mctiny classic mceliece org mceliece for tiny network
play

McTiny: classic.mceliece.org McEliece for tiny network servers - PowerPoint PPT Presentation

Mar 31, 2023 •237 likes •1.87k views

1 2 McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical): me; Daniel J. Bernstein, Tung Chou, osaka-u.ac.jp ; uic.edu , rub.de Tanja Lange, tue.nl ; Joint work with: Ingo von Maurich;

  1. 3 4 Encoding and decoding Binary Goppa codes iterature: 1978 McEliece public key: Parameters: q ∈ { (attack) matrix A over F 2 . w ∈ { 2 ; 3 ; : : : ; ⌊ ( q attack papers. Normally s �→ As is injective. n ∈ { w lg q + 1 ; : : (decoder). Ciphertext: vector C = As + e . Goppa (codes). Uses secret “codeword” As , (cryptosystem). weight- w “error vector” e . Niederreiter (dual) 1978 parameters for 2 64 security optimizations. goal: 1024 × 512 matrix, w = 50. McEliece, round 1. Public key is secretly generated submitters may wish with “binary Goppa code” rameter sets for structure that allows efficient categories.” ⇒ decoding: C �→ As; e . e, round 2.

  2. 3 4 Encoding and decoding Binary Goppa codes 1978 McEliece public key: Parameters: q ∈ { 8 ; 16 ; 32 ; : matrix A over F 2 . w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ers. Normally s �→ As is injective. n ∈ { w lg q + 1 ; : : : ; q − 1 ; q der). Ciphertext: vector C = As + e . des). Uses secret “codeword” As , (cryptosystem). weight- w “error vector” e . 1978 parameters for 2 64 security optimizations. goal: 1024 × 512 matrix, w = 50. round 1. Public key is secretly generated y wish with “binary Goppa code” sets for structure that allows efficient ⇒ decoding: C �→ As; e .

  3. 4 5 Encoding and decoding Binary Goppa codes 1978 McEliece public key: Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; matrix A over F 2 . w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Normally s �→ As is injective. n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Ciphertext: vector C = As + e . Uses secret “codeword” As , weight- w “error vector” e . 1978 parameters for 2 64 security goal: 1024 × 512 matrix, w = 50. Public key is secretly generated with “binary Goppa code” structure that allows efficient decoding: C �→ As; e .

  4. 4 5 Encoding and decoding Binary Goppa codes 1978 McEliece public key: Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; matrix A over F 2 . w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Normally s �→ As is injective. n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Ciphertext: vector C = As + e . Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; Uses secret “codeword” As , monic irreducible degree- w weight- w “error vector” e . polynomial g ∈ F q [ x ]. 1978 parameters for 2 64 security goal: 1024 × 512 matrix, w = 50. Public key is secretly generated with “binary Goppa code” structure that allows efficient decoding: C �→ As; e .

  5. 4 5 Encoding and decoding Binary Goppa codes 1978 McEliece public key: Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; matrix A over F 2 . w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Normally s �→ As is injective. n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Ciphertext: vector C = As + e . Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; Uses secret “codeword” As , monic irreducible degree- w weight- w “error vector” e . polynomial g ∈ F q [ x ]. 1978 parameters for 2 64 security Goppa code: kernel of the map v �→ P goal: 1024 × 512 matrix, w = 50. i v i = ( x − ¸ i ) from F n 2 to F q [ x ] =g . Public key is secretly generated Normal dimension n − w lg q . with “binary Goppa code” structure that allows efficient decoding: C �→ As; e .

  6. 4 5 Encoding and decoding Binary Goppa codes 1978 McEliece public key: Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; matrix A over F 2 . w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Normally s �→ As is injective. n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . Ciphertext: vector C = As + e . Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; Uses secret “codeword” As , monic irreducible degree- w weight- w “error vector” e . polynomial g ∈ F q [ x ]. 1978 parameters for 2 64 security Goppa code: kernel of the map v �→ P goal: 1024 × 512 matrix, w = 50. i v i = ( x − ¸ i ) from F n 2 to F q [ x ] =g . Public key is secretly generated Normal dimension n − w lg q . with “binary Goppa code” structure that allows efficient McEliece uses random matrix A decoding: C �→ As; e . whose image is this code.

  7. 4 5 ding and decoding Binary Goppa codes One-wayness McEliece public key: Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; Fundamental A over F 2 . w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Given random rmally s �→ As is injective. n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . ciphertext can attack Ciphertext: vector C = As + e . Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; secret “codeword” As , monic irreducible degree- w eight- w “error vector” e . polynomial g ∈ F q [ x ]. parameters for 2 64 security Goppa code: kernel of the map v �→ P 1024 × 512 matrix, w = 50. i v i = ( x − ¸ i ) from F n 2 to F q [ x ] =g . key is secretly generated Normal dimension n − w lg q . “binary Goppa code” structure that allows efficient McEliece uses random matrix A ding: C �→ As; e . whose image is this code.

  8. 4 5 decoding Binary Goppa codes One-wayness (OW-P public key: Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; Fundamental securit . w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Given random public As is injective. n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . ciphertext As + e can attacker efficiently vector C = As + e . Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; deword” As , monic irreducible degree- w vector” e . polynomial g ∈ F q [ x ]. for 2 64 security Goppa code: kernel of the map v �→ P 512 matrix, w = 50. i v i = ( x − ¸ i ) from F n 2 to F q [ x ] =g . secretly generated Normal dimension n − w lg q . Goppa code” allows efficient McEliece uses random matrix A As; e . whose image is this code.

  9. 4 5 Binary Goppa codes One-wayness (OW-Passive) Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; Fundamental security question: w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Given random public key A and injective. n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . ciphertext As + e for random can attacker efficiently find s + e . Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; As , monic irreducible degree- w . polynomial g ∈ F q [ x ]. security Goppa code: kernel of the map v �→ P w = 50. i v i = ( x − ¸ i ) from F n 2 to F q [ x ] =g . generated Normal dimension n − w lg q . efficient McEliece uses random matrix A whose image is this code.

  10. 5 6 Binary Goppa codes One-wayness (OW-Passive) Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; Fundamental security question: w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Given random public key A and n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . ciphertext As + e for random s; e , can attacker efficiently find s; e ? Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; monic irreducible degree- w polynomial g ∈ F q [ x ]. Goppa code: kernel of the map v �→ P i v i = ( x − ¸ i ) from F n 2 to F q [ x ] =g . Normal dimension n − w lg q . McEliece uses random matrix A whose image is this code.

  11. 5 6 Binary Goppa codes One-wayness (OW-Passive) Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; Fundamental security question: w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Given random public key A and n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . ciphertext As + e for random s; e , can attacker efficiently find s; e ? Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; monic irreducible degree- w 1962 Prange: simple attack idea polynomial g ∈ F q [ x ]. guiding sizes in 1978 McEliece. Goppa code: kernel of the map v �→ P i v i = ( x − ¸ i ) from F n 2 to F q [ x ] =g . Normal dimension n − w lg q . McEliece uses random matrix A whose image is this code.

  12. 5 6 Binary Goppa codes One-wayness (OW-Passive) Parameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; Fundamental security question: w ∈ { 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Given random public key A and n ∈ { w lg q + 1 ; : : : ; q − 1 ; q } . ciphertext As + e for random s; e , can attacker efficiently find s; e ? Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; monic irreducible degree- w 1962 Prange: simple attack idea polynomial g ∈ F q [ x ]. guiding sizes in 1978 McEliece. Goppa code: kernel of The McEliece system the map v �→ P i v i = ( x − ¸ i ) (with later key-size optimizations) from F n uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys 2 to F q [ x ] =g . as – → ∞ to achieve 2 – security Normal dimension n − w lg q . against Prange’s attack. McEliece uses random matrix A Here c 0 ≈ 0 : 7418860694. whose image is this code.

  13. 5 6 Goppa codes One-wayness (OW-Passive) ≥ 25 subsequent analyzing rameters: q ∈ { 8 ; 16 ; 32 ; : : : } ; Fundamental security question: 2 ; 3 ; : : : ; ⌊ ( q − 1) = lg q ⌋} ; Given random public key A and 1981 Cla lg q + 1 ; : : : ; q − 1 ; q } . ciphertext As + e for random s; e , crediting can attacker efficiently find s; e ? 1988 Lee–Brick Secrets: distinct ¸ 1 ; : : : ; ¸ n ∈ F q ; 1988 Leon. irreducible degree- w 1962 Prange: simple attack idea 1989 Krouk. olynomial g ∈ F q [ x ]. guiding sizes in 1978 McEliece. 1989 Stern. code: kernel of The McEliece system 1989 Dumer. map v �→ P i v i = ( x − ¸ i ) (with later key-size optimizations) 1990 Coffey–Go n uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys 2 to F q [ x ] =g . 1990 van as – → ∞ to achieve 2 – security rmal dimension n − w lg q . 1991 Dumer. against Prange’s attack. 1991 Coffey–Go McEliece uses random matrix A Here c 0 ≈ 0 : 7418860694. 1993 Chabanne–Courteau. image is this code.

  14. 5 6 des One-wayness (OW-Passive) ≥ 25 subsequent publication analyzing one-wayness { 8 ; 16 ; 32 ; : : : } ; Fundamental security question: ( q − 1) = lg q ⌋} ; Given random public key A and 1981 Clark–Cain, : : : ; q − 1 ; q } . ciphertext As + e for random s; e , crediting Omura. can attacker efficiently find s; e ? 1988 Lee–Brickell. ¸ 1 ; : : : ; ¸ n ∈ F q ; 1988 Leon. irreducible degree- w 1962 Prange: simple attack idea 1989 Krouk. F q [ x ]. guiding sizes in 1978 McEliece. 1989 Stern. ernel of The McEliece system 1989 Dumer. i v i = ( x − ¸ i ) (with later key-size optimizations) 1990 Coffey–Goodman. uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys ] =g . 1990 van Tilburg. as – → ∞ to achieve 2 – security dimension n − w lg q . 1991 Dumer. against Prange’s attack. 1991 Coffey–Goodman–F random matrix A Here c 0 ≈ 0 : 7418860694. 1993 Chabanne–Courteau. this code.

  15. 5 6 One-wayness (OW-Passive) ≥ 25 subsequent publications analyzing one-wayness of system ; : : : } ; Fundamental security question: q ⌋} ; Given random public key A and 1981 Clark–Cain, ; q } . ciphertext As + e for random s; e , crediting Omura. can attacker efficiently find s; e ? 1988 Lee–Brickell. n ∈ F q ; 1988 Leon. 1962 Prange: simple attack idea 1989 Krouk. guiding sizes in 1978 McEliece. 1989 Stern. The McEliece system 1989 Dumer. ¸ i ) (with later key-size optimizations) 1990 Coffey–Goodman. uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys 1990 van Tilburg. as – → ∞ to achieve 2 – security lg q . 1991 Dumer. against Prange’s attack. 1991 Coffey–Goodman–Farrell. matrix A Here c 0 ≈ 0 : 7418860694. 1993 Chabanne–Courteau.

  16. 6 7 One-wayness (OW-Passive) ≥ 25 subsequent publications analyzing one-wayness of system: Fundamental security question: Given random public key A and 1981 Clark–Cain, ciphertext As + e for random s; e , crediting Omura. can attacker efficiently find s; e ? 1988 Lee–Brickell. 1988 Leon. 1962 Prange: simple attack idea 1989 Krouk. guiding sizes in 1978 McEliece. 1989 Stern. The McEliece system 1989 Dumer. (with later key-size optimizations) 1990 Coffey–Goodman. uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys 1990 van Tilburg. as – → ∞ to achieve 2 – security 1991 Dumer. against Prange’s attack. 1991 Coffey–Goodman–Farrell. Here c 0 ≈ 0 : 7418860694. 1993 Chabanne–Courteau.

  17. 6 7 ayness (OW-Passive) ≥ 25 subsequent publications 1993 Chabaud. analyzing one-wayness of system: 1994 van undamental security question: 1994 Canteaut–Chabanne. random public key A and 1981 Clark–Cain, 1998 Canteaut–Chabaud. ciphertext As + e for random s; e , crediting Omura. 1998 Canteaut–Sendrier. attacker efficiently find s; e ? 1988 Lee–Brickell. 2008 Bernstein–Lange–P 1988 Leon. Prange: simple attack idea 2009 Bernstein–Lange–P 1989 Krouk. guiding sizes in 1978 McEliece. van 1989 Stern. 2009 Finiasz–Sendrier. McEliece system 1989 Dumer. 2011 Bernstein–Lange–P later key-size optimizations) 1990 Coffey–Goodman. 2011 Ma 0 + o (1)) – 2 (lg – ) 2 -bit keys 1990 van Tilburg. 2012 Beck ∞ to achieve 2 – security 1991 Dumer. 2013 Hamdaoui–Sendrier. against Prange’s attack. 1991 Coffey–Goodman–Farrell. 2015 Ma 0 ≈ 0 : 7418860694. 1993 Chabanne–Courteau. 2016 Canto

  18. 6 7 W-Passive) ≥ 25 subsequent publications 1993 Chabaud. analyzing one-wayness of system: 1994 van Tilburg. security question: 1994 Canteaut–Chabanne. public key A and 1981 Clark–Cain, 1998 Canteaut–Chabaud. e for random s; e , crediting Omura. 1998 Canteaut–Sendrier. efficiently find s; e ? 1988 Lee–Brickell. 2008 Bernstein–Lange–P 1988 Leon. simple attack idea 2009 Bernstein–Lange–P 1989 Krouk. 1978 McEliece. van Tilborg. 1989 Stern. 2009 Finiasz–Sendrier. system 1989 Dumer. 2011 Bernstein–Lange–P ey-size optimizations) 1990 Coffey–Goodman. 2011 May–Meurer–Th – 2 (lg – ) 2 -bit keys 1990 van Tilburg. 2012 Becker–Joux–Ma achieve 2 – security 1991 Dumer. 2013 Hamdaoui–Sendrier. attack. 1991 Coffey–Goodman–Farrell. 2015 May–Ozerov. 7418860694. 1993 Chabanne–Courteau. 2016 Canto Torres–Sendrier.

  19. 6 7 assive) ≥ 25 subsequent publications 1993 Chabaud. analyzing one-wayness of system: 1994 van Tilburg. question: 1994 Canteaut–Chabanne. and 1981 Clark–Cain, 1998 Canteaut–Chabaud. random s; e , crediting Omura. 1998 Canteaut–Sendrier. find s; e ? 1988 Lee–Brickell. 2008 Bernstein–Lange–Peters. 1988 Leon. attack idea 2009 Bernstein–Lange–Peters– 1989 Krouk. McEliece. van Tilborg. 1989 Stern. 2009 Finiasz–Sendrier. 1989 Dumer. 2011 Bernstein–Lange–Peters. optimizations) 1990 Coffey–Goodman. 2011 May–Meurer–Thomae. -bit keys 1990 van Tilburg. 2012 Becker–Joux–May–Meurer. security 1991 Dumer. 2013 Hamdaoui–Sendrier. 1991 Coffey–Goodman–Farrell. 2015 May–Ozerov. 1993 Chabanne–Courteau. 2016 Canto Torres–Sendrier.

  20. 7 8 ≥ 25 subsequent publications 1993 Chabaud. analyzing one-wayness of system: 1994 van Tilburg. 1994 Canteaut–Chabanne. 1981 Clark–Cain, 1998 Canteaut–Chabaud. crediting Omura. 1998 Canteaut–Sendrier. 1988 Lee–Brickell. 2008 Bernstein–Lange–Peters. 1988 Leon. 2009 Bernstein–Lange–Peters– 1989 Krouk. van Tilborg. 1989 Stern. 2009 Finiasz–Sendrier. 1989 Dumer. 2011 Bernstein–Lange–Peters. 1990 Coffey–Goodman. 2011 May–Meurer–Thomae. 1990 van Tilburg. 2012 Becker–Joux–May–Meurer. 1991 Dumer. 2013 Hamdaoui–Sendrier. 1991 Coffey–Goodman–Farrell. 2015 May–Ozerov. 1993 Chabanne–Courteau. 2016 Canto Torres–Sendrier.

  21. 7 8 subsequent publications 1993 Chabaud. The McEliece analyzing one-wayness of system: 1994 van Tilburg. uses ( c 0 1994 Canteaut–Chabanne. as – → ∞ Clark–Cain, 1998 Canteaut–Chabaud. against all crediting Omura. 1998 Canteaut–Sendrier. Same c 0 Lee–Brickell. 2008 Bernstein–Lange–Peters. Leon. 2009 Bernstein–Lange–Peters– Krouk. van Tilborg. Stern. 2009 Finiasz–Sendrier. Dumer. 2011 Bernstein–Lange–Peters. Coffey–Goodman. 2011 May–Meurer–Thomae. van Tilburg. 2012 Becker–Joux–May–Meurer. Dumer. 2013 Hamdaoui–Sendrier. Coffey–Goodman–Farrell. 2015 May–Ozerov. Chabanne–Courteau. 2016 Canto Torres–Sendrier.

  22. 7 8 publications 1993 Chabaud. The McEliece system uses ( c 0 + o (1)) – 2 ayness of system: 1994 van Tilburg. 1994 Canteaut–Chabanne. as – → ∞ to achieve k–Cain, 1998 Canteaut–Chabaud. against all attacks Omura. 1998 Canteaut–Sendrier. Same c 0 ≈ 0 : 7418860694. ell. 2008 Bernstein–Lange–Peters. 2009 Bernstein–Lange–Peters– van Tilborg. 2009 Finiasz–Sendrier. 2011 Bernstein–Lange–Peters. odman. 2011 May–Meurer–Thomae. urg. 2012 Becker–Joux–May–Meurer. 2013 Hamdaoui–Sendrier. odman–Farrell. 2015 May–Ozerov. Chabanne–Courteau. 2016 Canto Torres–Sendrier.

  23. 7 8 publications 1993 Chabaud. The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit system: 1994 van Tilburg. as – → ∞ to achieve 2 – securit 1994 Canteaut–Chabanne. 1998 Canteaut–Chabaud. against all attacks known to 1998 Canteaut–Sendrier. Same c 0 ≈ 0 : 7418860694. 2008 Bernstein–Lange–Peters. 2009 Bernstein–Lange–Peters– van Tilborg. 2009 Finiasz–Sendrier. 2011 Bernstein–Lange–Peters. 2011 May–Meurer–Thomae. 2012 Becker–Joux–May–Meurer. 2013 Hamdaoui–Sendrier. rrell. 2015 May–Ozerov. Chabanne–Courteau. 2016 Canto Torres–Sendrier.

  24. 8 9 1993 Chabaud. The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys 1994 van Tilburg. as – → ∞ to achieve 2 – security 1994 Canteaut–Chabanne. 1998 Canteaut–Chabaud. against all attacks known today. 1998 Canteaut–Sendrier. Same c 0 ≈ 0 : 7418860694. 2008 Bernstein–Lange–Peters. 2009 Bernstein–Lange–Peters– van Tilborg. 2009 Finiasz–Sendrier. 2011 Bernstein–Lange–Peters. 2011 May–Meurer–Thomae. 2012 Becker–Joux–May–Meurer. 2013 Hamdaoui–Sendrier. 2015 May–Ozerov. 2016 Canto Torres–Sendrier.

  25. 8 9 1993 Chabaud. The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys 1994 van Tilburg. as – → ∞ to achieve 2 – security 1994 Canteaut–Chabanne. 1998 Canteaut–Chabaud. against all attacks known today. 1998 Canteaut–Sendrier. Same c 0 ≈ 0 : 7418860694. 2008 Bernstein–Lange–Peters. Replacing – with 2 – 2009 Bernstein–Lange–Peters– stops all known quantum attacks van Tilborg. (and is probably massive overkill), 2009 Finiasz–Sendrier. as in symmetric crypto. 2011 Bernstein–Lange–Peters. 2011 May–Meurer–Thomae. 2012 Becker–Joux–May–Meurer. 2013 Hamdaoui–Sendrier. 2015 May–Ozerov. 2016 Canto Torres–Sendrier.

  26. 8 9 1993 Chabaud. The McEliece system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys 1994 van Tilburg. as – → ∞ to achieve 2 – security 1994 Canteaut–Chabanne. 1998 Canteaut–Chabaud. against all attacks known today. 1998 Canteaut–Sendrier. Same c 0 ≈ 0 : 7418860694. 2008 Bernstein–Lange–Peters. Replacing – with 2 – 2009 Bernstein–Lange–Peters– stops all known quantum attacks van Tilborg. (and is probably massive overkill), 2009 Finiasz–Sendrier. as in symmetric crypto. 2011 Bernstein–Lange–Peters. mceliece6960119 parameter set 2011 May–Meurer–Thomae. (2008 Bernstein–Lange–Peters): 2012 Becker–Joux–May–Meurer. q = 8192, n = 6960, w = 119. 2013 Hamdaoui–Sendrier. 2015 May–Ozerov. Also in submission: 8192128 , 2016 Canto Torres–Sendrier. 6688128 , 460896 , 348864 .

  27. 8 9 Chabaud. The McEliece system McEliece’s uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys van Tilburg. huge amount as – → ∞ to achieve 2 – security Canteaut–Chabanne. Some wo Canteaut–Chabaud. against all attacks known today. while clea Canteaut–Sendrier. Same c 0 ≈ 0 : 7418860694. e.g., Niederreiter’s Bernstein–Lange–Peters. Replacing – with 2 – e.g., many Bernstein–Lange–Peters– stops all known quantum attacks Classic McEliec van Tilborg. (and is probably massive overkill), Finiasz–Sendrier. as in symmetric crypto. Bernstein–Lange–Peters. mceliece6960119 parameter set May–Meurer–Thomae. (2008 Bernstein–Lange–Peters): Becker–Joux–May–Meurer. q = 8192, n = 6960, w = 119. Hamdaoui–Sendrier. May–Ozerov. Also in submission: 8192128 , Canto Torres–Sendrier. 6688128 , 460896 , 348864 .

  28. 8 9 The McEliece system McEliece’s system uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys rg. huge amount of follo as – → ∞ to achieve 2 – security Canteaut–Chabanne. Some work improves Canteaut–Chabaud. against all attacks known today. while clearly preserving Canteaut–Sendrier. Same c 0 ≈ 0 : 7418860694. e.g., Niederreiter’s Bernstein–Lange–Peters. Replacing – with 2 – e.g., many decoding Bernstein–Lange–Peters– stops all known quantum attacks Classic McEliece uses rg. (and is probably massive overkill), Finiasz–Sendrier. as in symmetric crypto. Bernstein–Lange–Peters. mceliece6960119 parameter set y–Meurer–Thomae. (2008 Bernstein–Lange–Peters): er–Joux–May–Meurer. q = 8192, n = 6960, w = 119. Hamdaoui–Sendrier. y–Ozerov. Also in submission: 8192128 , rres–Sendrier. 6688128 , 460896 , 348864 .

  29. 8 9 The McEliece system McEliece’s system prompted uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys huge amount of followup wo as – → ∞ to achieve 2 – security Canteaut–Chabanne. Some work improves efficiency against all attacks known today. while clearly preserving secur Same c 0 ≈ 0 : 7418860694. e.g., Niederreiter’s dual PKE; eters. Replacing – with 2 – e.g., many decoding speedups. eters– stops all known quantum attacks Classic McEliece uses all this. (and is probably massive overkill), as in symmetric crypto. eters. mceliece6960119 parameter set ae. (2008 Bernstein–Lange–Peters): y–Meurer. q = 8192, n = 6960, w = 119. Also in submission: 8192128 , rres–Sendrier. 6688128 , 460896 , 348864 .

  30. 9 10 The McEliece system McEliece’s system prompted a uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys huge amount of followup work. as – → ∞ to achieve 2 – security Some work improves efficiency against all attacks known today. while clearly preserving security: Same c 0 ≈ 0 : 7418860694. e.g., Niederreiter’s dual PKE; Replacing – with 2 – e.g., many decoding speedups. stops all known quantum attacks Classic McEliece uses all this. (and is probably massive overkill), as in symmetric crypto. mceliece6960119 parameter set (2008 Bernstein–Lange–Peters): q = 8192, n = 6960, w = 119. Also in submission: 8192128 , 6688128 , 460896 , 348864 .

  31. 9 10 The McEliece system McEliece’s system prompted a uses ( c 0 + o (1)) – 2 (lg – ) 2 -bit keys huge amount of followup work. as – → ∞ to achieve 2 – security Some work improves efficiency against all attacks known today. while clearly preserving security: Same c 0 ≈ 0 : 7418860694. e.g., Niederreiter’s dual PKE; Replacing – with 2 – e.g., many decoding speedups. stops all known quantum attacks Classic McEliece uses all this. (and is probably massive overkill), Classic McEliece does not use as in symmetric crypto. variants whose security has not mceliece6960119 parameter set been studied as thoroughly: (2008 Bernstein–Lange–Peters): e.g., replacing binary Goppa codes q = 8192, n = 6960, w = 119. with other families of codes; e.g., lattice-based cryptography. Also in submission: 8192128 , 6688128 , 460896 , 348864 .

  32. 9 10 McEliece system McEliece’s system prompted a Niederreiter 0 + o (1)) – 2 (lg – ) 2 -bit keys huge amount of followup work. Generato ∞ to achieve 2 – security Some work improves efficiency of length against all attacks known today. while clearly preserving security: n × k matrix c 0 ≈ 0 : 7418860694. e.g., Niederreiter’s dual PKE; McEliece Replacing – with 2 – e.g., many decoding speedups. random k all known quantum attacks Classic McEliece uses all this. is probably massive overkill), Classic McEliece does not use symmetric crypto. variants whose security has not mceliece6960119 parameter set been studied as thoroughly: Bernstein–Lange–Peters): e.g., replacing binary Goppa codes 8192, n = 6960, w = 119. with other families of codes; e.g., lattice-based cryptography. submission: 8192128 , 6688128 , 460896 , 348864 .

  33. 9 10 system McEliece’s system prompted a Niederreiter key comp – 2 (lg – ) 2 -bit keys huge amount of followup work. Generator matrix fo achieve 2 – security Some work improves efficiency of length n and dimension attacks known today. while clearly preserving security: n × k matrix G with 7418860694. e.g., Niederreiter’s dual PKE; McEliece public key: 2 – e.g., many decoding speedups. random k × k invertible quantum attacks Classic McEliece uses all this. massive overkill), Classic McEliece does not use crypto. variants whose security has not mceliece6960119 parameter set been studied as thoroughly: Bernstein–Lange–Peters): e.g., replacing binary Goppa codes 6960, w = 119. with other families of codes; e.g., lattice-based cryptography. submission: 8192128 , , 348864 .

  34. 9 10 McEliece’s system prompted a Niederreiter key compression -bit keys huge amount of followup work. Generator matrix for code Γ security Some work improves efficiency of length n and dimension k today. while clearly preserving security: n × k matrix G with Γ = G · e.g., Niederreiter’s dual PKE; McEliece public key: G times e.g., many decoding speedups. random k × k invertible matrix. attacks Classic McEliece uses all this. overkill), Classic McEliece does not use variants whose security has not rameter set been studied as thoroughly: eters): e.g., replacing binary Goppa codes 119. with other families of codes; e.g., lattice-based cryptography. 8192128 , .

  35. 10 11 McEliece’s system prompted a Niederreiter key compression huge amount of followup work. Generator matrix for code Γ Some work improves efficiency of length n and dimension k : n × k matrix G with Γ = G · F k while clearly preserving security: 2 . e.g., Niederreiter’s dual PKE; McEliece public key: G times e.g., many decoding speedups. random k × k invertible matrix. Classic McEliece uses all this. Classic McEliece does not use variants whose security has not been studied as thoroughly: e.g., replacing binary Goppa codes with other families of codes; e.g., lattice-based cryptography.

  36. 10 11 McEliece’s system prompted a Niederreiter key compression huge amount of followup work. Generator matrix for code Γ Some work improves efficiency of length n and dimension k : n × k matrix G with Γ = G · F k while clearly preserving security: 2 . e.g., Niederreiter’s dual PKE; McEliece public key: G times e.g., many decoding speedups. random k × k invertible matrix. Classic McEliece uses all this. Niederreiter instead reduces G Classic McEliece does not use to the unique generator matrix variants whose security has not in “systematic form”: bottom k been studied as thoroughly: rows are k × k identity matrix I k . e.g., replacing binary Goppa codes Public key T is top n − k rows. with other families of codes; e.g., lattice-based cryptography.

  37. 10 11 McEliece’s system prompted a Niederreiter key compression huge amount of followup work. Generator matrix for code Γ Some work improves efficiency of length n and dimension k : n × k matrix G with Γ = G · F k while clearly preserving security: 2 . e.g., Niederreiter’s dual PKE; McEliece public key: G times e.g., many decoding speedups. random k × k invertible matrix. Classic McEliece uses all this. Niederreiter instead reduces G Classic McEliece does not use to the unique generator matrix variants whose security has not in “systematic form”: bottom k been studied as thoroughly: rows are k × k identity matrix I k . e.g., replacing binary Goppa codes Public key T is top n − k rows. with other families of codes; Pr ≈ 29% that systematic form e.g., lattice-based cryptography. exists. Security loss: < 2 bits.

  38. 10 11 McEliece’s system prompted a Niederreiter key compression Niederreiter amount of followup work. Generator matrix for code Γ Use Niede work improves efficiency of length n and dimension k : n × k matrix G with Γ = G · F k McEliece clearly preserving security: 2 . Niederreiter’s dual PKE; McEliece public key: G times many decoding speedups. random k × k invertible matrix. McEliece uses all this. Niederreiter instead reduces G McEliece does not use to the unique generator matrix riants whose security has not in “systematic form”: bottom k studied as thoroughly: rows are k × k identity matrix I k . replacing binary Goppa codes Public key T is top n − k rows. other families of codes; Pr ≈ 29% that systematic form lattice-based cryptography. exists. Security loss: < 2 bits.

  39. 10 11 system prompted a Niederreiter key compression Niederreiter ciphertext followup work. Generator matrix for code Γ Use Niederreiter key roves efficiency of length n and dimension k : n × k matrix G with Γ = G · F k McEliece ciphertext: reserving security: 2 . Niederreiter’s dual PKE; McEliece public key: G times ding speedups. random k × k invertible matrix. uses all this. Niederreiter instead reduces G does not use to the unique generator matrix security has not in “systematic form”: bottom k thoroughly: rows are k × k identity matrix I k . binary Goppa codes Public key T is top n − k rows. families of codes; Pr ≈ 29% that systematic form lattice-based cryptography. exists. Security loss: < 2 bits.

  40. 10 11 rompted a Niederreiter key compression Niederreiter ciphertext comp work. „ T Generator matrix for code Γ Use Niederreiter key A = I efficiency of length n and dimension k : n × k matrix G with Γ = G · F k McEliece ciphertext: As + e curity: 2 . PKE; McEliece public key: G times edups. random k × k invertible matrix. this. Niederreiter instead reduces G use to the unique generator matrix has not in “systematic form”: bottom k roughly: rows are k × k identity matrix I k . Goppa codes Public key T is top n − k rows. des; Pr ≈ 29% that systematic form cryptography. exists. Security loss: < 2 bits.

  41. 11 12 Niederreiter key compression Niederreiter ciphertext compression „ « T Generator matrix for code Γ Use Niederreiter key A = . I k of length n and dimension k : McEliece ciphertext: As + e ∈ F n n × k matrix G with Γ = G · F k 2 . 2 . McEliece public key: G times random k × k invertible matrix. Niederreiter instead reduces G to the unique generator matrix in “systematic form”: bottom k rows are k × k identity matrix I k . Public key T is top n − k rows. Pr ≈ 29% that systematic form exists. Security loss: < 2 bits.

  42. 11 12 Niederreiter key compression Niederreiter ciphertext compression „ « T Generator matrix for code Γ Use Niederreiter key A = . I k of length n and dimension k : McEliece ciphertext: As + e ∈ F n n × k matrix G with Γ = G · F k 2 . 2 . Niederreiter ciphertext, shorter: McEliece public key: G times He ∈ F n − k where H = ( I n − k | T ). random k × k invertible matrix. 2 Niederreiter instead reduces G to the unique generator matrix in “systematic form”: bottom k rows are k × k identity matrix I k . Public key T is top n − k rows. Pr ≈ 29% that systematic form exists. Security loss: < 2 bits.

  43. 11 12 Niederreiter key compression Niederreiter ciphertext compression „ « T Generator matrix for code Γ Use Niederreiter key A = . I k of length n and dimension k : McEliece ciphertext: As + e ∈ F n n × k matrix G with Γ = G · F k 2 . 2 . Niederreiter ciphertext, shorter: McEliece public key: G times He ∈ F n − k where H = ( I n − k | T ). random k × k invertible matrix. 2 Given H and Niederreiter’s He , Niederreiter instead reduces G can attacker efficiently find e ? to the unique generator matrix in “systematic form”: bottom k rows are k × k identity matrix I k . Public key T is top n − k rows. Pr ≈ 29% that systematic form exists. Security loss: < 2 bits.

  44. 11 12 Niederreiter key compression Niederreiter ciphertext compression „ « T Generator matrix for code Γ Use Niederreiter key A = . I k of length n and dimension k : McEliece ciphertext: As + e ∈ F n n × k matrix G with Γ = G · F k 2 . 2 . Niederreiter ciphertext, shorter: McEliece public key: G times He ∈ F n − k where H = ( I n − k | T ). random k × k invertible matrix. 2 Given H and Niederreiter’s He , Niederreiter instead reduces G can attacker efficiently find e ? to the unique generator matrix in “systematic form”: bottom k If so, attacker can efficiently rows are k × k identity matrix I k . find s; e given A and As + e : Public key T is top n − k rows. compute H ( As + e ) = He ; find e ; compute s from As . Pr ≈ 29% that systematic form exists. Security loss: < 2 bits.

  45. 11 12 Niederreiter key compression Niederreiter ciphertext compression The immaturit „ « T Generator matrix for code Γ Case study: Use Niederreiter key A = . I k length n and dimension k : the most McEliece ciphertext: As + e ∈ F n matrix G with Γ = G · F k 2 . 2 . 2006 Silverman: Niederreiter ciphertext, shorter: McEliece public key: G times and CVP He ∈ F n − k where H = ( I n − k | T ). k × k invertible matrix. studied fo 2 both as intrinsic Given H and Niederreiter’s He , Niederreiter instead reduces G problems can attacker efficiently find e ? unique generator matrix pure and “systematic form”: bottom k If so, attacker can efficiently physics and re k × k identity matrix I k . find s; e given A and As + e : key T is top n − k rows. compute H ( As + e ) = He ; find e ; compute s from As . 29% that systematic form Security loss: < 2 bits.

  46. 11 12 compression Niederreiter ciphertext compression The immaturity of „ « T ix for code Γ Case study: SVP, Use Niederreiter key A = . I k dimension k : the most famous lattice McEliece ciphertext: As + e ∈ F n with Γ = G · F k 2 . 2 . 2006 Silverman: “Lattices, Niederreiter ciphertext, shorter: key: G times and CVP, have been He ∈ F n − k where H = ( I n − k | T ). invertible matrix. studied for more than 2 both as intrinsic mathematical Given H and Niederreiter’s He , instead reduces G problems and for applications can attacker efficiently find e ? generator matrix pure and applied mathematics, form”: bottom k If so, attacker can efficiently physics and cryptograph identity matrix I k . find s; e given A and As + e : top n − k rows. compute H ( As + e ) = He ; find e ; compute s from As . systematic form loss: < 2 bits.

  47. 11 12 ression Niederreiter ciphertext compression The immaturity of lattice attacks „ « T Γ Case study: SVP, Use Niederreiter key A = . I k k : the most famous lattice problem. McEliece ciphertext: As + e ∈ F n · F k 2 . 2 . 2006 Silverman: “Lattices, SVP Niederreiter ciphertext, shorter: times and CVP, have been intensively He ∈ F n − k where H = ( I n − k | T ). matrix. studied for more than 100 yea 2 both as intrinsic mathematical Given H and Niederreiter’s He , reduces G problems and for applications can attacker efficiently find e ? matrix pure and applied mathematics, ottom k If so, attacker can efficiently physics and cryptography.” matrix I k . find s; e given A and As + e : rows. compute H ( As + e ) = He ; find e ; compute s from As . form bits.

  48. 12 13 Niederreiter ciphertext compression The immaturity of lattice attacks „ « T Case study: SVP, Use Niederreiter key A = . I k the most famous lattice problem. McEliece ciphertext: As + e ∈ F n 2 . 2006 Silverman: “Lattices, SVP Niederreiter ciphertext, shorter: and CVP, have been intensively He ∈ F n − k where H = ( I n − k | T ). studied for more than 100 years, 2 both as intrinsic mathematical Given H and Niederreiter’s He , problems and for applications in can attacker efficiently find e ? pure and applied mathematics, If so, attacker can efficiently physics and cryptography.” find s; e given A and As + e : compute H ( As + e ) = He ; find e ; compute s from As .

  49. 12 13 Niederreiter ciphertext compression The immaturity of lattice attacks „ « T Case study: SVP, Use Niederreiter key A = . I k the most famous lattice problem. McEliece ciphertext: As + e ∈ F n 2 . 2006 Silverman: “Lattices, SVP Niederreiter ciphertext, shorter: and CVP, have been intensively He ∈ F n − k where H = ( I n − k | T ). studied for more than 100 years, 2 both as intrinsic mathematical Given H and Niederreiter’s He , problems and for applications in can attacker efficiently find e ? pure and applied mathematics, If so, attacker can efficiently physics and cryptography.” find s; e given A and As + e : Best SVP algorithms known compute H ( As + e ) = He ; by 2000: time 2 Θ( N log N ) for find e ; compute s from As . almost all dimension- N lattices.

  50. 12 13 Niederreiter ciphertext compression The immaturity of lattice attacks Best SVP today: 2 „ « T Case study: SVP, Niederreiter key A = . I k the most famous lattice problem. Approx c McEliece ciphertext: As + e ∈ F n 2 . believed 2006 Silverman: “Lattices, SVP 0 : 415: 2008 Niederreiter ciphertext, shorter: and CVP, have been intensively 0 : 415: 2010 F n − k where H = ( I n − k | T ). studied for more than 100 years, 2 both as intrinsic mathematical H and Niederreiter’s He , problems and for applications in attacker efficiently find e ? pure and applied mathematics, attacker can efficiently physics and cryptography.” e given A and As + e : Best SVP algorithms known compute H ( As + e ) = He ; by 2000: time 2 Θ( N log N ) for compute s from As . almost all dimension- N lattices.

  51. 12 13 ciphertext compression The immaturity of lattice attacks Best SVP algorithms today: 2 Θ( N ) . „ « T Case study: SVP, key A = . I k the most famous lattice problem. Approx c for some ciphertext: As + e ∈ F n 2 . believed to take time 2006 Silverman: “Lattices, SVP 0 : 415: 2008 Nguyen–Vidi ciphertext, shorter: and CVP, have been intensively 0 : 415: 2010 Micciancio–V where H = ( I n − k | T ). studied for more than 100 years, both as intrinsic mathematical Niederreiter’s He , problems and for applications in efficiently find e ? pure and applied mathematics, can efficiently physics and cryptography.” and As + e : Best SVP algorithms known e ) = He ; by 2000: time 2 Θ( N log N ) for s from As . almost all dimension- N lattices.

  52. 12 13 compression The immaturity of lattice attacks Best SVP algorithms known today: 2 Θ( N ) . „ « T Case study: SVP, . I k the most famous lattice problem. Approx c for some algorithms e ∈ F n believed to take time 2 ( c + o (1)) 2 . 2006 Silverman: “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. shorter: and CVP, have been intensively 0 : 415: 2010 Micciancio–Voulga − k | T ). studied for more than 100 years, both as intrinsic mathematical Niederreiter’s He , problems and for applications in find e ? pure and applied mathematics, efficiently physics and cryptography.” e : Best SVP algorithms known ; by 2000: time 2 Θ( N log N ) for . almost all dimension- N lattices.

  53. 13 14 The immaturity of lattice attacks Best SVP algorithms known today: 2 Θ( N ) . Case study: SVP, the most famous lattice problem. Approx c for some algorithms believed to take time 2 ( c + o (1)) N : 2006 Silverman: “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. and CVP, have been intensively 0 : 415: 2010 Micciancio–Voulgaris. studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography.” Best SVP algorithms known by 2000: time 2 Θ( N log N ) for almost all dimension- N lattices.

  54. 13 14 The immaturity of lattice attacks Best SVP algorithms known today: 2 Θ( N ) . Case study: SVP, the most famous lattice problem. Approx c for some algorithms believed to take time 2 ( c + o (1)) N : 2006 Silverman: “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. and CVP, have been intensively 0 : 415: 2010 Micciancio–Voulgaris. studied for more than 100 years, 0 : 384: 2011 Wang–Liu–Tian–Bi. both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography.” Best SVP algorithms known by 2000: time 2 Θ( N log N ) for almost all dimension- N lattices.

  55. 13 14 The immaturity of lattice attacks Best SVP algorithms known today: 2 Θ( N ) . Case study: SVP, the most famous lattice problem. Approx c for some algorithms believed to take time 2 ( c + o (1)) N : 2006 Silverman: “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. and CVP, have been intensively 0 : 415: 2010 Micciancio–Voulgaris. studied for more than 100 years, 0 : 384: 2011 Wang–Liu–Tian–Bi. both as intrinsic mathematical 0 : 378: 2013 Zhang–Pan–Hu. problems and for applications in pure and applied mathematics, physics and cryptography.” Best SVP algorithms known by 2000: time 2 Θ( N log N ) for almost all dimension- N lattices.

  56. 13 14 The immaturity of lattice attacks Best SVP algorithms known today: 2 Θ( N ) . Case study: SVP, the most famous lattice problem. Approx c for some algorithms believed to take time 2 ( c + o (1)) N : 2006 Silverman: “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. and CVP, have been intensively 0 : 415: 2010 Micciancio–Voulgaris. studied for more than 100 years, 0 : 384: 2011 Wang–Liu–Tian–Bi. both as intrinsic mathematical 0 : 378: 2013 Zhang–Pan–Hu. problems and for applications in 0 : 337: 2014 Laarhoven. pure and applied mathematics, physics and cryptography.” Best SVP algorithms known by 2000: time 2 Θ( N log N ) for almost all dimension- N lattices.

  57. 13 14 The immaturity of lattice attacks Best SVP algorithms known today: 2 Θ( N ) . Case study: SVP, the most famous lattice problem. Approx c for some algorithms believed to take time 2 ( c + o (1)) N : 2006 Silverman: “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. and CVP, have been intensively 0 : 415: 2010 Micciancio–Voulgaris. studied for more than 100 years, 0 : 384: 2011 Wang–Liu–Tian–Bi. both as intrinsic mathematical 0 : 378: 2013 Zhang–Pan–Hu. problems and for applications in 0 : 337: 2014 Laarhoven. pure and applied mathematics, 0 : 298: 2015 Laarhoven–de Weger. physics and cryptography.” 0 : 292: 2015 Becker–Ducas– Best SVP algorithms known Gama–Laarhoven. by 2000: time 2 Θ( N log N ) for almost all dimension- N lattices.

  58. 13 14 The immaturity of lattice attacks Best SVP algorithms known today: 2 Θ( N ) . Case study: SVP, the most famous lattice problem. Approx c for some algorithms believed to take time 2 ( c + o (1)) N : 2006 Silverman: “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. and CVP, have been intensively 0 : 415: 2010 Micciancio–Voulgaris. studied for more than 100 years, 0 : 384: 2011 Wang–Liu–Tian–Bi. both as intrinsic mathematical 0 : 378: 2013 Zhang–Pan–Hu. problems and for applications in 0 : 337: 2014 Laarhoven. pure and applied mathematics, 0 : 298: 2015 Laarhoven–de Weger. physics and cryptography.” 0 : 292: 2015 Becker–Ducas– Best SVP algorithms known Gama–Laarhoven. by 2000: time 2 Θ( N log N ) for Lattice crypto: more attack almost all dimension- N lattices. avenues; even less understanding.

  59. 13 14 immaturity of lattice attacks Best SVP algorithms known Agility, diversit today: 2 Θ( N ) . study: SVP, “You think most famous lattice problem. Approx c for some algorithms That’s crazy! believed to take time 2 ( c + o (1)) N : Silverman: “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. CVP, have been intensively 0 : 415: 2010 Micciancio–Voulgaris. studied for more than 100 years, 0 : 384: 2011 Wang–Liu–Tian–Bi. as intrinsic mathematical 0 : 378: 2013 Zhang–Pan–Hu. roblems and for applications in 0 : 337: 2014 Laarhoven. and applied mathematics, 0 : 298: 2015 Laarhoven–de Weger. physics and cryptography.” 0 : 292: 2015 Becker–Ducas– SVP algorithms known Gama–Laarhoven. 2000: time 2 Θ( N log N ) for Lattice crypto: more attack all dimension- N lattices. avenues; even less understanding.

  60. 13 14 of lattice attacks Best SVP algorithms known Agility, diversity, etc. today: 2 Θ( N ) . , “You think there can famous lattice problem. Approx c for some algorithms That’s crazy! We believed to take time 2 ( c + o (1)) N : “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. een intensively 0 : 415: 2010 Micciancio–Voulgaris. than 100 years, 0 : 384: 2011 Wang–Liu–Tian–Bi. mathematical 0 : 378: 2013 Zhang–Pan–Hu. r applications in 0 : 337: 2014 Laarhoven. mathematics, 0 : 298: 2015 Laarhoven–de Weger. cryptography.” 0 : 292: 2015 Becker–Ducas– rithms known Gama–Laarhoven. Θ( N log N ) for Lattice crypto: more attack dimension- N lattices. avenues; even less understanding.

  61. 13 14 attacks Best SVP algorithms known Agility, diversity, etc. today: 2 Θ( N ) . “You think there can be only roblem. Approx c for some algorithms That’s crazy! We need backups!” believed to take time 2 ( c + o (1)) N : “Lattices, SVP 0 : 415: 2008 Nguyen–Vidick. nsively 0 : 415: 2010 Micciancio–Voulgaris. years, 0 : 384: 2011 Wang–Liu–Tian–Bi. mathematical 0 : 378: 2013 Zhang–Pan–Hu. applications in 0 : 337: 2014 Laarhoven. mathematics, 0 : 298: 2015 Laarhoven–de Weger. .” 0 : 292: 2015 Becker–Ducas– wn Gama–Laarhoven. for Lattice crypto: more attack lattices. avenues; even less understanding.

  62. 14 15 Best SVP algorithms known Agility, diversity, etc. today: 2 Θ( N ) . “You think there can be only one? Approx c for some algorithms That’s crazy! We need backups!” believed to take time 2 ( c + o (1)) N : 0 : 415: 2008 Nguyen–Vidick. 0 : 415: 2010 Micciancio–Voulgaris. 0 : 384: 2011 Wang–Liu–Tian–Bi. 0 : 378: 2013 Zhang–Pan–Hu. 0 : 337: 2014 Laarhoven. 0 : 298: 2015 Laarhoven–de Weger. 0 : 292: 2015 Becker–Ducas– Gama–Laarhoven. Lattice crypto: more attack avenues; even less understanding.

  63. 14 15 Best SVP algorithms known Agility, diversity, etc. today: 2 Θ( N ) . “You think there can be only one? Approx c for some algorithms That’s crazy! We need backups!” believed to take time 2 ( c + o (1)) N : McEliece has lower risk than 0 : 415: 2008 Nguyen–Vidick. lattice-based crypto. This doesn’t 0 : 415: 2010 Micciancio–Voulgaris. mean that McEliece has zero risk. 0 : 384: 2011 Wang–Liu–Tian–Bi. 0 : 378: 2013 Zhang–Pan–Hu. 0 : 337: 2014 Laarhoven. 0 : 298: 2015 Laarhoven–de Weger. 0 : 292: 2015 Becker–Ducas– Gama–Laarhoven. Lattice crypto: more attack avenues; even less understanding.

  64. 14 15 Best SVP algorithms known Agility, diversity, etc. today: 2 Θ( N ) . “You think there can be only one? Approx c for some algorithms That’s crazy! We need backups!” believed to take time 2 ( c + o (1)) N : McEliece has lower risk than 0 : 415: 2008 Nguyen–Vidick. lattice-based crypto. This doesn’t 0 : 415: 2010 Micciancio–Voulgaris. mean that McEliece has zero risk. 0 : 384: 2011 Wang–Liu–Tian–Bi. But there are also risks in 0 : 378: 2013 Zhang–Pan–Hu. standardizing more options: e.g., 0 : 337: 2014 Laarhoven. vulnerabilities are missed because 0 : 298: 2015 Laarhoven–de Weger. cryptanalysts and implementors 0 : 292: 2015 Becker–Ducas– are spreading attention too thin. Gama–Laarhoven. Lattice crypto: more attack avenues; even less understanding.

  65. 14 15 Best SVP algorithms known Agility, diversity, etc. today: 2 Θ( N ) . “You think there can be only one? Approx c for some algorithms That’s crazy! We need backups!” believed to take time 2 ( c + o (1)) N : McEliece has lower risk than 0 : 415: 2008 Nguyen–Vidick. lattice-based crypto. This doesn’t 0 : 415: 2010 Micciancio–Voulgaris. mean that McEliece has zero risk. 0 : 384: 2011 Wang–Liu–Tian–Bi. But there are also risks in 0 : 378: 2013 Zhang–Pan–Hu. standardizing more options: e.g., 0 : 337: 2014 Laarhoven. vulnerabilities are missed because 0 : 298: 2015 Laarhoven–de Weger. cryptanalysts and implementors 0 : 292: 2015 Becker–Ducas– are spreading attention too thin. Gama–Laarhoven. OCB2 was published in 2004; Lattice crypto: more attack standardized by ISO in 2009; avenues; even less understanding. complete break published in 2018.

  66. 14 15 SVP algorithms known Agility, diversity, etc. Integrity 2 Θ( N ) . “You think there can be only one? “You want x c for some algorithms That’s crazy! We need backups!” That’s crazy! elieved to take time 2 ( c + o (1)) N : post-quantum McEliece has lower risk than 2008 Nguyen–Vidick. lattice-based crypto. This doesn’t 2010 Micciancio–Voulgaris. mean that McEliece has zero risk. 2011 Wang–Liu–Tian–Bi. But there are also risks in 2013 Zhang–Pan–Hu. standardizing more options: e.g., 2014 Laarhoven. vulnerabilities are missed because 2015 Laarhoven–de Weger. cryptanalysts and implementors 2015 Becker–Ducas– are spreading attention too thin. Gama–Laarhoven. OCB2 was published in 2004; Lattice crypto: more attack standardized by ISO in 2009; avenues; even less understanding. complete break published in 2018.

  67. 14 15 rithms known Agility, diversity, etc. Integrity “You think there can be only one? “You want just encryption? e algorithms That’s crazy! We need backups!” That’s crazy! Obviously time 2 ( c + o (1)) N : post-quantum signatures McEliece has lower risk than Nguyen–Vidick. lattice-based crypto. This doesn’t Micciancio–Voulgaris. mean that McEliece has zero risk. ang–Liu–Tian–Bi. But there are also risks in Zhang–Pan–Hu. standardizing more options: e.g., rhoven. vulnerabilities are missed because rhoven–de Weger. cryptanalysts and implementors Becker–Ducas– are spreading attention too thin. Gama–Laarhoven. OCB2 was published in 2004; more attack standardized by ISO in 2009; less understanding. complete break published in 2018.

  68. 14 15 wn Agility, diversity, etc. Integrity “You think there can be only one? “You want just encryption? rithms That’s crazy! We need backups!” That’s crazy! Obviously we o (1)) N : post-quantum signatures too!” McEliece has lower risk than k. lattice-based crypto. This doesn’t oulgaris. mean that McEliece has zero risk. ang–Liu–Tian–Bi. But there are also risks in an–Hu. standardizing more options: e.g., vulnerabilities are missed because Weger. cryptanalysts and implementors er–Ducas– are spreading attention too thin. OCB2 was published in 2004; attack standardized by ISO in 2009; understanding. complete break published in 2018.

  69. 15 16 Agility, diversity, etc. Integrity “You think there can be only one? “You want just encryption? That’s crazy! We need backups!” That’s crazy! Obviously we need post-quantum signatures too!” McEliece has lower risk than lattice-based crypto. This doesn’t mean that McEliece has zero risk. But there are also risks in standardizing more options: e.g., vulnerabilities are missed because cryptanalysts and implementors are spreading attention too thin. OCB2 was published in 2004; standardized by ISO in 2009; complete break published in 2018.

  70. 15 16 Agility, diversity, etc. Integrity “You think there can be only one? “You want just encryption? That’s crazy! We need backups!” That’s crazy! Obviously we need post-quantum signatures too!” McEliece has lower risk than lattice-based crypto. This doesn’t Example: Google’s NewHope mean that McEliece has zero risk. experiment, modification of TLS. • Server → client: E , But there are also risks in one-time NewHope public key. standardizing more options: e.g., • Client → server: vulnerabilities are missed because AES-GCM key encrypted to E . cryptanalysts and implementors • Server signs key exchange are spreading attention too thin. under its long-term RSA key. OCB2 was published in 2004; standardized by ISO in 2009; complete break published in 2018.

  71. 15 16 Agility, diversity, etc. Integrity “You think there can be only one? “You want just encryption? That’s crazy! We need backups!” That’s crazy! Obviously we need post-quantum signatures too!” McEliece has lower risk than lattice-based crypto. This doesn’t Example: Google’s NewHope mean that McEliece has zero risk. experiment, modification of TLS. • Server → client: E , But there are also risks in one-time NewHope public key. standardizing more options: e.g., • Client → server: vulnerabilities are missed because AES-GCM key encrypted to E . cryptanalysts and implementors • Server signs key exchange are spreading attention too thin. under its long-term RSA key. OCB2 was published in 2004; standardized by ISO in 2009; Must upgrade this protocol before complete break published in 2018. attacker has quantum computer.

  72. 15 16 , diversity, etc. Integrity More general Server signs think there can be only one? “You want just encryption? server’s long-term crazy! We need backups!” That’s crazy! Obviously we need Client verifies post-quantum signatures too!” McEliece has lower risk than lattice-based crypto. This doesn’t Example: Google’s NewHope that McEliece has zero risk. experiment, modification of TLS. • Server → client: E , there are also risks in one-time NewHope public key. rdizing more options: e.g., • Client → server: vulnerabilities are missed because AES-GCM key encrypted to E . cryptanalysts and implementors • Server signs key exchange reading attention too thin. under its long-term RSA key. was published in 2004; rdized by ISO in 2009; Must upgrade this protocol before complete break published in 2018. attacker has quantum computer.

  73. 15 16 etc. Integrity More general signature Server signs message can be only one? “You want just encryption? server’s long-term e need backups!” That’s crazy! Obviously we need Client verifies signature. post-quantum signatures too!” er risk than crypto. This doesn’t Example: Google’s NewHope McEliece has zero risk. experiment, modification of TLS. • Server → client: E , also risks in one-time NewHope public key. more options: e.g., • Client → server: re missed because AES-GCM key encrypted to E . and implementors • Server signs key exchange attention too thin. under its long-term RSA key. published in 2004; ISO in 2009; Must upgrade this protocol before published in 2018. attacker has quantum computer.

  74. 15 16 Integrity More general signature situation: Server signs message m under only one? “You want just encryption? server’s long-term signature backups!” That’s crazy! Obviously we need Client verifies signature. post-quantum signatures too!” than doesn’t Example: Google’s NewHope zero risk. experiment, modification of TLS. • Server → client: E , one-time NewHope public key. options: e.g., • Client → server: ecause AES-GCM key encrypted to E . implementors • Server signs key exchange o thin. under its long-term RSA key. 2004; 2009; Must upgrade this protocol before in 2018. attacker has quantum computer.

  75. 16 17 Integrity More general signature situation: Server signs message m under “You want just encryption? server’s long-term signature key. That’s crazy! Obviously we need Client verifies signature. post-quantum signatures too!” Example: Google’s NewHope experiment, modification of TLS. • Server → client: E , one-time NewHope public key. • Client → server: AES-GCM key encrypted to E . • Server signs key exchange under its long-term RSA key. Must upgrade this protocol before attacker has quantum computer.

  76. 16 17 Integrity More general signature situation: Server signs message m under “You want just encryption? server’s long-term signature key. That’s crazy! Obviously we need Client verifies signature. post-quantum signatures too!” Can protect integrity of m Example: Google’s NewHope without a signature system: experiment, modification of TLS. • Client → server: • Server → client: E , AES-GCM key k encrypted to one-time NewHope public key. server’s long-term encryption key. • Client → server: • Server → client: AES-GCM key encrypted to E . message m encrypted under k . • Server signs key exchange under its long-term RSA key. AES-GCM includes authentication so client knows m is from server. Must upgrade this protocol before attacker has quantum computer.

  77. 16 17 Integrity More general signature situation: Advantages Server signs message m under want just encryption? Client kno server’s long-term signature key. crazy! Obviously we need Client verifies signature. ost-quantum signatures too!” Can protect integrity of m Example: Google’s NewHope without a signature system: eriment, modification of TLS. • Client → server: Server → client: E , AES-GCM key k encrypted to one-time NewHope public key. server’s long-term encryption key. Client → server: • Server → client: AES-GCM key encrypted to E . message m encrypted under k . Server signs key exchange under its long-term RSA key. AES-GCM includes authentication so client knows m is from server. upgrade this protocol before er has quantum computer.

  78. 16 17 More general signature situation: Advantages of this Server signs message m under encryption? Client knows m is server’s long-term signature key. Obviously we need Client verifies signature. signatures too!” Can protect integrity of m ogle’s NewHope without a signature system: dification of TLS. • Client → server: client: E , AES-GCM key k encrypted to ewHope public key. server’s long-term encryption key. server: • Server → client: encrypted to E . message m encrypted under k . ey exchange long-term RSA key. AES-GCM includes authentication so client knows m is from server. this protocol before quantum computer.

  79. 16 17 More general signature situation: Advantages of this approach: Server signs message m under encryption? Client knows m is fresh. server’s long-term signature key. e need Client verifies signature. too!” Can protect integrity of m NewHope without a signature system: of TLS. • Client → server: AES-GCM key k encrypted to public key. server’s long-term encryption key. • Server → client: encrypted to E . message m encrypted under k . exchange key. AES-GCM includes authentication so client knows m is from server. col before computer.

  80. 17 18 More general signature situation: Advantages of this approach: Server signs message m under Client knows m is fresh. server’s long-term signature key. Client verifies signature. Can protect integrity of m without a signature system: • Client → server: AES-GCM key k encrypted to server’s long-term encryption key. • Server → client: message m encrypted under k . AES-GCM includes authentication so client knows m is from server.

  81. 17 18 More general signature situation: Advantages of this approach: Server signs message m under Client knows m is fresh. server’s long-term signature key. — Already guaranteed for TLS, Client verifies signature. since m has client randomness. Can protect integrity of m without a signature system: • Client → server: AES-GCM key k encrypted to server’s long-term encryption key. • Server → client: message m encrypted under k . AES-GCM includes authentication so client knows m is from server.

  82. 17 18 More general signature situation: Advantages of this approach: Server signs message m under Client knows m is fresh. server’s long-term signature key. — Already guaranteed for TLS, Client verifies signature. since m has client randomness. Can protect integrity of m Authenticates and encrypts. without a signature system: Don’t need 2nd encryption layer. • Client → server: AES-GCM key k encrypted to server’s long-term encryption key. • Server → client: message m encrypted under k . AES-GCM includes authentication so client knows m is from server.

  83. 17 18 More general signature situation: Advantages of this approach: Server signs message m under Client knows m is fresh. server’s long-term signature key. — Already guaranteed for TLS, Client verifies signature. since m has client randomness. Can protect integrity of m Authenticates and encrypts. without a signature system: Don’t need 2nd encryption layer. • Client → server: — But “forward secrecy” needs AES-GCM key k encrypted to an ephemeral encryption layer. server’s long-term encryption key. • Server → client: message m encrypted under k . AES-GCM includes authentication so client knows m is from server.

  84. 17 18 More general signature situation: Advantages of this approach: Server signs message m under Client knows m is fresh. server’s long-term signature key. — Already guaranteed for TLS, Client verifies signature. since m has client randomness. Can protect integrity of m Authenticates and encrypts. without a signature system: Don’t need 2nd encryption layer. • Client → server: — But “forward secrecy” needs AES-GCM key k encrypted to an ephemeral encryption layer. server’s long-term encryption key. Advantage of signatures: • Server → client: Signer can be offline. message m encrypted under k . AES-GCM includes authentication so client knows m is from server.

  85. 17 18 More general signature situation: Advantages of this approach: Server signs message m under Client knows m is fresh. server’s long-term signature key. — Already guaranteed for TLS, Client verifies signature. since m has client randomness. Can protect integrity of m Authenticates and encrypts. without a signature system: Don’t need 2nd encryption layer. • Client → server: — But “forward secrecy” needs AES-GCM key k encrypted to an ephemeral encryption layer. server’s long-term encryption key. Advantage of signatures: • Server → client: Signer can be offline. message m encrypted under k . — Designing for a disconnected AES-GCM includes authentication future? Not relevant to TLS. so client knows m is from server.

  86. 17 18 general signature situation: Advantages of this approach: Time signs message m under Client knows m is fresh. Cycles on server’s long-term signature key. — Already guaranteed for TLS, params verifies signature. since m has client randomness. 348864 rotect integrity of m Authenticates and encrypts. 460896 without a signature system: Don’t need 2nd encryption layer. 6688128 Client → server: — But “forward secrecy” needs 6960119 AES-GCM key k encrypted to an ephemeral encryption layer. 8192128 server’s long-term encryption key. Advantage of signatures: Server → client: 348864 Signer can be offline. message m encrypted under k . 460896 — Designing for a disconnected 6688128 AES-GCM includes authentication future? Not relevant to TLS. 6960119 client knows m is from server. 8192128

  87. 17 18 signature situation: Advantages of this approach: Time message m under Client knows m is fresh. Cycles on Intel Hasw long-term signature key. — Already guaranteed for TLS, params op cycles signature. since m has client randomness. 45888 348864 enc integrity of m Authenticates and encrypts. 82684 460896 enc signature system: Don’t need 2nd encryption layer. 6688128 enc 153372 server: — But “forward secrecy” needs 6960119 enc 154972 k encrypted to an ephemeral encryption layer. 8192128 enc 183892 long-term encryption key. Advantage of signatures: client: dec 136840 348864 Signer can be offline. encrypted under k . dec 273872 460896 — Designing for a disconnected 6688128 dec 320428 includes authentication future? Not relevant to TLS. 6960119 dec 302460 m is from server. 8192128 dec 324008

Recommend

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with:

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Joint work with: Tanja Lange, tue.nl My main question in this talk: Shouldnt NIST PQC simply standardize Classic McEliece, discard the other 25 proposals?

1.18k views • 79 slides
McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

1 2 McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key: Daniel J. Bernstein, matrix G over F 2 . uic.edu , rub.de Normally m mG is injective. Tanja Lange, tue.nl Fundamental literature: 1962

2.16k views • 132 slides
McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange,

McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange,

1 McTiny: McEliece for tiny network servers Daniel J. Bernstein, uic.edu , rub.de Tanja Lange, tue.nl Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

899 views • 61 slides
Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

1 Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

775 views • 58 slides
Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/ Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane

439 views • 28 slides
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja

Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja

Classic McEliece: conservative code-based cryptography Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane Peters, Peter Schwabe 7 , Nicolas Sendrier 8

684 views • 25 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul Stankovski 2 , Pavol Zajac 1 , Qian Guo 2 , Thomas Johansson

693 views • 37 slides
Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR, Universit de Rennes 1 Journes Nationales de Calcul Formel 2020 03/03/2020 Outline 1. McEliece cryptosystem and variants 2. Attack on the ReedSolomon

782 views • 52 slides
What is... the McEliece system? Violetta Weger University of Zurich Zurich Graduate Colloquium

What is... the McEliece system? Violetta Weger University of Zurich Zurich Graduate Colloquium

What is... the McEliece system? Violetta Weger University of Zurich Zurich Graduate Colloquium 20 November 2018 Violetta Weger What is... the McEliece system? Outline Violetta Weger What is... the McEliece system? 1 Coding Theory 2 Public

779 views • 28 slides
Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C.

Making McEliece and Regev meet Gilles Zmor based on common work with C. Aguilar, O. Blazy, J-C. Deneuville, P . Gaborit Bordeaux Mathematics Institute March 21, 2019, Oberwolfach the McEliece paridigm Choose a code C that comes with a

680 views • 20 slides
McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J.

McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J.

McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J. Bernstein 1,2 and Tanja Lange 3 1 University of Illinois at Chicago 2 Ruhr University Bochum 3 Eindhoven University of Technology USENIX Security 2020

388 views • 19 slides
Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th International Conference on Finite Fields and their Applications June 5, 2017 Violetta Weger Weight two Masking in the McEliece system Outline 1

1.31k views • 34 slides
Solutions for the Storage Problem of McEliece Public and Private Keys on Memory-constrained

Solutions for the Storage Problem of McEliece Public and Private Keys on Memory-constrained

Solutions for the Storage Problem of McEliece Public and Private Keys on Memory-constrained Platforms Falko Strenzke FlexSecure GmbH, Darmstadt, Germany strenzke@flexsecure.de January 18, 2013 Solutions for the McEliece Key Storage Problem

411 views • 28 slides
On the security of Some Compact Keys for McEliece Scheme lise Barelli INRIA Saclay and LIX,

On the security of Some Compact Keys for McEliece Scheme lise Barelli INRIA Saclay and LIX,

On the security of Some Compact Keys for McEliece Scheme lise Barelli INRIA Saclay and LIX, CNRS UMR 7161 cole Polytechnique, 91120 Palaiseau Cedex June 16, 2017 E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June

1.01k views • 61 slides
Twisted Hermitian Codes and the McEliece Cryptosystem Bethany Matsick Liberty University

Twisted Hermitian Codes and the McEliece Cryptosystem Bethany Matsick Liberty University

Twisted Hermitian Codes and the McEliece Cryptosystem Bethany Matsick Liberty University January 26, 2018 Joint work with Austin Allen, Keller Blackwell, Olivia Fiol, Rutuja Kshirsagar, and Zoe Nelson, supervised by Gretchen Matthews. Coding

773 views • 18 slides
for McEliece Im Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich

for McEliece Im Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich

Sid ide Channel Analysis and Protection for McEliece Im Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview Motivation QC-MDPC

593 views • 43 slides
Some Project Ideas Read &amp; Write something Constructions not covered in class (e.g., McEliece

Some Project Ideas Read &amp; Write something Constructions not covered in class (e.g., McEliece

Some Project Ideas Read &amp; Write something Constructions not covered in class (e.g., McEliece PKE, lattice- based PKE), primitives not covered (e.g., Zero-Knowledge, Oblivious Transfer), proofs not covered (e.g., security of TLS),

411 views • 13 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project),

A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project),

A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project), Val erie Gauthier (Math. dep. Tech. Univ. of Denmark), A. Otmani (Universit e Caen- INRIA, SECRET project), L. Perret (INRIA, SALSA project),

734 views • 35 slides
Syndrome Decoding in the Non-Standard Cases Matthieu Finiasz Outline The Problem of Syndrome

Syndrome Decoding in the Non-Standard Cases Matthieu Finiasz Outline The Problem of Syndrome

Syndrome Decoding in the Non-Standard Cases Matthieu Finiasz Outline The Problem of Syndrome Decoding I The Cryptosystems of McEliece and Niederreiter II McEliece-Based Signatures III Provably Secure Syndrome-Based Hash Functions IV The

441 views • 32 slides
Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital Signatures The hash and sign paradigm m c slide 1/18 . Any public key encryption can be turned into a signature. Digital Signatures The hash and

759 views • 28 slides

More recommend