qcbits constant time small key code based cryptography
play

QcBits: constant-time small-key code-based cryptography Tung Chou - PowerPoint PPT Presentation

Jul 20, 2023 •226 likes •1k views

QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands Coding theory 2 Coding theory Linear codes 2 Coding theory Linear codes a linear subspace in F N 2 2 Coding theory

  1. QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands

  2. Coding theory 2

  3. Coding theory Linear codes 2

  4. Coding theory Linear codes • a linear subspace in F N 2 2

  5. Coding theory Linear codes • a linear subspace in F N 2 • can be defined by a parity-check matrix H , e.g., C = { c | Hc = 0 } 2

  6. Coding theory Linear codes • a linear subspace in F N 2 • can be defined by a parity-check matrix H , e.g., C = { c | Hc = 0 } Decoding 2

  7. Coding theory Linear codes • a linear subspace in F N 2 • can be defined by a parity-check matrix H , e.g., C = { c | Hc = 0 } Decoding • compute e (or c ) given c + e , where e is of weight ≤ t 2

  8. Coding theory Linear codes • a linear subspace in F N 2 • can be defined by a parity-check matrix H , e.g., C = { c | Hc = 0 } Decoding • compute e (or c ) given c + e , where e is of weight ≤ t • compute e given the syndrome He = H ( c + e ) 2

  9. Code-based encryption • McEliece versus Niederreiter plaintext ciphertext McEliece c c + e H ∗ e Niederreiter e 3

  10. Code-based encryption • McEliece versus Niederreiter plaintext ciphertext McEliece c c + e H ∗ e Niederreiter e • General shape McEliece/Niederreiter + some code 3

  11. Binary-Goppa and QC-MDPC McEliece/Niederreiter 4

  12. Binary-Goppa and QC-MDPC McEliece/Niederreiter Binary Goppa codes QC-MDPC codes Confidence unbroken since 1978 unbroken since 2013 4

  13. Binary-Goppa and QC-MDPC McEliece/Niederreiter Binary Goppa codes QC-MDPC codes Confidence unbroken since 1978 unbroken since 2013 Efficiency fast (McBits, CHES 2013) not so fast 4

  14. Binary-Goppa and QC-MDPC McEliece/Niederreiter Binary Goppa codes QC-MDPC codes Confidence unbroken since 1978 unbroken since 2013 Efficiency fast (McBits, CHES 2013) not so fast Key size ≈ 100 kilobytes ≈ 1 kilobyte 4

  15. Timeline 2013 • QC-MDPC McEliece (ISIT) 5

  16. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... 5

  17. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) 5

  18. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) 5

  19. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) The problem is timing attacks. 5

  20. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) The problem is timing attacks. 5

  21. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) The problem is timing attacks. • PQCrypto 2014: constant-time operations assuming no caches 5

  22. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) The problem is timing attacks. • PQCrypto 2014: constant-time operations assuming no caches • QcBits: constant-time for a wide-variety of 32/64-bit platforms 5

  23. Performance results platform key-pair encrypt decrypt reference scheme Haswell 784 192 82 732 1 560 072 (new) QcBits KEM/DEM 14 234 347 34 123 3 104 624 ACMTECS 2015 McEliece Cortex-M4 140 372 822 2 244 489 14 679 937 (new) QcBits KEM/DEM 63 185 108 2 623 432 18 416 012 PQCrypto 2016 KEM/DEM 148 576 008 7 018 493 42 129 589 PQCrypto 2014 McEliece Cycle counts for key-pair generation, encryption, and decryption for 80-bit pre-quantum security. Numbers in RED are non-constant-time. Numbers in BLUE are constant-time. 6

  24. QC-MDPC codes 7

  25. QC-MDPC codes • MDPC: moderate-density-parity-check 7

  26. QC-MDPC codes • MDPC: moderate-density-parity-check • QC: quasi-cyclic (for saving bandwidth and memory) 7

  27. QC-MDPC codes • MDPC: moderate-density-parity-check • QC: quasi-cyclic (for saving bandwidth and memory)   1 0 1 0 0 0 1 0 0 1 0 1 0 1 0 1 0 1 0 0   � �   ∈ F n × 2 n H ( 0 ) H ( 1 ) 0 0 1 0 1 0 1 0 1 0 =   2   1 0 0 1 0 0 0 1 0 1     0 1 0 0 1 1 0 0 1 0 7

  28. QC-MDPC codes • MDPC: moderate-density-parity-check • QC: quasi-cyclic (for saving bandwidth and memory)   1 0 1 0 0 0 1 0 0 1 0 1 0 1 0 1 0 1 0 0   � �   ∈ F n × 2 n H ( 0 ) H ( 1 ) 0 0 1 0 1 0 1 0 1 0 =   2   1 0 0 1 0 0 0 1 0 1     0 1 0 0 1 1 0 0 1 0 QcBits: • [ n = 4801 , w = 90 , t = 84 ] for 80-bit security 7

  29. QC-MDPC codes • MDPC: moderate-density-parity-check • QC: quasi-cyclic (for saving bandwidth and memory)   1 0 1 0 0 0 1 0 0 1 0 1 0 1 0 1 0 1 0 0   � �   ∈ F n × 2 n H ( 0 ) H ( 1 ) 0 0 1 0 1 0 1 0 1 0 =   2   1 0 0 1 0 0 0 1 0 1     0 1 0 0 1 1 0 0 1 0 QcBits: • [ n = 4801 , w = 90 , t = 84 ] for 80-bit security • further requires H ( i ) to have row weight w / 2 (same for the Bochum papers) 7

  30. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv . 8

  31. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 8

  32. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 8

  33. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 + ) ∈ Z 2 n � 2 0 1 1 0 0 1 1 0 2 � u = 8

  34. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 + ) ∈ Z 2 n � 2 0 1 1 0 0 1 1 0 2 � u = Flip v i if u i is large. Repeat until Hv = 0. 8

  35. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 + ) ∈ Z 2 n � 2 0 1 1 0 0 1 1 0 2 � u = Flip v i if u i is large. Repeat until Hv = 0. Rationale 8

  36. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 + ) ∈ Z 2 n � 2 0 1 1 0 0 1 1 0 2 � u = Flip v i if u i is large. Repeat until Hv = 0. Rationale • parity = 0: perhaps no errors. no information. 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

746 views • 73 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work

969 views • 94 slides
McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands October 13, 2015 Joint work with Daniel J. Bernstein and Peter Schwabe Outline Summary of Our Work Background Main

439 views • 32 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

823 views • 46 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

643 views • 52 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

625 views • 41 slides
McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University

902 views • 43 slides
Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

1 Code-based Cryptography Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien Schrek. A new zero-knowledge code based identification scheme with reduced communication. In ITW 2011 , pages 648

284 views • 6 slides
Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW

Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW

Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW implementations Small code size for SW implementation Low power or energy or both Reasonably fast computation time 2 This talk

675 views • 43 slides
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos ( joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based Cryptography Workshop Technical

301 views • 17 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for

Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for

1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr

381 views • 36 slides
Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global Map public-key cryptography classic post-quantum lattice code multivariate hash isogenies . . . McEliece Niederreiter . . . GRS codes

1.04k views • 73 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
FPL 2019 High-performance Decoding of Variable-length Memory Data Packets for FPGA Stream

FPL 2019 High-performance Decoding of Variable-length Memory Data Packets for FPGA Stream

FPL 2019 High-performance Decoding of Variable-length Memory Data Packets for FPGA Stream Processing Roberto Sierra (Integrated Systems Laboratory UPM) Filippo Mangani (Integrated Systems Laboratory - UPM) Carlos Carreras (Integrated

107 views • 6 slides
Light Meson Spectroscopy at BESIII Tianjue Min Institute of High Energy Physics, Chinese Academy

Light Meson Spectroscopy at BESIII Tianjue Min Institute of High Energy Physics, Chinese Academy

Light Meson Spectroscopy at BESIII Tianjue Min Institute of High Energy Physics, Chinese Academy of Sciences On Behalf of f th the BESIII Collaboration th International Workshop on Meson Production, 14 th 14 , Properties and Interaction nd -

397 views • 25 slides
Belle BELLE2-NOTE-PH-2015-011 April 26, 2016 L1 Trigger Menu for Low Multiplicity Physics

Belle BELLE2-NOTE-PH-2015-011 April 26, 2016 L1 Trigger Menu for Low Multiplicity Physics

Belle BELLE2-NOTE-PH-2015-011 April 26, 2016 L1 Trigger Menu for Low Multiplicity Physics (draft version 1.0) T. Ferber and C. Hearty University of British Columbia, Vancouver C. H. Li School of Physics, The University of Melbourne, Victoria

363 views • 23 slides
3D from Photographs: Introduction Dr. Gianpaolo Palma gianpaolo.palam@isti.cnr.it 3D from

3D from Photographs: Introduction Dr. Gianpaolo Palma gianpaolo.palam@isti.cnr.it 3D from

3D from Photographs: Introduction Dr. Gianpaolo Palma gianpaolo.palam@isti.cnr.it 3D from Photographs 3D from photographs is a technology that allows us to do a 3D reconstruction of a real-world scene starting from a set of photographs as

825 views • 80 slides
Massively Parallel Architectures MPP Specifics Cluster Computing No shared memory Scales

Massively Parallel Architectures MPP Specifics Cluster Computing No shared memory Scales

Cluster Computing Massively Parallel Architectures MPP Specifics Cluster Computing No shared memory Scales to hundreds or thousands of processors Homogeneous sub-components Advanced Custom Interconnects MPP Architectures

481 views • 36 slides
ETH Vorlesung Systembau / Lecture System Construction Discussion: Why Build from Scratch? (2)

ETH Vorlesung Systembau / Lecture System Construction Discussion: Why Build from Scratch? (2)

ETH Vorlesung Systembau / Lecture System Construction Discussion: Why Build from Scratch? (2) >252-0286-00L - Dr. Felix Friedrich, Paul Reed - eliminate surprises: deliver on time and on budget > - highly flexible solution >Case

51 views • 3 slides
Pipeline Oriented Implementation of NORX for ARM Processors Luan Cardoso dos Santos

Pipeline Oriented Implementation of NORX for ARM Processors Luan Cardoso dos Santos

Pipeline Oriented Implementation of NORX for ARM Processors Luan Cardoso dos Santos luan@lasca.ic.unicamp.br Julio Lpez jlopez@ic.unicamp.br November 7, 2017 Institute of Computating - UNICAMP LASCA Table of contents 1. Introduction 2.

644 views • 45 slides
ATLAS Detector Commissioning Oslo EPF group aspect Y. Pylypchenko 1 , M. Pedersen 3 O. Rhne 2 ,

ATLAS Detector Commissioning Oslo EPF group aspect Y. Pylypchenko 1 , M. Pedersen 3 O. Rhne 2 ,

ATLAS Detector Commissioning Oslo EPF group aspect Y. Pylypchenko 1 , M. Pedersen 3 O. Rhne 2 , K. Pajchel 4 1 Introduction. Detector Constrol System 2 Data flow & Data Aquisition System 3 Data Quality Online Monitoring 4 Offline Monitoring

348 views • 30 slides

More recommend