Fast and Secure Root Finding for Code-based Cryptosystems Falko - PowerPoint PPT Presentation

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit¨ at Darmstadt, Germany, fstrenzke@crypto-source.de April 13, 2015 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 1 / 38

Introduction Code-based Cryptography employs error corrections codes its security is based on the syndrome decoding problem secure in the presence of quantum computers Code-based Cryptosystems: McEliece and Niederreiter both use the Patterson Algorithm in decryption root-finding of polynomial over F 2 m Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 2 / 38

Introduction 1 Preliminaries 2 Previous Work 3 Variants of Root-finding 4 Side Channel Security Aspects of Root Finding 5 Message-aimed Attacks Key-aimed Attacks Performance 6 Conclusion 7 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 3 / 38

Introduction 1 Preliminaries 2 Previous Work 3 Variants of Root-finding 4 Side Channel Security Aspects of Root Finding 5 Message-aimed Attacks Key-aimed Attacks Performance 6 Conclusion 7 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 4 / 38

Error Correcting Codes Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 5 / 38

Goppa Codes Parameters of a Goppa Code irreducible polynomial g ( Y ) ∈ F 2 m [ Y ] of degree t (the Goppa Polynomial) support Γ = ( α 0 , α 1 , . . . , α n − 1 ), where α i are pairwise distinct elements of F 2 m Properties of the Code the code has length n ≤ 2 m (code word length) , dimension k = n − mt (message length) and can correct up to t errors. a parity check matrix H , where cH ⊤ = 0 if c ∈ C example for secure parameters: n = 2048, t = 50 for 100 bit security Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 6 / 38

The McEliece PKC key generation choose the parameters n and t generate randomly g ( Y ) and Γ (determining the secret the code) for this private code C s one has a private generator matrix G s the public key is G p = [ I | G ′ p ] = TG s encryption: � z = � mG p + � e , wt ( � e ) = t decryption: knowing g ( Y ) and Γ, � e and thus also � m can be recovered Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 7 / 38

The McEliece PKC Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 8 / 38

Syndrome Decoding secret key: g ( Y ), Γ = { α 0 , α 1 , . . . , α n − 1 } e ∈ F n error vector � 2 m , wt ( � e ) = t chosen during encryption � � ⊤ c ) H ⊤ Y t − 1 , · · · , Y , 1 S ( Y ) ← ( � e ⊕ � � �� � ∈ F t 2 m � S − 1 ( Y ) + Y mod g ( Y ) // by EEA τ ( Y ) ← ( α ( Y ) , β ( Y )) ← EEA ( g ( Y ) , τ ( Y )) σ ( Y ) ← α 2 ( Y ) + Y β 2 ( Y ) e i ← 1 iff σ ( α i ) = 0 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 9 / 38

Introduction 1 Preliminaries 2 Previous Work 3 Variants of Root-finding 4 Side Channel Security Aspects of Root Finding 5 Message-aimed Attacks Key-aimed Attacks Performance 6 Conclusion 7 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 10 / 38

Previous Work Biswas, Sendrier, PQCrypto 2008: HyMES McEliece implementation Strenzke, Tews, Molter, Overbeck, Shoufan, PQCrypto 2008: message-aimed side-channel attack Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 11 / 38

Introduction 1 Preliminaries 2 Previous Work 3 Variants of Root-finding 4 Side Channel Security Aspects of Root Finding 5 Message-aimed Attacks Key-aimed Attacks Performance 6 Conclusion 7 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 12 / 38

Exhaustive Evaluation with and without Division σ ( Y ) = � w − 1 i =0 ( α f i − Y ) Require: the polynomial σ ( Y ) over F 2 m Ensure: the set E , where γ i is a root of σ ( Y ) if and only if i ∈ E 1: E = ∅ 2: for i = 0 up to i = n − 1 do if σ ( γ i ) = 0 then 3: E ← E ∪ { i } 4: σ ( Y ) ← σ ( Y ) / ( Y ⊕ γ i ) 5: end if 6: 7: end for 8: return E → eval-rf , eval-div-rf Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 13 / 38

Berlekamp Trace Algorithm Tr ( Y ) = Y + Y 2 + Y 2 2 + . . . + Y 2 m − 1 , and { β 1 , β 2 , . . . , β m } is a standard basis of F 2 m . initial call: BTA( σ ( Y ), 1) algorithm BTA(Ω( Y ), i) : 1: if deg (Ω( Y ) ≤ 1) then return root of Ω( Y ) 2: 3: end if 4: Ω 0 ( Y ) ← gcd(Ω( Y ) , Tr ( β i · Y )) 5: Ω 1 ( Y ) ← gcd(Ω( Y ) , 1 + Tr ( β i · Y )) 6: return BTA(Ω 0 ( Y ) , i + 1) ∪ BTA(Ω 1 ( Y ) , i + 1) → BTA-rf Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 14 / 38

Berlekamp Trace Algorithm - Hybrid Algorithms Biswas, Herbert 2009: improvement of BTA with root-finding algorithms for low degrees efficient root-finding for degree 2 with lookup tables → BTZ 2 -rf Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 15 / 38

Root Finding with Linearized Polynomials Definition linearized polynomial: L ( Y ) = � i L i Y 2 i , where L i ∈ F 2 m . Definition affine polynomial: A ( Y ) = L ( Y ) + β with β ∈ F 2 m Federenko, Trifonov 2002: A ( x i ) = A ( x i − 1 ) + L (∆ i ) , ∆ i = x i − x i − 1 = α δ ( x i , x i − 1 ) , where { α 0 , α 1 , . . . , α m − 1 } is a standard basis of F 2 m and wt ( x i ⊕ x i − 1 ) = 1 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 16 / 38

Root Finding with Linearized Polynomials ⌈ ( t − 4) / 5 ⌉ � f ( Y ) = f 3 Y 3 + Y 5 i A i ( Y ) , (1) i =0 where 3 � f 5 i +2 j Y 2 j . A i ( Y ) = f 5 i + (2) j =0 → dcmp-rf Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 17 / 38

Root Finding with Linearized Polynomials – Hybrid Variant dcmp-div-rf : perform divisions by found roots (after each 5 roots) Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 18 / 38

Introduction 1 Preliminaries 2 Previous Work 3 Variants of Root-finding 4 Side Channel Security Aspects of Root Finding 5 Message-aimed Attacks Key-aimed Attacks Performance 6 Conclusion 7 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 19 / 38

Side Channel Security Aspects of Root Finding Only timing attacks Message-aimed attacks: observe decryption and recover message Key-aimed attacks: observe decryption and recover key Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 20 / 38

Introduction 1 Preliminaries 2 Previous Work 3 Variants of Root-finding 4 Side Channel Security Aspects of Root Finding 5 Message-aimed Attacks Key-aimed Attacks Performance 6 Conclusion 7 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 21 / 38

Previously Known Message-aimed Attacks deg ( σ ( Y )) = wt ( � e ) when wt ( � e ) ≤ t → known TA against eval-rf : decryption time ∼ wt ( � e ) Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 22 / 38

Previously Known Message-aimed Attacks Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 23 / 38

Vulnerability of eval-div-rf countermeasure against this vulnerability: ensure deg ( σ ( Y )) = t number of roots very small when wt ( � e ) > t also for wt ( � e ) < t due to countermeasure → number of roots very small when wt ( � e ) � = t Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 24 / 38

Vulnerability of eval-div-rf remaining vulnerability of eval-div-rf ( t = 33): 3.6e+06 3.4e+06 cycles taken by eval-div-rf 3.2e+06 3e+06 2.8e+06 2.6e+06 2.4e+06 2.2e+06 2e+06 1.8e+06 1.6e+06 20 25 30 35 40 error weight w number of roots very small when wt ( � e ) � = t → two-bit-flip attack is still successful: attacker learns when he flipped one error and one non-error position Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 25 / 38

Vulnerability of BTA-rf 2.35e+06 2.3e+06 2.25e+06 cycles taken by bta-rf 2.2e+06 2.15e+06 2.1e+06 2.05e+06 2e+06 1.95e+06 1.9e+06 20 25 30 35 40 error weight w Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 26 / 38

Introduction 1 Preliminaries 2 Previous Work 3 Variants of Root-finding 4 Side Channel Security Aspects of Root Finding 5 Message-aimed Attacks Key-aimed Attacks Performance 6 Conclusion 7 Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 27 / 38

Error Positions and Support Elements � e = ( 0 0 . . . 0 1 0 . . . 0 1 0 . . . ) indexes: 0 1 . . . f 1 f 2 α f 1 α f 2 σ ( Y ) = � w − 1 i =0 ( α f i − Y ) Γ = { α 0 , α 1 , . . . α n − 1 } Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke 28 / 38