QcBits: constant-time small-key code-based cryptography Tung Chou - - PowerPoint PPT Presentation



SLIDE 1

QcBits: constant-time small-key code-based cryptography

Tung Chou

Technische Universiteit Eindhoven, The Netherlands

SLIDE 8

Coding theory

Linear codes

  • a linear subspace in $\mathbb{F}_2^N$
  • can be defined by a parity-check matrix $H$, e.g., $C = \{\, c \mid Hc = 0 \,\}$

Decoding

  • compute $e$ (or $c$) given $c + e$, where $e$ is of weight $\le t$
  • compute $e$ given the syndrome $He = H(c + e)$

SLIDE 10

Code-based encryption

  • McEliece versus Niederreiter

                    plaintext    ciphertext
      McEliece      c            c + e
      Niederreiter  e            H*e

  • General shape

McEliece/Niederreiter + some code

SLIDE 14

Binary-Goppa and QC-MDPC McEliece/Niederreiter

                    Binary Goppa codes            QC-MDPC codes
      Confidence    unbroken since 1978           unbroken since 2013
      Efficiency    fast (McBits, CHES 2013)      not so fast
      Key size      ≈ 100 kilobytes               ≈ 1 kilobyte

SLIDE 22

Timeline

  2013 • QC-MDPC McEliece (ISIT)
       • Bochum people felt like implementing it...
       • on FPGAs (CHES)
  2014 • on FPGAs, microcontrollers (PQCrypto, DATE)
  2015 • on Haswell CPUs (ACM-TECS)
  2016 • on microcontrollers (PQCrypto)
       • QcBits (new)

The problem is timing attacks.

  • PQCrypto 2014: constant-time operations assuming no caches
  • QcBits: constant-time for a wide variety of 32/64-bit platforms

SLIDE 23

Performance results

      platform     key-pair      encrypt      decrypt      reference       scheme
      Haswell        784 192       82 732    1 560 072    (new)           QcBits KEM/DEM
      Haswell     14 234 347       34 123    3 104 624    ACM-TECS 2015   McEliece
      Cortex-M4  140 372 822    2 244 489   14 679 937    (new)           QcBits KEM/DEM
      Cortex-M4   63 185 108    2 623 432   18 416 012    PQCrypto 2016   KEM/DEM
      Cortex-M4  148 576 008    7 018 493   42 129 589    PQCrypto 2014   McEliece

Cycle counts for key-pair generation, encryption, and decryption for 80-bit pre-quantum security. Numbers in RED are non-constant-time. Numbers in BLUE are constant-time.

SLIDE 29

QC-MDPC codes

  • MDPC: moderate-density-parity-check
  • QC: quasi-cyclic (for saving bandwidth and memory)
  • $\bigl[\, H^{(0)} \mid H^{(1)} \,\bigr] \in \mathbb{F}_2^{\,n \times 2n}$ (drawn on the slide as a sparse matrix of 1 entries)

QcBits:

  • $[\, n = 4801,\ w = 90,\ t = 84 \,]$ for 80-bit security
  • further requires $H^{(i)}$ to have row weight $w/2$ (same for the Bochum papers)

SLIDE 37

Statistical decoding

Start with finding $v = c + e$ such that $H^* v = H^* e$. Compute $Hv$.

(Picture on the slide: the rows of $H$ with their 1 entries, the vector $v$ beneath them, and, summed column by column, $u \in \mathbb{Z}^{2n}$, the number of unsatisfied parity checks each position $v_i$ takes part in.)

Flip $v_i$ if $u_i$ is large. Repeat until $Hv = 0$.

Rationale

  • parity = 0: perhaps no errors. no information.
  • parity = 1: one score for each possible position.

SLIDE 42

Statistical decoding

Natural questions

  • what do you mean by higher probability? (don’t know)
  • repeat how many times? (don’t know)
  • always work? (probably not)
  • constant-time iterations?

SLIDE 47

Statistical decoding: naive approach

(Same picture as on the statistical decoding slide: $H$, $v$, and the column sums $u \in \mathbb{Z}^{2n}$.)

Step 1 computing the syndrome: $O(n^2)$
Step 2 computing the unsatisfied parity checks: $O(n^2)$

  • Bochum strategy: compute $u_0$, flip $v_0$, compute $u_1$, flip $v_1$, etc.
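
An added C example (not QcBits' or the Bochum code) of the decoder exactly as the naive approach describes it: Step 1 computes the syndrome and Step 2 the unsatisfied-parity-check counts $u$, both in $O(n^2)$, and positions with a large $u_k$ are flipped until $Hv = 0$. The toy QC-MDPC code (N, WH, F_SUPP, G_SUPP), the flipping threshold and the round limit are this example's own assumptions; a nonzero syndrome after the round limit is reported as a decoding failure instead of being looped on forever.

```c
#include <stdint.h>
#include <string.h>

#define N  32  /* toy block length, H is N x 2N (QcBits: n = 4801) */
#define WH 5   /* row weight w/2 of each circulant block (QcBits: 45) */
/* Constructed toy secret key: the supports of the circulant blocks f and g. */
static const int F_SUPP[WH] = {0, 3, 7, 12, 20};
static const int G_SUPP[WH] = {1, 4, 9, 17, 26};

/* H[j][k] = 1 iff (j - k) mod N is in supp(f) for k < N, or in supp(g) for
   k >= N; hence H v = f*v0 + g*v1 in F_2[x]/(x^N - 1), as on the slides. */
static int h_entry(int j, int k) {
    const int *supp = k < N ? F_SUPP : G_SUPP;
    int d = ((j - k % N) % N + N) % N;
    for (int i = 0; i < WH; i++) if (supp[i] == d) return 1;
    return 0;
}

/* Step 1: syndrome s = H v over F_2, naively in O(n^2); returns its weight. */
static int syndrome(const uint8_t v[2 * N], uint8_t s[N]) {
    int weight = 0;
    for (int j = 0; j < N; j++) {
        s[j] = 0;
        for (int k = 0; k < 2 * N; k++) s[j] ^= (uint8_t)(h_entry(j, k) & v[k]);
        weight += s[j];
    }
    return weight;
}

/* Step 2: u_k = number of unsatisfied parity checks involving position k
   (u = H^T s over the integers), again O(n^2). */
static void unsat_counts(const uint8_t s[N], int u[2 * N]) {
    for (int k = 0; k < 2 * N; k++) {
        u[k] = 0;
        for (int j = 0; j < N; j++) u[k] += h_entry(j, k) & s[j];
    }
}

/* Constructed codeword c = (g, f): H c = f*g + g*f = 0 in F_2[x]/(x^N - 1). */
void toy_codeword(uint8_t c[2 * N]) {
    memset(c, 0, 2 * N);
    for (int i = 0; i < WH; i++) { c[G_SUPP[i]] = 1; c[N + F_SUPP[i]] = 1; }
}

/* Bit flipping: flip v_k whenever u_k >= threshold; repeat until H v = 0. Returns the
   number of flipping rounds, or -1 if the syndrome is still nonzero after max_rounds. */
int bitflip_decode(uint8_t v[2 * N], int threshold, int max_rounds) {
    uint8_t s[N]; int u[2 * N];
    for (int round = 0; round < max_rounds; round++) {
        if (syndrome(v, s) == 0) return round;
        unsat_counts(s, u);
        for (int k = 0; k < 2 * N; k++) v[k] ^= (uint8_t)(u[k] >= threshold);
    }
    return syndrome(v, s) == 0 ? max_rounds : -1;
}
```

With this key, two errors whose parity checks overlap are never flipped at threshold $w/2$ (the decoder reports failure) but are corrected at threshold $w/2 - 1$, which is the "repeat how many times? / always work?" question of the previous slides in miniature.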

SLIDE 51

Syndrome computation: polynomial view

$f, g \in \mathbb{F}_2[x]/(x^n - 1)$

↓

$$
\begin{pmatrix}
f_0 & f_{n-1} & \cdots & f_1 & g_0 & g_{n-1} & \cdots & g_1 \\
f_1 & f_0 & \cdots & f_2 & g_1 & g_0 & \cdots & g_2 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
f_{n-1} & f_{n-2} & \cdots & f_0 & g_{n-1} & g_{n-2} & \cdots & g_0
\end{pmatrix}
\begin{pmatrix} v_0 \\ v_1 \\ \vdots \\ v_{2n-1} \end{pmatrix} = s
$$

↓

$$
\begin{pmatrix} f & xf & \cdots & x^{n-1} f & g & xg & \cdots & x^{n-1} g \end{pmatrix}
\begin{pmatrix} v_0 \\ v_1 \\ \vdots \\ v_{2n-1} \end{pmatrix} = s
$$

↓

$s = v^{(0)} f + v^{(1)} g \in \mathbb{F}_2[x]/(x^n - 1)$

SLIDE 55

Sparse-times-dense polynomial in $\mathbb{F}_2[x]/(x^n - 1)$

QcBits computes $vf$ as

$x^{i_1} v + x^{i_2} v + \cdots$

  • Each $x^i v$ is simply a rotation of $v$.
  • Addition can be carried out using XOR instructions.
  • Constant-time rotations?

SLIDE 64

Barrel Shifter

Rotating by $i = (i_k i_{k-1} \ldots i_0)_2$ bits:

  • conditionally rotate by $2^k$ bits.
  • conditionally rotate by $2^{k-1}$ bits, and so on.
  • Example for $i = 010011_2$ and polynomial
    $(x^8 + x^{10} + x^{12} + x^{14}) + (x^{16} + x^{17} + x^{20} + x^{21}) + (x^{24} + x^{25} + x^{26} + x^{27}) + (x^{36} + x^{37} + x^{38} + x^{39})$

    The slide shows the 40 coefficients as five bytes (lowest byte first) and then the rows it draws for the rotation by $i = 010011_2$:

                      00000000₂ 01010101₂ 00110011₂ 00001111₂ 11110000₂
      i = 010011₂     01010101₂ 00110011₂ 00001111₂ 11110000₂ 00000000₂
      i = 010011₂     00001111₂ 11110000₂ 00000000₂ 01010101₂ 00110011₂
      i = 010011₂     00110011₂ 00001111₂ 11110000₂ 00000000₂ 01010101₂
      i = 010011₂     01100001₂ 11111110₂ 00000000₂ 00001010₂ 10100110₂
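
An added C example (not QcBits' code) of the sparse-times-dense and barrel shifter slides: the slide's polynomial in $\mathbb{F}_2[x]/(x^{40} - 1)$ stored as five bytes, rotated by a secret amount $i$ through a fixed sequence of conditional rotations in which only the selection masks depend on the bits of $i$, and the product $vf$ assembled as the XOR of those rotations. The byte-level-then-bit-level split and the names poly_t, ct_rotate and sparse_times_dense are this example's own assumptions, not QcBits' internals.

```c
#include <stdint.h>
#include <string.h>

#define N 40            /* F_2[x]/(x^40 - 1): the size of the slide's example */
#define NBYTES (N / 8)  /* coefficient k is bit (k % 8) of byte (k / 8) */
typedef struct { uint8_t b[NBYTES]; } poly_t;

/* Rotation by a public number of bytes towards higher degree (times x^(8*bytes)). */
static poly_t rot_bytes(poly_t v, int bytes) {
    poly_t r;
    for (int k = 0; k < NBYTES; k++) r.b[(k + bytes) % NBYTES] = v.b[k];
    return r;
}

/* Rotation by a public number of bits (1..7) towards higher degree. */
static poly_t rot_bits(poly_t v, int bits) {
    poly_t r;
    for (int k = 0; k < NBYTES; k++) {
        int prev = (k + NBYTES - 1) % NBYTES;   /* byte 4 wraps into byte 0: x^40 = 1 */
        r.b[k] = (uint8_t)((v.b[k] << bits) | (v.b[prev] >> (8 - bits)));
    }
    return r;
}

/* Constant-time select: a if the low bit of flag is 1, else v. A mask replaces the
   branch (inspect the compiler output: some compilers turn it back into one). */
static poly_t ct_select(poly_t v, poly_t a, uint32_t flag) {
    uint8_t mask = (uint8_t)(0u - (flag & 1u));  /* 0x00 or 0xFF */
    for (int k = 0; k < NBYTES; k++)
        v.b[k] = (uint8_t)((a.b[k] & mask) | (v.b[k] & (uint8_t)~mask));
    return v;
}

/* Barrel shifter: x^i * v for a secret 0 <= i < N. The sequence of operations is
   fixed; only the selection masks depend on the bits of i. */
poly_t ct_rotate(poly_t v, uint32_t i) {
    uint32_t bytes = i / 8, bits = i % 8;
    for (int j = 2; j >= 0; j--)  /* conditionally rotate by 4, 2, 1 bytes (mod 5) */
        v = ct_select(v, rot_bytes(v, 1 << j), bytes >> j);
    for (int j = 2; j >= 0; j--)  /* conditionally rotate by 4, 2, 1 bits */
        v = ct_select(v, rot_bits(v, 1 << j), bits >> j);
    return v;
}

/* Sparse-times-dense: v * f for f = x^{i_1} + x^{i_2} + ... given by its support;
   each term is a rotation of v and addition in F_2 is XOR. */
poly_t sparse_times_dense(poly_t v, const uint32_t *support, int weight) {
    poly_t acc;
    memset(acc.b, 0, NBYTES);
    for (int j = 0; j < weight; j++) {
        poly_t r = ct_rotate(v, support[j]);
        for (int k = 0; k < NBYTES; k++) acc.b[k] ^= r.b[k];
    }
    return acc;
}
```

For the slide's polynomial {0x00, 0x55, 0x33, 0x0F, 0xF0} and $i = 19$ the rotation moves the coefficient set {8,10,12,14,16,17,20,21,24,...,27,36,...,39} to {0,3,4,5,6,15,16,17,18,27,29,31,33,35,36,39}, i.e. the bytes {0x79, 0x80, 0x07, 0xA8, 0x9A}.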

SLIDE 68

Computing u: polynomial view

$f, g \in \mathbb{Z}[x]/(x^n - 1)$

↓

$$
u = \begin{pmatrix}
f_0 & f_1 & \cdots & f_{n-1} \\
g_0 & g_1 & \cdots & g_{n-1} \\
f_{n-1} & f_0 & \cdots & f_{n-2} \\
g_{n-1} & g_0 & \cdots & g_{n-2} \\
\vdots & \vdots & \ddots & \vdots \\
f_1 & f_2 & \cdots & f_0 \\
g_1 & g_2 & \cdots & g_0
\end{pmatrix}
\begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix}
$$

↓

$$
u = \begin{pmatrix} f \\ g \\ xf \\ xg \\ \vdots \\ x^{n-1} f \\ x^{n-1} g \end{pmatrix}
\begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix}
$$

↓

$u = (sf, sg) \in \mathbb{Z}[x]/(x^n - 1)$

SLIDE 76

The future of QC-MDPC McEliece/Niederreiter

How to deal with decoding failures?

  • QcBits for higher security levels?
  • better decoder?
  • better parameters?

Is equal weight distribution ok?

  • at least it’s close enough to the original proposal

More research is required to build up confidence.

SLIDE 77

www.win.tue.nl/~tchou/qcbits/