a reaction attack against cryptosystems based on lrpc
play

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo - PowerPoint PPT Presentation

Sep 21, 2022 •258 likes •590 views

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti Latincrypt 2019 October 3rd, 2019 A Reaction Attack against Cryptosystems based on LRPC

  1. A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti Latincrypt 2019 October 3rd, 2019 A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 1

  2. Outline Introduction Reaction Attack Our Result Conclusion A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 2

  3. Post-quantum cryptography Why do we need post-quantum cryptography? Shor’s Algorithm solves in polynomial time: ◮ Integer factorization; RSA is dead. ◮ The discrete-logarithm problem in finite fields; DSA is dead. ◮ The discrete-logarithm problem on elliptic curves; ECDSA is dead. A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 3

  4. Post-quantum cryptography What is post-quantum cryptography? A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 4

  5. Post-quantum cryptography Timeline ◮ 2016: NIST calls for submissions to “Post-Quantum Cryptography Standardization Project”. ◮ 2017: NIST receives 69 proper submissions. ◮ 2018-19: NIST 2nd round of proposals with 26 proposals. ◮ 17 code-based in the 1st round; 7 code-based in 2nd round. A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 5

  6. Code-based Cryptography Code-based cryptography in a nutshell Linear transformation Add errors Codeword Ciphertext Plaintext Inverse transformation Remove errors ◮ Originally proposed by McEliece in 1978; ◮ It uses a linear code: ◮ Goppa codes; ◮ LDPC/MDPC; ◮ Rank Metric (LRPC); ◮ Several others. A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 6

  7. Rank Metric Codes A Low-Rank Parity-Check (LRPC) code A LRPC C over F q m of length n , dimension k and rank d is described by an ( n − k ) × n parity-check matrix H = { h i , j } ∈ F ( n − k ) × n , q m ◮ Each coefficient h i , j can be written as d � h i , j = h i , j , l F l , h i , j , l ∈ F q , l = 1 each F i ∈ F q m , and F = � F 1 , F 2 , · · · , F d � is a F q subspace of F q m . A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 7

  8. Decoding LRPC codes How to decode LRPC codes? be the syndrome of e , i.e. He ⊤ = s . Let s = ( s 1 , . . . , s n − k ) ∈ F n − k q m Decoding: Recover e from the knowledge of s . Crucial facts: ◮ If h i , j ∈ F = � F 1 , F 2 , · · · , F d � and e ∈ E = � E 1 , E 2 , · · · , E r � then s i ∈ � F 1 E 1 , F 1 E 2 , . . . , F d E r � ◮ Assume S = � s 1 , s 2 , . . . , s n − k � = � F 1 E 1 , F 1 E 2 , . . . , F d E r � then: 1. Set S i = F − 1 . S . Then i S i = F − 1 . � . . . F i E 1 , F i E 2 , . . . , F i E r ... � ⇒ E = � E 1 , E 2 , · · · , E r � ⊂ S i i 2. Find E = S 1 ∩ S 2 ∩ · · · ∩ S d 3. Find e by solving He ⊤ = s A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 8

  9. Decoding of LRPC codes When do decoding failures happen? � � 1. When Dim � EF � < rd : this happens with probability d P 1 = q m − rd 2. When E � = � d i = 1 S i : when m > rd + 8, this happens with probability P 2 ≪ 2 − 30 � � 3. When Dim S < rd this happens with probability 1 P 3 = q n − k + 1 − rd ◮ In practice usually P 1 , P 2 ≪ P 3 . A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 9

  10. LRPC cryptosystems What is a LRPC cryptosystem? Basically any cryptosystem that ◮ uses LRPC codes (low rank of H secret ) ◮ uses RH secret = H to hide the secret H secret ◮ relies on the Rank syndrome decoding problem: Find e such that He ⊤ = s and | e | � r . ◮ LRPC cryptosystem [Gaborit et al.’13] ◮ McNie [Kim et al.’17] (NIST 1st round candidate) ◮ ROLLO (Rank-Ouroboros, LAKE and LOCKER) [Aguilar Melchor et al. ’17] (NIST 2nd round candidate) ◮ Durandal [Aragon et al.’19] A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 10

  11. Reaction attack A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  12. Reaction attack m 1 , e 1 , c 1 = m 1 G + e 1 A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  13. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  14. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  15. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) m 2 , e 2 , c 2 A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  16. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) c 2 m 2 , e 2 , c 2 A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  17. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) c 2 m 2 , e 2 , c 2 � ← Decode ( c 2 ) A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  18. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) c 2 m 2 , e 2 , c 2 � ← Decode ( c 2 ) . . . A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  19. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) c 2 m 2 , e 2 , c 2 � ← Decode ( c 2 ) . . . m t , e t , c t A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  20. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) c 2 m 2 , e 2 , c 2 � ← Decode ( c 2 ) . . . c t m t , e t , c t A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  21. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) c 2 m 2 , e 2 , c 2 � ← Decode ( c 2 ) . . . c t m t , e t , c t X ← Decode ( c t ) A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  22. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) c 2 m 2 , e 2 , c 2 � ← Decode ( c 2 ) . . . c t m t , e t , c t X ← Decode ( c t ) Pls resend! A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  23. Reaction attack c 1 m 1 , e 1 , c 1 = m 1 G + e 1 � ← Decode ( c 1 ) c 2 m 2 , e 2 , c 2 � ← Decode ( c 2 ) . . . c t m t , e t , c t X ← Decode ( c t ) Pls resend! A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 11

  24. Key recovery attack When does a decoding failure happen? (A closer look at) the syndrome equation for LRPC: H secret e ⊤ = s � d � � r n n � � � � � s i = h i , j e j = h i , j , l F l e j , u E u j = 1 j = 1 l = 1 v = 1   d r n � � �  , = F l E u h i , j , l e j , u ∀ i ∈ { 1 , . . . , n − k } .  l = 1 u = 1 j = 1 In matrix form: s = ( F 1 E 1 , F 1 E 2 . . . , F d E r ) · ¯ A h , e � � Recall: Decoding fails when Dim S < rd ¯ A h , e is not of full rank A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 12

  25. Our Attack What to do with the errors? v e 1 · ¯  A e 1 ( h ) = 0 1 × n − k  v e 2 · ¯  A e 2 ( h ) = 0 1 × n − k  . . .   v e t · ¯ A e t ( h ) = 0 1 × n − k  A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 13

  26. Our Attack What to do with the errors? v e 1 · ¯  A e 1 ( h ) = 0 1 × n − k  v e 2 · ¯  A e 2 ( h ) = 0 1 × n − k  . . .   v e t · ¯ A e t ( h ) = 0 1 × n − k  High level attack idea: 0: Collect errors e 1 , e 2 , . . . , e t from decryption failures 0: repeat h ← SolveSystem ( v e 1 , v e 2 , . . . , v e t , e 1 , e 2 , . . . , e t ) 0: if h � = ⊥ then 0: Collect ℓ messages, errors, ciphertexts ( m i , e i , c i ) 0: F , success ← FindBasis ( h , { ( m i , e i , c i ) } ℓ i = 1 ) 0: else success ← ⊥ 0: 0: until success 0: H ← ReconstructMatrix ( h , F ) return H of small rank d =0 A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 13

  27. Our Attack How to solve the system? v e 1 · ¯  A e 1 ( h ) = 0 1 × n − k  v e 2 · ¯  A e 2 ( h ) = 0 1 × n − k  . . .   v e t · ¯ A e t ( h ) = 0 1 × n − k  ◮ Kernel method ◮ n − k equations for each error e i ◮ nd unknown coefficients in h ◮ guess v e i in kernel of ¯ A e t ( h ) ◮ ⇒ linear system only in the nd h -variables ◮ need to collect t � nd n − k errors from DF A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 14

  28. Our Attack How to solve the system? v e 1 · ¯  A e 1 ( h ) = 0 1 × n − k  v e 2 · ¯  A e 2 ( h ) = 0 1 × n − k  . . .   v e t · ¯ A e t ( h ) = 0 1 × n − k  ◮ Kernel method ◮ n − k equations for each error e i ◮ nd unknown coefficients in h ◮ guess v e i in kernel of ¯ A e t ( h ) ◮ ⇒ linear system only in the nd h -variables ◮ need to collect t � nd n − k errors from DF ◮ Probability of guessing v e i correctly: P e i = q K e i q rd , where q K e i = | Ker (¯ A e i ( h )) | . A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 14

Recommend

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul Stankovski 2 , Pavol Zajac 1 , Qian Guo 2 , Thomas Johansson

693 views • 37 slides
Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s Many important and storied examples. See: http://users.telenet.be/d.rijmenants/ Jim Royer Well talk about just one in detail: the one-time pad .

250 views • 6 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric cryptosystems Computer Security Digital signatures January 30, 2006 Digital hashes Key recovery cryptosystems Lecture 4 Lecture 4 Page 1 Page

358 views • 11 slides
Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye Proxy: Fabrice Benhamouda PKC

Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye Proxy: Fabrice Benhamouda PKC

Identity-Based Encryption Cocks IBE Scheme Algebraic Structure Applications Conclusion Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye Proxy: Fabrice Benhamouda PKC 2016 Tapei, Taiwan 1 / 20 Identity-Based Encryption

655 views • 38 slides
(GLUP) Study Plus Long Range Planning Committee (LRPC) December 11, 2019 Tonights Agenda 1.

(GLUP) Study Plus Long Range Planning Committee (LRPC) December 11, 2019 Tonights Agenda 1.

Shirlington Village Special General Land Use Plan (GLUP) Study Plus Long Range Planning Committee (LRPC) December 11, 2019 Tonights Agenda 1. Introduction 2. Parking Utilization Report 3. LRPC Discussion 4. Results from Community

396 views • 22 slides
A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003,

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003,

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003, Taipei Kaoru Kurosawa 1 , Katja Schmidt-Samoa 2 , Tsuyoshi Takagi 2 1 Ibaraki University 2 Technische Universit at Darmstadt A Complete and

408 views • 39 slides
Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given the time Security Notions and computational resources. However,

307 views • 10 slides
Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg prasadn@ microsoft.com SE Linux Symposium Attack- based DTA 1 06 Outline Motivation Review of type enforcement transitions Attack

471 views • 18 slides
Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany, fstrenzke@crypto-source.de April 13, 2015 Fast and

494 views • 38 slides
Efficiency and Implementation Security of Code-based Cryptosystems PhD Thesis by Falko Strenzke

Efficiency and Implementation Security of Code-based Cryptosystems PhD Thesis by Falko Strenzke

Efficiency and Implementation Security of Code-based Cryptosystems PhD Thesis by Falko Strenzke Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany,

1.73k views • 160 slides
Outline Threshold Homomorphic Cryptosystems (THCs) Basic examples Secure multiparty

Outline Threshold Homomorphic Cryptosystems (THCs) Basic examples Secure multiparty

ECRYPT: Achievements and Perspectives Antwerp / May 27, 2008 PROVILAB Focus 2 Secure Multiparty Computation Based on Threshold Homomorphic Cryptosystems Berry Schoenmakers Coding &amp; Crypto group Dept. Math &amp; CS TU Eindhoven Outline

583 views • 13 slides
Shirlington Village Special General Land Use Plan (GLUP) Study Plus Long Range Planning

Shirlington Village Special General Land Use Plan (GLUP) Study Plus Long Range Planning

Shirlington Village Special General Land Use Plan (GLUP) Study Plus Long Range Planning Committee (LRPC) January 21, 2020 Tonights Agenda 1. Principles and Vision 2. LRPC Discussion 3. Building Heights 4. LRPC Discussion 5. Next Steps

638 views • 35 slides
Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Modern Block Ciphers DES Games with Block Ciphers Modern Block Ciphers DES Games with Block Ciphers Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and their applications are the primary focus

521 views • 5 slides
Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

1 Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69 submissions in first round, from hundreds of people. (+13 submissions that NIST declared incomplete or improper.) 22 signature-system submissions. 5

1.97k views • 196 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
Extent- -based Incremental Identification based Incremental Identification Extent of Reaction

Extent- -based Incremental Identification based Incremental Identification Extent of Reaction

LABORATOIRE DAUTOMATIQUE AUTOMATIC CONTROL LABORATORY Extent- -based Incremental Identification based Incremental Identification Extent of Reaction Kinetics from Spectroscopic Data of Reaction Kinetics from Spectroscopic Data XIII

428 views • 23 slides
1 Enthaply vs. entropy in chemical reaction: S solid &lt; S liquid &lt;&lt; S gas Spontaneous

1 Enthaply vs. entropy in chemical reaction: S solid &lt; S liquid &lt;&lt; S gas Spontaneous

There are two fundamental tendencies in nature that help determine whether a reaction will occur: Topic 9.4 1. Enthalpy Enthalpy, entropy and spontaneity Energy change during reaction = heat of reaction ( H) Reactions tend toward lower

338 views • 3 slides
Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The Syndrome Decoding Problem e S r H n Syndrome Decoding (SD) Does e { 0 , 1 } n of weight w such that e H = S exist? NP-complete problem.

445 views • 31 slides

More recommend