability Eyal Nussbaum PhD Student, Communication Systems Engineering

Skiplist Timing Attack Vulnerability Eyal Nussbaum PhD Student, Communication Systems Engineering

Skiplist Timing Attack Vulnerability Eyal Nussbaum PhD Student, Communication Systems Engineering School of Electrical and Computer Engineering Ben-Gurion University of the Negev Advisor: Professor Michael Segal Talk Overview Introduction

203 views • 19 slides
Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack Summary : The attack was severe and sophisticated; categorized as a catastrophic attack. It was highly strategic with regard to timing

329 views • 16 slides
IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in

IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in

MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 1 Overview Notion of

396 views • 20 slides
Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng

Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng

Computer Science Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng Ning, Douglas Reeves North Carolina State Univ. Xinyuan Wang George Mason Univ. 1 Attack Through Stepping Stones Telnet/ Attack

460 views • 20 slides
The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen, Nick Nikiforakis Background: Timing attacks Introduced by Felten et al. in 2000. A side-channel attack analyzing the time that it takes to a

642 views • 21 slides
HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th , 2019 NIST 2 nd PQC Standardization Conference Santa-Barbara https://pqc-hqc.org C. Aguilar Melchor ISAE-Supa ero, University of Toulouse N.

188 views • 15 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of Science, Finland {bbrumley,ntuveri}@tcs.hut.fi Synopsis New remote timing attack vulnerability in OpenSSLs implementation of Montgomerys

487 views • 25 slides
Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&Time vs. MbedTLS AES on STM32

477 views • 20 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Shared Decision Making May 18, 2015 1:00 p.m. 2:30 p.m. ET Sponsored by: Agency for

Shared Decision Making May 18, 2015 1:00 p.m. 2:30 p.m. ET Sponsored by: Agency for

Overcoming Barriers To Shared Decision Making May 18, 2015 1:00 p.m. 2:30 p.m. ET Sponsored by: Agency for Healthcare Research and Quality (AHRQ) 1 Presenters and moderator disclosures The following presenters and moderator have no

938 views • 79 slides
NEW ZEALAND NEW ZEALAND NEW ZEALAND NEW ZEALAND AND THE WOODY ALLEN AND THE WOODY ALLEN AND

NEW ZEALAND NEW ZEALAND NEW ZEALAND NEW ZEALAND AND THE WOODY ALLEN AND THE WOODY ALLEN AND

NEW ZEALAND NEW ZEALAND NEW ZEALAND NEW ZEALAND AND THE WOODY ALLEN AND THE WOODY ALLEN AND THE WOODY ALLEN AND THE WOODY ALLEN SYNDROME SYNDROME SYNDROME SYNDROME by by SEBASTIAN EDWARDS SEBASTIAN EDWARDS University of California,

555 views • 22 slides
Address Subcommittee Meeting August 14, 2019 11:00 am 12:30 pm Eastern US Department of

Address Subcommittee Meeting August 14, 2019 11:00 am 12:30 pm Eastern US Department of

Address Subcommittee Meeting August 14, 2019 11:00 am 12:30 pm Eastern US Department of Transportation Meeting Agenda 1. Welcome and Introductions/Roll Call 2. NAD Updates Steve Lewis 3. Address Content Subgroup Recommendations for the

681 views • 31 slides
CMB and Kinetic Inductance Detectors Clarence Chang ANL & KICP MKIDs & Cosmology

CMB and Kinetic Inductance Detectors Clarence Chang ANL & KICP MKIDs & Cosmology

CMB and Kinetic Inductance Detectors Clarence Chang ANL & KICP MKIDs & Cosmology Workshop FNAL August 26-27, 2013 Outline Quick (and incomplete) overview of CMB science Key concepts for CMB technology Current &

570 views • 40 slides
A few thoughts on eee Chih-Hsiang Cheng, Bertrand Echenard, David Hitlin, Frank Porter

A few thoughts on eee Chih-Hsiang Cheng, Bertrand Echenard, David Hitlin, Frank Porter

A few thoughts on eee Chih-Hsiang Cheng, Bertrand Echenard, David Hitlin, Frank Porter California Institute of Technology Intensity frontier workshop Argonne April 2013 Probing Lorentz structure of New Physics Y. Okada et al. , PRD 61

325 views • 8 slides
802.1 Plenary July 2019 Vienna, Austria Closing Agenda John Messenger IEEE 802.1 Acting

802.1 Plenary July 2019 Vienna, Austria Closing Agenda John Messenger IEEE 802.1 Acting

802.1 Plenary July 2019 Vienna, Austria Closing Agenda John Messenger IEEE 802.1 Acting WG Chair JMessenger@advaoptical.com 802.1 plenary agenda Monday opening Thursday closing Call for Patents Call for Patents

1.36k views • 106 slides
DE1.3 - Electronics 1 TOPIC 1 Introducing the Module Prof Peter YK Cheung Dyson School of

DE1.3 - Electronics 1 TOPIC 1 Introducing the Module Prof Peter YK Cheung Dyson School of

Design Engineering Year 1 DE1.3 - Electronics 1 TOPIC 1 Introducing the Module Prof Peter YK Cheung Dyson School of Design Engineering Imperial College London URL: www.ee.ic.ac.uk/pcheung/teaching/DE1_EE/ E-mail: p.cheung@imperial.ac.uk

437 views • 6 slides
Model Theory of the Reflection Scheme Ali Enayat (+ Shahram Mohsenipour) Fifty Years of

Model Theory of the Reflection Scheme Ali Enayat (+ Shahram Mohsenipour) Fifty Years of

Model Theory of the Reflection Scheme Ali Enayat (+ Shahram Mohsenipour) Fifty Years of Generalized Quantifiers Warsaw, Banach Center, June 2007 The reflection principle for ZF : for any set theoretical formula ( x ) (possibly with

201 views • 19 slides

More recommend