Error Amplification in Code-based Cryptography
Alexander Nilsson (1,2), Thomas Johansson (1), Paul Stankovski Wagner (1)
August 27, 2019
1 Dept. of Electrical and Information Technology, Lund University, Sweden
2 Advenica AB, Malmö, Sweden
WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM

Outline
• Background
• Code-based Cryptography
• Previous work
• Attack Scenario
• Contributions
• The Chaining method
• Generating $e_0$
• Results
• Amplification effect
• Wrapping it up

Code-based Cryptography
• One of the major branches of cryptographic post-quantum research.
• Security based on hardness of decoding random linear codes.
• The McEliece cryptosystem from 1978, using binary Goppa codes, is still secure today.
• Large keys!

QC-MDPC (1/5)
Quasi-Cyclic Medium Density Parity Check is a variant of the McEliece cryptosystem [Mis+12]:
• More compact keys by using cyclic structures in the key matrices.
• Encryption simply: $c \leftarrow mG + e$
• Uses iterative bitflipping decoding in the decryption stage.
• The Decryption Failure Rate (DFR) is non-zero.

QC-MDPC (2/5)
An $(n, r, w)$-QC-MDPC code is a linear code with error correcting capability $t$, length $n$, codimension $r$ and row weight $w$ in the parity check matrix $H$. Additionally we have that $n = n_0 r$.
Suggested parameters for 80-bit security: $n_0 = 2$, $n = 9602$, $r = 4801$, $w = 90$, $t = 84$.
Sparse! $\approx 99$ bits out of 100 are zero in $H$.

QC-MDPC (3/5)
The secret key $H \in \mathbb{F}_2^{r \times n}$ is constructed as $H = [H_0 \mid H_1 \mid \dots \mid H_{n_0-1}]$, where each $H_i$ is a circulant $r \times r$ matrix.
For $n_0 = 2$, we get
$$H = \begin{bmatrix}
h_{0,0} & h_{0,1} & \cdots & h_{0,r-1} & h_{1,0} & h_{1,1} & \cdots & h_{1,r-1} \\
h_{0,r-1} & h_{0,0} & \cdots & h_{0,r-2} & h_{1,r-1} & h_{1,0} & \cdots & h_{1,r-2} \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
h_{0,1} & h_{0,2} & \cdots & h_{0,0} & h_{1,1} & h_{1,2} & \cdots & h_{1,0}
\end{bmatrix}$$
Knowledge of $h_0$ (the first row of $H_0$) is sufficient for complete key recovery.

QC-MDPC (4/5)
The public key $G \in \mathbb{F}_2^{(n-r) \times n}$ is constructed as follows:
$$G = \left[\; I \;\middle|\; \begin{matrix}
(H_{n_0-1}^{-1} \cdot H_0)^T \\
(H_{n_0-1}^{-1} \cdot H_1)^T \\
\vdots \\
(H_{n_0-1}^{-1} \cdot H_{n_0-2})^T
\end{matrix} \;\right]$$
Encryption of plaintext $m \in \mathbb{F}_2^{n-r}$ into $c \in \mathbb{F}_2^{n}$ is given by:
1. Generating random $e \in \mathbb{F}_2^{n}$ with Hamming weight $\mathrm{wt}(e)$ less than $t$.
2. Computing $c \leftarrow mG + e$.

QC-MDPC (5/5)
To decrypt $c \in \mathbb{F}_2^{n}$ into $m \in \mathbb{F}_2^{n-r}$ we need a decoding algorithm, $\Psi_H$, with knowledge of $H$.
1. Decode $mG \leftarrow \Psi_H(mG + e)$.
2. Plaintext $m$ is the first $(n - r)$ positions of $mG$.
The decoding algorithms ($\Psi_H$) are based on variants of the original Gallager's bitflipping algorithm.
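The QC-MDPC slides above define the circulant secret key H = [H0 | H1], the public key G = [I | (H1^{-1} H0)^T], encryption c = mG + e and bitflipping decryption. The Python below is an added worked example written for this page; it is not code from the authors, from [Mis+12] or from any QC-MDPC implementation. It uses toy parameters that are constructed here (r = 101, w = 10, t = 5, n0 = 2) instead of the 80-bit set on slide QC-MDPC (2/5). Every circulant matrix is stored as its first-row polynomial in F2[x]/(x^r - 1), so H and G are never materialised; the decoder implements one simple Gallager variant that is an assumption of this example (flip every position whose unsatisfied-parity-check counter reaches the current maximum, at most 20 rounds), since the slides only say "variants of Gallager's bitflipping". `estimate_dfr` measures the non-zero decryption failure rate that slide QC-MDPC (1/5) mentions.

```python
import random

# Toy parameters, constructed for illustration. The slides' 80-bit set is
# n0 = 2, r = 4801, w = 90, t = 84; the same code runs it, just slowly.
R, W, T = 101, 10, 5   # block length r, row weight w of H, error weight t

# Polynomials over F2 are ints (bit i = coefficient of x^i). A circulant r x r
# matrix is identified with its first row c(x), so that v*C(c) = v(x)c(x)
# mod (x^r - 1), C(a)C(b) = C(ab) and C(c)^T = C(rev(c)).

def clmul(a, b):
    """Carry-less product in F2[x]."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        a, b = a << 1, b >> 1
    return res

def mulmod(a, b, r=R):
    """a(x)b(x) mod (x^r - 1): fold every x^(r+k) back onto x^k."""
    res, mask = clmul(a, b), (1 << r) - 1
    while res >> r:
        res = (res & mask) ^ (res >> r)
    return res

def divmod_f2(a, b):
    """Long division in F2[x]; returns (quotient, remainder)."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        s = a.bit_length() - b.bit_length()
        q, a = q ^ (1 << s), a ^ (b << s)
    return q, a

def invmod(a, r=R):
    """Inverse of a(x) mod x^r + 1 by extended Euclid; None if no inverse."""
    m = (1 << r) | 1
    old_r, cur_r, old_s, cur_s = m, a, 0, 1
    while cur_r:
        q, rem = divmod_f2(old_r, cur_r)
        old_r, cur_r, old_s, cur_s = cur_r, rem, cur_s, old_s ^ clmul(q, cur_s)
    return divmod_f2(old_s, m)[1] if old_r == 1 else None

def rev(c, r=R):  # x -> x^(-1): first row of the transpose C(c)^T
    return (c & 1) | sum(1 << (r - k) for k in range(1, r) if (c >> k) & 1)

def rot(v, j, r=R):  # cyclic shift by j, i.e. multiplication by x^j
    return ((v << j) | (v >> (r - j))) & ((1 << r) - 1)

def random_sparse(weight, length, rng):  # random vector of the given weight
    return sum(1 << p for p in rng.sample(range(length), weight))

def keygen(r=R, w=W, rng=random):
    """Secret key (h0, h1): first rows of H0, H1. Public key g: first row of (H1^-1 H0)^T."""
    while True:
        h0, h1 = random_sparse(w // 2, r, rng), random_sparse(w // 2, r, rng)
        h1_inv = invmod(h1, r)
        if h1_inv is not None:
            return (h0, h1), rev(mulmod(h1_inv, h0, r), r)

def random_error(t, r, rng):
    """Weight-t error in F2^(2r), returned as its two r-bit blocks (e0, e1)."""
    e = random_sparse(t, 2 * r, rng)
    return e & ((1 << r) - 1), e >> r

def encrypt(m, g, e, r=R):
    """c <- mG + e with G = [I | C(g)]: c0 = m + e0, c1 = m*g + e1."""
    return m ^ e[0], mulmod(m, g, r) ^ e[1]

def syndrome(c, sk, r=R):
    """s = H c^T = C(h0) c0^T + C(h1) c1^T."""
    return mulmod(rev(sk[0], r), c[0], r) ^ mulmod(rev(sk[1], r), c[1], r)

def bitflip_decode(c, sk, r=R, max_iters=20):
    """Assumed simple Gallager variant: per round flip every position whose count
    of unsatisfied checks equals the current maximum. None = decoding failure."""
    cols = [rev(h, r) for h in sk]   # column j of H_b is rot(cols[b], j)
    c = list(c)
    for _ in range(max_iters):
        s = syndrome(c, sk, r)
        if s == 0:
            return tuple(c)
        counters = {(b, j): bin(s & rot(cols[b], j, r)).count("1")
                    for b in range(2) for j in range(r)}
        thr = max(counters.values())
        for (b, j), cnt in counters.items():
            if cnt == thr:
                c[b] ^= 1 << j
    return None

def decrypt(c, sk, r=R):  # plaintext m = first n - r = r positions of decoded mG
    word = bitflip_decode(c, sk, r)
    return None if word is None else word[0]

def estimate_dfr(trials, t=T, r=R, w=W, rng=random):
    """Fraction of random instances on which decoding fails: the non-zero DFR."""
    failures = 0
    for _ in range(trials):
        sk, g = keygen(r, w, rng)
        m = rng.getrandbits(r)
        failures += decrypt(encrypt(m, g, random_error(t, r, rng), r), sk, r) != m
    return failures / trials

if __name__ == "__main__":
    rng = random.Random(2019)
    print("estimated DFR over 200 trials:", estimate_dfr(200, rng=rng))
```

Running the file prints an estimated DFR over 200 random keys and messages. Because a codeword satisfies mG H^T = 0, `syndrome` of an error-free ciphertext is zero and the decoder returns at once; with errors present, whether the bitflipping converges depends on how the error positions overlap the sparse rows of the secret H, which is why the DFR is a key-dependent quantity and not just a reliability figure.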
