efficiency and implementation security of code based
play

Efficiency and Implementation Security of Code-based Cryptosystems - PowerPoint PPT Presentation

Efficiency and Implementation Security of Code-based Cryptosystems PhD Thesis by Falko Strenzke Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany,


  1. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  2. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  3. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  4. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  5. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  6. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  7. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  8. Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 6 / 37

  9. The McEliece PKC Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 7 / 37

  10. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  11. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  12. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  13. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  14. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  15. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  16. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  17. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  18. Syndrome Decoding: Patterson Algorithm secret key: g ( Y ), Γ = ( α 0 , α 1 , . . . , α n − 1 ) input: distorted codeword � e ⊕ � c e ∈ F n output: error vector � 2 m � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m U ( Y ) ← S − 1 mod g ( Y ) // by EEA � τ ( Y ) ← U ( Y ) + Y mod g ( Y ) ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) // β ( Y ) τ ( Y ) ≡ α ( Y ) mod g ( Y ) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) // σ ( Y ) = � t − 1 i =0 ( α f i − Y ) e i ← 1 iff σ ( α i ) = 0 // root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 8 / 37

  19. Implementation Aspects of Cryptograpic Algorithms Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  20. Implementation Aspects of Cryptograpic Algorithms RAM Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  21. Implementation Aspects of Cryptograpic Algorithms RAM ROM Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  22. Implementation Aspects of Cryptograpic Algorithms RAM ROM input ∆ t output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  23. Implementation Aspects of Cryptograpic Algorithms Efficiency RAM ROM input ∆ t output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  24. Implementation Aspects of Cryptograpic Algorithms Efficiency RAM ROM input ∆ t output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  25. Implementation Aspects of Cryptograpic Algorithms Efficiency RAM ROM input input ∆ t ∆ t output output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  26. Implementation Aspects of Cryptograpic Algorithms Efficiency RAM ROM input input ∆ t ∆ t output output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  27. Implementation Aspects of Cryptograpic Algorithms Efficiency Side Channel Security RAM ROM input input ∆ t ∆ t output output Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 9 / 37

  28. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  29. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  30. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  31. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  32. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  33. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  34. The Challenges of Code-based Encryption Code-based schemes known to be fast fast enough on embedded systems (smart cards)? time memory trade-offs? Large public-key size what does this mean for embedded systems? Side Channel Security no previous works Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 10 / 37

  35. Overview RSA Efficiency Key-aimed SCA Message-aimed SCA (Message-aimed SCA) PQCrypto 2008 Timing Attack ICISC 2009 Timing Attack PQCrypto 2010 JCEN 2011 ISICS 2010 Timing Attack Power Analysis Attack ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization CANS 2012 Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 11 / 37

  36. Overview Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 12 / 37

  37. Message-aimed Timing Attack Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 13 / 37

  38. Message-aimed Timing Attack (I) let w = wt ( � e ) deg ( σ ( Y )) = w for w ≤ t basically any root-finding variant: (at least) linear dependency of root-finding time on deg ( σ ( Y )) Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 14 / 37

  39. Message-aimed Timing Attack (I) let w = wt ( � e ) deg ( σ ( Y )) = w for w ≤ t basically any root-finding variant: (at least) linear dependency of root-finding time on deg ( σ ( Y )) Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 14 / 37

  40. Message-aimed Timing Attack (I) let w = wt ( � e ) deg ( σ ( Y )) = w for w ≤ t basically any root-finding variant: (at least) linear dependency of root-finding time on deg ( σ ( Y )) Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 14 / 37

  41. Message-aimed Timing Attack (I) let w = wt ( � e ) deg ( σ ( Y )) = w for w ≤ t basically any root-finding variant: (at least) linear dependency of root-finding time on deg ( σ ( Y )) Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 14 / 37

  42. Message-aimed Timing Attack (II) t = 50 Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 15 / 37

  43. Overview Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 16 / 37

  44. Refinements of the Message-aimed Attack Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 17 / 37

  45. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  46. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  47. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  48. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  49. Refinements of the Message-aimed Attack (outline) Number of iterations in the EEA already dependent on w smaller timing differences, allowing same attack countermeasure: avoid “premature” abortion of the EEA Related simple power analysis attack on the number of iterations in EEA similar countermeasure Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 18 / 37

  50. Overview Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 19 / 37

  51. Analysis of Root-Finding Variants Efficiency Key-aimed SCA Message-aimed SCA Decryption: � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � PQCrypto 2008 � �� � Timing Attack ∈ F t 2 m U ( Y ) ← S − 1 ( Y ) mod g ( Y ) � ICISC 2009 τ ( Y ) ← U ( Y ) + Y mod g ( Y ) Timing Attack ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) PQCrypto 2010 JCEN 2011 Timing Attack Power Analysis Attack e i ← 1 iff σ ( α i ) = 0 ISC 2012 PQCrypto 2013 JCEN 2011 Key Storage Timing Attack Generalization Encryption: z ′ = � � mG p CANS 2012 z ′ ⊕ � � z = � e Root finding Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 20 / 37

  52. Analysis of Root-Finding Variants RAM Mess.- Key-aim. Speed demands aim. TA TA Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  53. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  54. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  55. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  56. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  57. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  58. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  59. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- tion w/ division Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  60. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms tion w/ division Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  61. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte tion w/ division Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  62. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe tion w/ division Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  63. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe safe with tion w/ division c.m. Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  64. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe safe with tion w/ division c.m. BTZ 2 Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  65. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe safe with tion w/ division c.m. BTZ 2 272ms Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

  66. Analysis of Root-Finding Variants using parameters n = 6624, t = 115 (244 bit security); Atmel AP7000, 30 MHz RAM Mess.- Key-aim. Speed demands aim. TA TA exh. evaluation 1269ms 2344 byte safe safe exh. evalua- 638ms 2344 byte unsafe safe with tion w/ division c.m. BTZ 2 272ms 34886 byte Efficiency and Implementation Security of Code-based Cryptosyst. Falko Strenzke 21 / 37

Recommend


More recommend