
Solutions for the Storage Problem of McEliece Public and Private - PowerPoint PPT Presentation

Solutions for the Storage Problem of McEliece Public and Private Keys on Memory-constrained Platforms Falko Strenzke FlexSecure GmbH, Darmstadt, Germany strenzke@flexsecure.de January 18, 2013 Solutions for the McEliece Key Storage Problem


  1. Solutions for the Storage Problem of McEliece Public and Private Keys on Memory-constrained Platforms
     Falko Strenzke, FlexSecure GmbH, Darmstadt, Germany, strenzke@flexsecure.de
     January 18, 2013

  2. Introduction
     - code-based cryptosystem: built on error correcting codes
     - McEliece, Niederreiter
     - advantage: no efficient quantum algorithm known
     - disadvantage: key sizes
     - attempts to reduce public key size with “structured” codes
     - original proposition of McEliece with Goppa Codes: unbroken for more than 30 years

  3. 1 Introduction; 2 Preliminaries; 3 On-line Public Operation; 4 Decryption without the Parity Check Matrix

  4. 1 Introduction; 2 Preliminaries; 3 On-line Public Operation; 4 Decryption without the Parity Check Matrix

  5. Goppa Codes
     Parameters of a Goppa Code:
     - irreducible polynomial $g(Y) \in \mathbb{F}_{2^m}[Y]$ of degree $t$ (the Goppa Polynomial)
     - support $\Gamma = (\alpha_0, \alpha_1, \ldots, \alpha_{n-1})$, where the $\alpha_i$ are pairwise distinct elements of $\mathbb{F}_{2^m}$

     Properties of the Code:
     - the code has length $n \le 2^m$ (code word length), dimension $k = n - mt$ (message length) and can correct up to $t$ errors
     - a parity check matrix $H \in \mathbb{F}_2^{mt \times n}$, where $cH^\top = 0$ if $c \in C$
     - a generator matrix $G \in \mathbb{F}_2^{n \times k}$ with $\vec{m}G \in C$
     - example for secure parameters: $n = 2048$, $t = 50$ for 102 bit security

  6. The McEliece PKC
     - key generation:
       - choose the parameters $n$ and $t$
       - generate randomly $g(Y)$ and $\Gamma$ (determining the secret code)
       - for this private code $C_s$ one has a public generator matrix $G_s$
       - the public key is $G_p = [I \mid G'_p] = TG_s$
       - for 102 bit secure parameters: $G'_p$ has size of about 100 KB
     - encryption: $\vec{z} = \vec{m}G_p + \vec{e}$, $\mathrm{wt}(\vec{e}) = t$
     - decryption: knowing $g(Y)$ and $\Gamma$, $\vec{e}$ and thus also $\vec{m}$ can be recovered

  7. 1 Introduction; 2 Preliminaries; 3 On-line Public Operation; 4 Decryption without the Parity Check Matrix

  8. Public Key Encryption
     - McEliece is a public key encryption scheme
     - i.e., applied in a Public Key Infrastructure (PKI) context

  9. Encryption in PKI
     [Figure: X509-Cert. issued by the CA (trust anchor): TBS data beginning, matrix (public key, 100 KByte), TBS end, signature]
     - standard approach: transmit the certificate, verify signature, encrypt with public key

  10. Problems on Memory-constrained Platforms
      - smart cards typically have less than 20 kB RAM
        - → certificate/matrix in non-volatile memory
        - → cost, slow writing speed, limited number of write cycles
      - why encryption on smart card?
        - → in the context of electronic passports (Germany) and electronic health applications: key exchange schemes can be built from signature schemes and PKCs

  11. Solution for Memory-constrained Platforms
      - process the certificate during reception
      [Figure: the incoming certificate (TBS data beginning, matrix (public key, 100 KByte), TBS end, signature) is hashed while the matrix goes through the on-line multiplication with $\vec{m}$, giving $\vec{m}G$; the signature is checked against the hash value: fail: output error; success: finalize & output]

  12. Transmission Rates
      - contactless smart card: up to 106 KByte/s (raw)
      - transmit 100 KByte key (security ≈ 100 bit) in ≈ 1 s
      - research implementation by NXP Semiconductors 8 times faster → leaves 35 CPU cycles at 30 MHz per byte

  13. Computational Tasks
      - SHA-256 Hash ≈ 30 cycles/byte on Pentium 4
      - matrix multiplication column-wise:
        - AND of each column and $\vec{m}$, 32-bit word-wise
        - XOR result to 32-bit ACCU
        - finalize column: compute parity bit of ACCU
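The receive-side processing from slides 11 and 13, as an added Python example (not the author's AVR32 implementation): every received chunk goes into SHA-256 and into the column-wise AND/XOR/parity multiplication, and the product is released only if the final check passes. The class and function names, the little-endian word layout, the toy sizes and the digest comparison standing in for certificate signature verification are assumptions.

```python
import hashlib
import hmac

WORD = 4  # bytes per 32-bit word, as on the slide's 32-bit target


class OnlineMultiplier:
    """Computes m*G' while the column-wise matrix is still being received."""

    def __init__(self, message_words):
        self.m = list(message_words)   # message as 32-bit words
        self.sha = hashlib.sha256()    # runs over the same received bytes
        self.pending = b""             # tail of a word split across chunks
        self.word_idx = 0              # position inside the current column
        self.accu = 0                  # 32-bit accumulator (ACCU)
        self.bits = []                 # finished bits of m*G'

    def feed(self, chunk):
        self.sha.update(chunk)
        data = self.pending + chunk
        usable = len(data) - len(data) % WORD
        for off in range(0, usable, WORD):
            word = int.from_bytes(data[off:off + WORD], "little")
            self.accu ^= word & self.m[self.word_idx]   # AND, then XOR to ACCU
            self.word_idx += 1
            if self.word_idx == len(self.m):            # finalize column
                self.bits.append(bin(self.accu).count("1") & 1)  # parity bit
                self.accu, self.word_idx = 0, 0
        self.pending = data[usable:]

    def finalize(self, trusted_digest):
        # Assumption: comparing against a trusted digest stands in for the
        # certificate signature verification shown on slide 11.
        if self.pending or self.word_idx:
            raise ValueError("matrix truncated mid-column")
        if not hmac.compare_digest(self.sha.digest(), trusted_digest):
            raise ValueError("hash mismatch: result withheld")
        return self.bits


def stream_multiply(message_words, matrix_bytes, chunk_size, trusted_digest):
    """Feeds the matrix in chunk_size pieces; returns m*G' only on success."""
    mul = OnlineMultiplier(message_words)
    for off in range(0, len(matrix_bytes), chunk_size):
        mul.feed(matrix_bytes[off:off + chunk_size])
    return mul.finalize(trusted_digest)


# Constructed sample: 64-bit message, 5 columns of 8 bytes each.
MESSAGE = [0xDEADBEEF, 0x01234567]
MATRIX = bytes((37 * i + 11) % 256 for i in range(5 * 8))
DIGEST = hashlib.sha256(MATRIX).digest()
```

Only the accumulator, one partial word and the hash state persist between chunks, so the RAM needed does not grow with the size of the matrix.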

  14. Example Implementation on Atmel AVR32
      - ATUC3A1512 32-bit microcontroller @ 33 MHz
      - communicating with PC over RS232 @ 460,800 baud
      - works with two interchanging buffers

  15. Online-Multiplication Protocol
      Figure: Schematic overview of the interrupt based implementation of the on-line multiplication.

  16. Two Modifications to the Protocol
      - non-interactive version
        - only the very first ACK is sent
        - → faster by ≈ 1.3
      - simulation of higher transmission speeds
        - use fake matrix with bytes repeating $r$ times, i.e. 0x1D, 0x1D, 0x1D, 0x1D, 0xA3, 0xA3, 0xA3, 0xA3, 0x22, ...
        - transmit repeated bytes only once
        - $B_{sim} = rB_{real}$

  17. Results

      | | based on computation throughput | experimental result - w/o ACK |
      |---|---|---|
      | cycles/byte | measured: 55.6 for SHA-256, 4.2 for mult., yields: 59.8 | 92 |
      | CPU time at 33 MHz for 100,000 Bytes | 181 ms | 279 ms |
      | transmission rate in bytes/s | 551,839 | $B_{sim} = 368{,}640$ ($r = 8$) |

      buffer size: 1536

  18. Applicability
      applicable to basically all code-based schemes:
      - McEliece PKC
      - Niederreiter PKC
      - CFS signature scheme
      - KKS signature scheme

  19. 1 Introduction; 2 Preliminaries; 3 On-line Public Operation; 4 Decryption without the Parity Check Matrix

  20. Syndrome Computation with the Parity Check Matrix
      - $S(Y) \in \mathbb{F}_{2^m}[Y]$ of degree $t - 1$: starting point of decryption
      - $\vec{s} = \vec{c}H^T$, $\vec{s} \in \mathbb{F}_2^{mt}$
      - interpret $\vec{s}$ as coefficients ... → $S(Y)$

  21. McEliece Private Key Size

      | size in bytes | n = 2048, t = 50 (102 bit) | n = 2960, t = 56 (> 122 bit) |
      |---|---|---|
      | $4 \cdot 2^m$ bytes $\mathbb{F}_{2^m}$ tables | 8,192 | 16,384 |
      | $t^2$ bytes table for square root in $\mathbb{F}_{2^m}[Y]/g(Y)$ | 2,500 | 3,136 |
      | $2t$ bytes for $g(Y)$ | 100 | 112 |
      | $2n$ bytes for the support | 4,048 | 5,920 |
      | sum w/o Par. Ch. Mat. | 14,840 | 25,552 |
      | Par. Ch. Mat. | 140,800 | 248,640 |
      | sum w/ Par. Ch. Mat. | 155,640 | 274,192 |

  22. Syndrome Computation without the Parity Check Matrix
      - $S(Y) \equiv \sum_{i=1}^{n} \frac{c_i}{Y \oplus \alpha_i} \bmod g(Y)$, where $\alpha_i$ is the $i$-th support element
      - done with EEA in a single iteration
      - EEA implementation can be optimized for this case

  23. Optimized EEA

      ```
      Require: the ciphertext c ∈ F_2^n, and the Goppa Polynomial g(Y) ∈ F_{2^m}[Y] of degree t
      Ensure: the syndrome polynomial S(Y) ∈ F_{2^m}[Y] of degree ≤ t − 1
      S(Y) ← 0
      for i ← 0 up to n − 1 do
        if c[i] = 1 then
          B(Y) ← 0
          b ← g_t
          for j ← t − 1 down to 0 do
            B_j ← b
            b ← b · α_i ⊕ g_j
          end for
          f ← b^(−1)
          for j ← 0 up to deg(B(Y)) do
            S_j ← S_j ⊕ f · B_j
          end for
        end if
      end for
      ```
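The optimized EEA of slide 23, as an added Python example that is not taken from HyMES or the author's code: for every set ciphertext bit, Horner's scheme yields both the quotient B(Y) of g(Y) by (Y ⊕ α_i) and the value g(α_i), whose inverse scales B(Y) into the inverse of (Y ⊕ α_i) modulo g(Y). The field GF(2^4) with reduction polynomial x^4 + x + 1, the toy Goppa polynomial, the full-field support and the function names are assumptions chosen to keep the example small.

```python
M = 4            # assumption: toy field GF(2^4)
POLY = 0b10011   # reduction polynomial x^4 + x + 1


def gf_mul(a, b):
    """Multiplies in GF(2^M): shift-and-add with modular reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r


def gf_inv(a):
    """Inverse as a^(2^M - 2); a must be non-zero."""
    r = 1
    for _ in range((1 << M) - 2):
        r = gf_mul(r, a)
    return r


def syndrome(c, g, support):
    """S(Y) = sum over set bits c[i] of 1/(Y + support[i]) mod g(Y).

    g lists the coefficients g_0..g_t; the result lists S_0..S_{t-1}.
    """
    t = len(g) - 1
    S = [0] * t
    for i, bit in enumerate(c):
        if not bit:
            continue
        B = [0] * t
        b = g[t]
        for j in range(t - 1, -1, -1):   # Horner: divide g(Y) by (Y + alpha_i)
            B[j] = b
            b = gf_mul(b, support[i]) ^ g[j]
        f = gf_inv(b)                    # b = g(alpha_i), non-zero for irreducible g
        for j in range(t):
            S[j] ^= gf_mul(f, B[j])
    return S


# Constructed toy parameters: g(Y) = Y^2 + Y + 8 is irreducible over GF(2^4).
G_POLY = [8, 1, 1]
SUPPORT = list(range(16))
```

The private data touched here is only g(Y) and the support, which is what allows the parity check matrix row of the key-size table on slide 21 to be dropped.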

  24. Cost of the Syndrome Computation
      - $C_{syndr} = nt(C_{mult} + C_{add}) + \frac{n}{2} C_{inv}$ on average
      - except for the inversions: cost of root-finding with exhaustive search

  25. Implementation
      - platform: Atmel AT32 AP7000
      - source code: HyMES Open Source McEliece C implementation, https://www.rocq.inria.fr/secret/CBCrypto/index.php?pg=hymes

  26. Experimental Results

      | code parameters | n = 2048, t = 50: cycles | time @ 33 MHz | n = 2960, t = 56: cycles | time @ 33 MHz |
      |---|---|---|---|---|
      | security level | 102 bit | | > 122 bit | |
      | with par. ch. mat.: whole decr. | $2.00 \cdot 10^6$ | 61 ms | $3.12 \cdot 10^6$ | 95 ms |
      | with par. ch. mat.: only syndr. comp. | $0.26 \cdot 10^6$ | 8 ms | $0.39 \cdot 10^6$ | 12 ms |
      | with par. ch. mat.: private key bytes | 155,640 | | 274,192 | |
      | w/o par. ch. mat.: whole decr. | $4.42 \cdot 10^6$ | 134 ms | $7.39 \cdot 10^6$ | 224 ms |
      | w/o par. ch. mat.: only synd. comp. | $2.65 \cdot 10^6$ | 80 ms | $4.71 \cdot 10^6$ | 143 ms |
      | w/o par. ch. mat.: private key bytes | 14,840 | | 25,552 | |

  27. Conclusion
      - code-based public operations in a PKI context:
        - transmission speed is the limiting factor
        - applicability in certain scenarios seems possible even today
      - syndrome computation without the parity check matrix is still efficient → advantage of McEliece over Niederreiter

  28. Thank you!
      download the McEliece implementation and these slides: http://crypto-source.de
