a reaction attack on the qc ldpc mceliece cryptosystem
play

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic - PowerPoint PPT Presentation

Dec 28, 2023 •320 likes •693 views

LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul Stankovski 2 , Pavol Zajac 1 , Qian Guo 2 , Thomas Johansson

  1. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul Stankovski 2 , Pavol Zajac 1 , Qian Guo 2 , Thomas Johansson 2 1 Slovak University of Technology in Bratislava, Slovakia 2 Lund University, Sweden PQCrypto 2017 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  2. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Contents LDPC and MDPC Codes 1 QC-MDPC McEliece 2 Attack of Guo et al. 3 QC-LDPC McEliece 4 Our Attack 5 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  3. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Contents LDPC and MDPC Codes 1 QC-MDPC McEliece 2 Attack of Guo et al. 3 QC-LDPC McEliece 4 Our Attack 5 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  4. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Contents LDPC and MDPC Codes 1 QC-MDPC McEliece 2 Attack of Guo et al. 3 QC-LDPC McEliece 4 Our Attack 5 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  5. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Contents LDPC and MDPC Codes 1 QC-MDPC McEliece 2 Attack of Guo et al. 3 QC-LDPC McEliece 4 Our Attack 5 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  6. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Contents LDPC and MDPC Codes 1 QC-MDPC McEliece 2 Attack of Guo et al. 3 QC-LDPC McEliece 4 Our Attack 5 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  7. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Contents LDPC and MDPC Codes 1 QC-MDPC McEliece 2 Attack of Guo et al. 3 QC-LDPC McEliece 4 Our Attack 5 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  8. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Definitions Definition Low-density parity-check (LDPC) code = a binary linear code which admits a parity-check matrix H with a low number of 1s. Definition Moderate-density parity-check (MDPC) code - admits a parity-check matrix H with a slightly higher number of 1s than an LDPC code. Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  9. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Decoding Soft-decision decoding (belief propagation algorithms) Hard-decision decoding (bit-flipping algorithms) Both methods fail with some probability. Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  10. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Contents LDPC and MDPC Codes 1 QC-MDPC McEliece 2 Attack of Guo et al. 3 QC-LDPC McEliece 4 Our Attack 5 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  11. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Circulant matrices - definition Definition An n × n matrix C is circulant if it is of the form:   c 0 c 1 c 2 c n − 1 . . . c n − 1 c 0 c 1 c n − 2   . . .   c n − 2 c n − 1 c 0 c n − 3 C =   . . .  . . . .  ... . . . .   . . . .   c 1 c 2 c 3 c 0 . . . Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  12. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Private Key in QC-MDPC McEliece H is a parity-check matrix of an MDPC code. H = ( H 0 | H 1 | . . . | H n 0 − 1 ) , where each H i is a circulant matrix with a low weight. (i.e. H is quasi-cyclic (QC)) Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  13. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack How QC-MDPC McEliece works? H is randomly generated. A generator matrix G is computed. G is the public key. Encryption of a message x : y = x · G + e , where e is an error vector. Decryption: by a decoding algorithm (uses H ). Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  14. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Contents LDPC and MDPC Codes 1 QC-MDPC McEliece 2 Attack of Guo et al. 3 QC-LDPC McEliece 4 Our Attack 5 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  15. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Presented in Guo, Johansson and Stankovski: A key recovery attack on MDPC with CCA security using decoding errors, ASIACRYPT 2016. Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  16. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Distances Definition We say that a distance d is present in a vector v of length p if there exist two 1s in v in positions p 1 and p 2 such that d = min { p 1 − p 2 mod p , p 2 − p 1 mod p } . E.g., the distance between the 1s in ( 0 , 1 , 0 , 0 , 0 , 0 , 0 , 1 , 0 ) is 3. Definition We say that a distance d is present in a p × p circulant matrix C if the distance d is present in the first row of C . Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  17. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Key Observation of Guo et al. Suppose that the circulant blocks in H are of size p × p . Let e be the error vector added to a message during the encryption. Let e = ( e 0 , e 1 , . . . , e n / p − 1 ) , where each e i has length p . Observation Suppose that e i contains a distance d . If the distance d is present in the corresponding block H i in H , then the probability that a bit-flipping algorithm fails to decode the message is lower! Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  18. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack How the attack on QC-MDPC McEliece works? 1 Send a large number of encrypted messages with a randomly generated error vector e . 2 Observe when the recipient requests a message to be resend. (This means that the recipient experienced a decoding error.) 3 Group the encrypted messages into groups Σ d according to the rule: A message belongs to Σ d if its error vector contains the distance d in e 0 . 4 For each Σ d estimate the probability of the decoding error. 5 Select the distances with low estimates of the probability of the decoding error. (These are the distances present in H 0 .) 6 Reconstruct candidates for H 0 . Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  19. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Contents LDPC and MDPC Codes 1 QC-MDPC McEliece 2 Attack of Guo et al. 3 QC-LDPC McEliece 4 Our Attack 5 Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  20. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Private key in QC-LDPC McEliece Private key consists of matrices: H , S , Q . All matrices are quasi-cyclic. Circulant blocks in all three matrices have the same size p × p . Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  21. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Private key in QC-LDPC McEliece - matrix H H is as in QC-MDPC McEliece but sparser,i.e. H = ( H 0 | H 1 | . . . | H n 0 − 1 ) , where each H i is a circulant matrix with a fixed weight. Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  22. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Private key in QC-LDPC McEliece - matrix Q Q is a sparse invertible n × n matrix.   Q 00 Q 0 , n 0 − 1 . . . . . ... . . Q =   . .  ,  Q n 0 − 1 , 0 Q n 0 − 1 , n 0 − 1 . . . where each Q ij is a sparse circulant matrix. Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  23. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Private key in QC-LDPC McEliece - matrix S S is a dense invertible k × k matrix.   S 00 S 0 , k 0 − 1 . . . . . ... . . S =   . .  ,  S k 0 − 1 , 0 S k 0 − 1 , k 0 − 1 . . . where each S ij is a dense circulant matrix. Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  24. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Public Key in QC-LDPC McEliece H , S , Q are randomly generated. A generator matrix G is computed from H . Public key G ′ is computed as: G ′ = S − 1 · G · Q − 1 . Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  25. LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack Encryption in QC-LDPC McEliece Message x is encrypted as: y = x · G ′ + e , where e is an error vector. Fabsic et al. A Reaction Attack on the QC-LDPC McEliece Cryptosystem

Recommend

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR, Universit de Rennes 1 Journes Nationales de Calcul Formel 2020 03/03/2020 Outline 1. McEliece cryptosystem and variants 2. Attack on the ReedSolomon

782 views • 52 slides
Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

1 Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

775 views • 58 slides
Twisted Hermitian Codes and the McEliece Cryptosystem Bethany Matsick Liberty University

Twisted Hermitian Codes and the McEliece Cryptosystem Bethany Matsick Liberty University

Twisted Hermitian Codes and the McEliece Cryptosystem Bethany Matsick Liberty University January 26, 2018 Joint work with Austin Allen, Keller Blackwell, Olivia Fiol, Rutuja Kshirsagar, and Zoe Nelson, supervised by Gretchen Matthews. Coding

773 views • 18 slides
McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange,

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange,

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange, tue.nl Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

899 views • 61 slides
Cryptanalysis of Two Variants of the McEliece Cryptosystem Ayoub Otmani 1

Cryptanalysis of Two Variants of the McEliece Cryptosystem Ayoub Otmani 1

Cryptanalysis of Two Variants of the McEliece Cryptosystem Ayoub Otmani 1 Ayoub.Otmani@info.unicaen.fr eonard Dallot 1 Jean-Pierre Tillich 2 L Leonard.Dallot@info.unicaen.fr jean-pierre.tillich@inria.fr 1 GREYC - Groupe de Recherche en

857 views • 51 slides
- tunnel-effect ( "micro-convergence" ) for SC-LDPC [ 1 ] [ 1 ] Schmalen, ten Brink,

- tunnel-effect ( "micro-convergence" ) for SC-LDPC [ 1 ] [ 1 ] Schmalen, ten Brink,

EXIT-Chart of SC-LDPC Spatial Coupling & Tail-biting Further Investigation Simulation results Block-LDPC SC-LDPC 1 1 0.9 0.9 0.8 0.8 0.7 0.7 I E,VND , I A,CND 0.6 I E,VND , I A,CND 0.6 0.5 0.5 0.4 0.4 0.3 0.3 0.2 0.2 I

436 views • 5 slides
Cryptanalysis of LEDAcrypt Daniel Apon 1 , Ray Perlner 1 , Angela Robinson 1 , Paolo Santini 2 1:

Cryptanalysis of LEDAcrypt Daniel Apon 1 , Ray Perlner 1 , Angela Robinson 1 , Paolo Santini 2 1:

Cryptanalysis of LEDAcrypt Daniel Apon 1 , Ray Perlner 1 , Angela Robinson 1 , Paolo Santini 2 1: NIST 2: Universit Politecnica delle Marche, Florida Atlantic University Significance We present an attack on the QC-LDPC-McEliece construction

735 views • 25 slides
Cryptanalysis of the Sidelnikov cryptosystem Lorenz Minder, Amin Shokrollahi {

Cryptanalysis of the Sidelnikov cryptosystem Lorenz Minder, Amin Shokrollahi {

Cryptanalysis of the Sidelnikov cryptosystem Lorenz Minder, Amin Shokrollahi { lorenz.minder,amin.shokrollahi } @epfl.ch. LMA, EPFL Cryptanalysis of the Sidelnikov cryptosystem p.1/18 McEliece type cryptosystems PKCS based on

785 views • 18 slides
A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti Latincrypt 2019 October 3rd, 2019 A Reaction Attack against Cryptosystems based on LRPC

590 views • 33 slides
The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael

The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael

The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael OKeeffe The College of New Jersey Mathematics Department April 18, 2008 A BSTRACT So long as there are secrets, there is a need for encryption

357 views • 16 slides
Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/ Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane

439 views • 28 slides
McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

1 2 McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical): me; Daniel J. Bernstein, Tung Chou, osaka-u.ac.jp ; uic.edu , rub.de Tanja Lange, tue.nl ; Joint work with: Ingo von Maurich;

1.87k views • 162 slides
Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September 20, 2011 Code-based cryptography 1. Background 2. The McEliece cryptosystem 3. Information-set-decoding attacks 4. Designs: Wild McEliece 5.

721 views • 55 slides
McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

1 2 McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key: Daniel J. Bernstein, matrix G over F 2 . uic.edu , rub.de Normally m mG is injective. Tanja Lange, tue.nl Fundamental literature: 1962

2.16k views • 132 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming

403 views • 25 slides
The RSA Cryptosystem February 27, 2008 Introducing PS4: RSA encryption Problem set 4 is about

The RSA Cryptosystem February 27, 2008 Introducing PS4: RSA encryption Problem set 4 is about

The RSA Cryptosystem February 27, 2008 Introducing PS4: RSA encryption Problem set 4 is about implementing a famous public key cryptosystem, RSA. Administrative Details: Posted by tomorrow. Due Friday March 7, at Noon. My office hours will be

610 views • 23 slides
An Efficient GPU-based An Efficient GPU-based LDPC Decoder for Long LDPC Decoder for Long

An Efficient GPU-based An Efficient GPU-based LDPC Decoder for Long LDPC Decoder for Long

An Efficient GPU-based An Efficient GPU-based LDPC Decoder for Long LDPC Decoder for Long Codewords Codewords Stefan Grnroos Kristian Nybom Jerker Bjrkqvist 18.10.11 bo Akademi University - Turku, Finland 1 Background Background

301 views • 11 slides
Massive MIMO Physical Layer Cryptosystem through Inverse Precoding Amin Sakzad Clayton School of

Massive MIMO Physical Layer Cryptosystem through Inverse Precoding Amin Sakzad Clayton School of

Background and Problem Statement Zero-Forcing (ZF) attack and its Advantage Ratio Inverse Precoding Conclusions Massive MIMO Physical Layer Cryptosystem through Inverse Precoding Amin Sakzad Clayton School of IT Monash University

749 views • 61 slides
Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based

Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based

Contents Background Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based Signature Conclusion Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university,

563 views • 35 slides
McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with: Tanja Lange, tue.nl My main question in this talk: Shouldnt NIST PQC simply standardize Classic McEliece, discard the other 25 proposals?

1.18k views • 79 slides
Decoding random codes: asymptotics, benchmarks, challenges, and implementations D. J.

Decoding random codes: asymptotics, benchmarks, challenges, and implementations D. J.

Decoding random codes: asymptotics, benchmarks, challenges, and implementations D. J. Bernstein University of Illinois at Chicago Assume that were using the McEliece cryptosystem (or Neiderreiter or ) to encrypt a plaintext.

1.17k views • 71 slides
What is... the McEliece system? Violetta Weger University of Zurich Zurich Graduate Colloquium

What is... the McEliece system? Violetta Weger University of Zurich Zurich Graduate Colloquium

What is... the McEliece system? Violetta Weger University of Zurich Zurich Graduate Colloquium 20 November 2018 Violetta Weger What is... the McEliece system? Outline Violetta Weger What is... the McEliece system? 1 Coding Theory 2 Public

779 views • 28 slides

More recommend