ouroboros a simple secure and efficient key exchange
play

Ouroboros: a simple, secure and efficient key exchange protocol based - PowerPoint PPT Presentation

Feb 29, 2024 •693 likes •1.54k views

Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory Jean-Christophe Deneuville < jean-christophe.deneuville@xlim.fr > June the 26 th , 2017 PQCrypto 17 Utrecht Joint work with: P. Gaborit G. Z

  1. Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory Jean-Christophe Deneuville < jean-christophe.deneuville@xlim.fr > June the 26 th , 2017 PQCrypto ’17 Utrecht Joint work with: P. Gaborit G. Z´ emor University of Limoges University of Bordeaux

  2. Motivations [ME78]

  3. Motivations [ME78] [Nie86]

  4. Motivations RS 80’s BCH [ME78] [Nie86] ↓ Goppa 00’s RM

  5. Motivations Key Sizes RS 80’s BCH [ME78] [Nie86] ↓ Goppa 00’s RM Security reduction to a standard problem (random codes)

  6. Motivations Key Sizes RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof

  7. Motivations Key Sizes Rank [Gab91] Metric RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof

  8. Motivations Key Sizes Rank [Gab91] Metric RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  9. Motivations Group [Gab05] action Key Sizes Rank [Gab91] Metric RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  10. Motivations Group [Gab05] action Key Sizes Rank [Gab91] [Ove07] Metric Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  11. Motivations Group [Gab05] action [BBC08] QC-LDPC Key Sizes Rank [Gab91] [Ove07] Metric Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  12. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] action [BBC08] QC-LDPC Key Sizes Rank [Gab91] [Ove07] Metric Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  13. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] action [BBC08] QC-LDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  14. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action [BBC08] [MTSB13] QC-LDPC QC-MDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM Security proof [Ale03]

  15. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action [BBC08] [MTSB13] QC-LDPC QC-MDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Goppa Most of them broken 00’s RM HQC Security proof [Ale03] [ABDGZ16] RQC

  16. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action [BBC08] [MTSB13] QC-LDPC QC-MDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Bottom Line Goppa Most of them broken 00’s RM HQC Security proof [Ale03] [ABDGZ16] RQC

  17. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action [BBC08] [MTSB13] QC-LDPC QC-MDPC Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Bottom Line Goppa Most of them broken 00’s RM y c n HQC e i c i Security proof f [Ale03] [ABDGZ16] f E k RQC c a L

  18. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action f [BBC08] [MTSB13] o o QC-LDPC QC-MDPC r P Key Sizes a [GMRZ13] k Rank [Gab91] c QC-LRPC a [Ove07] Metric L Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Bottom Line Goppa Most of them broken 00’s RM y c n HQC e i c i Security proof f [Ale03] [ABDGZ16] f E k RQC c a L

  19. Motivations [MB09] dyadic [BCGO09] alternant Group [Gab05] Ntru-like action f o [BBC08] [MTSB13] o r QC-LDPC QC-MDPC P Key Sizes [GMRZ13] Rank [Gab91] QC-LRPC [Ove07] Metric Ntru-like Attacks RS 80’s BCH Other variations [ME78] [Nie86] ↓ Bottom Line Goppa Most of them broken 00’s RM y c n HQC e i c i f Security proof [Ale03] [ABDGZ16] f E RQC

  20. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion Outline Reminders on HQC 1 Presentation of the Ouroboros protocol 2 Security 3 Parameters 4 June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 3 / 21

  21. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion HQC Encryption Scheme [ABD + 16] Encryption scheme in H amming metric, using Q uasi- C yclic Codes Notation: Secret data - Public data - One-time Randomness G is the generator matrix of some public code C . Alice Bob $ seed h ← { 0 , 1 } λ , h ← F n seed h 2 $ ← S n seed h , s x , y w ( F 2 ), s ← x + hy − − − − − − − − − → $ $ ← S n ← S n r 1 , r 2 w ( F 2 ), ǫ cw ( F 2 ) v ← r 1 + hr 2 , ρ ← µ G + sr 2 + ǫ v , ρ ← − − − − − − − µ ← C . Decode ( ρ − vy ) June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 4 / 21

  22. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion HQC Encryption Scheme [ABD + 16] Encryption scheme in H amming metric, using Q uasi- C yclic Codes Notation: Secret data - Public data - One-time Randomness G is the generator matrix of some public code C . Alice Bob $ seed h ← { 0 , 1 } λ , h ← F n seed h 2 $ ← S n seed h , s x , y w ( F 2 ), s ← x + hy − − − − − − − − − → $ $ ← S n ← S n r 1 , r 2 w ( F 2 ), ǫ cw ( F 2 ) v ← r 1 + hr 2 , ρ ← µ G + sr 2 + ǫ v , ρ ← − − − − − − − µ ← C . Decode ( ρ − vy ) June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 4 / 21

  23. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion HQC Encryption Scheme [ABD + 16] Encryption scheme in H amming metric, using Q uasi- C yclic Codes Notation: Secret data - Public data - One-time Randomness G is the generator matrix of some public code C . Alice Bob $ seed h ← { 0 , 1 } λ , h ← F n seed h 2 $ ← S n seed h , s x , y w ( F 2 ), s ← x + hy − − − − − − − − − → $ $ ← S n ← S n r 1 , r 2 w ( F 2 ), ǫ cw ( F 2 ) v ← r 1 + hr 2 , ρ ← µ G + sr 2 + ǫ v , ρ ← − − − − − − − µ ← C . Decode ( ρ − vy ) June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 4 / 21

  24. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion HQC Encryption Scheme [ABD + 16] Encryption scheme in H amming metric, using Q uasi- C yclic Codes Notation: Secret data - Public data - One-time Randomness G is the generator matrix of some public code C . Alice Bob $ seed h ← { 0 , 1 } λ , h ← F n seed h 2 $ ← S n seed h , s x , y w ( F 2 ), s ← x + hy − − − − − − − − − → $ $ ← S n ← S n r 1 , r 2 w ( F 2 ), ǫ cw ( F 2 ) v ← r 1 + hr 2 , ρ ← µ G + sr 2 + ǫ v , ρ ← − − − − − − − µ ← C . Decode ( ρ − vy ) June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 4 / 21

  25. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion Correctness Correctness Property Decrypt (sk , Encrypt (pk , µ , θ )) = µ C .Decode correctly decodes ρ − v · y whenever the error term is not too big ω ( s · r 2 − v · y + ǫ ) ≤ δ ω (( x + h · y ) · r 2 − ( r 1 + h · r 2 ) · y + ǫ ) ≤ δ ω ( x · r 2 − r 1 · y + ǫ ) ≤ δ Error distribution analysis → Decryption failure probability better understood June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 5 / 21

  26. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion Correctness Correctness Property Decrypt (sk , Encrypt (pk , µ , θ )) = µ C .Decode correctly decodes ρ − v · y whenever the error term is not too big ω ( s · r 2 − v · y + ǫ ) ≤ δ ω (( x + h · y ) · r 2 − ( r 1 + h · r 2 ) · y + ǫ ) ≤ δ ω ( x · r 2 − r 1 · y + ǫ ) ≤ δ Error distribution analysis → Decryption failure probability better understood June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 5 / 21

  27. Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion Correctness Correctness Property Decrypt (sk , Encrypt (pk , µ , θ )) = µ C .Decode correctly decodes ρ − v · y whenever the error term is not too big ω ( s · r 2 − v · y + ǫ ) ≤ δ ω (( x + h · y ) · r 2 − ( r 1 + h · r 2 ) · y + ǫ ) ≤ δ ω ( x · r 2 − r 1 · y + ǫ ) ≤ δ Error distribution analysis → Decryption failure probability better understood June the 26th, 2017 J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange 5 / 21

Recommend

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Cline Chevalier David Pointcheval Damien Vergnaud Horst Grtz Institute for IT Security / Ruhr-University Bochum ENS /

914 views • 45 slides
Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava CCSW 2009: The ACM Cloud Computing Security Workshop 1 The Problem Providing secure and

414 views • 19 slides
Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment pain The vision The Octomizer: TVM for everyone 2 Simple, secure, and efficient Drive TVM adoption Expand the set of users who can deployment of

370 views • 14 slides
PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable health information among stakeholders and regional networks Vision to develop a framework for the efficient exchange of patient-centric health

478 views • 21 slides
Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung Chan (CityU) Joint work with Navin Kashyap (IISc), Praneeth Kumar Vippathalla, (IISc) and Qiaoqiao Zhou (CUHK) Audio slides:

443 views • 17 slides
Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE Convenient What is Secure Returns ? Secure Returns is a secure website where you and your clients can securely upload &amp; download confidential

202 views • 9 slides
Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure Metering Issues and Extensions Real World Other Directions Metering for General Access Structures Understanding the model Audit Agency

480 views • 35 slides
MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and Neil Brinkley Background The MRA and SPAA require that Suppliers and Networks Operators work together to resolve a number of issues that may arise

975 views • 28 slides
Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation

Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation

Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation One approach Lightweight Security Secure and Efficient Metering Motivation Advertising Webpage popularity Cost Measure

993 views • 49 slides
Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure OT is impossible (even against PPT adversaries) in the plain model (i.e., without the help of another functionality) But possible from simple

527 views • 16 slides
MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane Denny and Alessandro Scarlatti Background The majority of communications in the Electricity and Gas Market are managed by sending Data Flows

293 views • 15 slides
An efficient and simple class of functions to M. Boyer model arrival curve of packetised flows

An efficient and simple class of functions to M. Boyer model arrival curve of packetised flows

An efficient and simple class An efficient and simple class of functions to M. Boyer model arrival curve of packetised flows Network calculus Marc Boyer, J orn Migge, Nicolas Navet Shaping, packetization and computation time Swaping

488 views • 26 slides
Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of Tsukuba, Japan JST CREST Secure Outsourcing GWAS Secure computation [Cloud] Outline of our solution [data holder] Secure

381 views • 19 slides
OUROBOROS-R, an IND-CPA KEM based on Rank Metric NIST First Post-Quantum Cryptography

OUROBOROS-R, an IND-CPA KEM based on Rank Metric NIST First Post-Quantum Cryptography

Presentation of the rank metric Description of the scheme Security and parameters OUROBOROS-R, an IND-CPA KEM based on Rank Metric NIST First Post-Quantum Cryptography Standardization Conference Carlos AguilarMelchor 2 Nicolas Aragon 1 Slim

157 views • 15 slides
Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a

Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a

Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a Secure Sustainable Power System 17 th August 2011 Outline Agenda Chair: Dick Lewis, Manager, Grid Operations Planning 10.00 a.m. Registration (Tea

833 views • 70 slides
Commerzbank 4.0: simple digital efficient Winning in the German Retail Banking Market 10

Commerzbank 4.0: simple digital efficient Winning in the German Retail Banking Market 10

Commerzbank 4.0: simple digital efficient Winning in the German Retail Banking Market 10 May 2017 Commerzbank AG | Michael Mandel | Member of the Board of Managing Directors | London Commerzbank 4.0 simple digital efficient

527 views • 17 slides
A Simple Analytical Model for the Energy-Efficient Activation of Access Points in Dense WLANs

A Simple Analytical Model for the Energy-Efficient Activation of Access Points in Dense WLANs

A Simple Analytical Model for the Energy-Efficient Activation of Access Points in Dense WLANs Marco Ajmone Marsan , Luca Chiaraviglio, Delia Ciullo, Michela Meo Politecnico di Torino, Italy A Simple Analytical Model for the Energy-Efficient

269 views • 25 slides
Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Introduction Contributions Conclusion Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J. Rangasamy * D. Stebila * C. Boyd * J.M. Gonzlez Nieto * * Information Security Institute Queensland

943 views • 22 slides
Ouroboros Wear-leveling: A Two-level Hierarchical Wear-leveling Model for NVRAM Qingyue Liu

Ouroboros Wear-leveling: A Two-level Hierarchical Wear-leveling Model for NVRAM Qingyue Liu

Ouroboros Wear-leveling: A Two-level Hierarchical Wear-leveling Model for NVRAM Qingyue Liu Peter Varman ECE Department, Rice University May 18, 2017 New Challenges for New Technologies RRAM PCM 3DXpoint Advantages Major Drawback:

518 views • 36 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan

Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan

Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan University, Israel PKC 2013 Yehuda Lindell Techniques for Efficient Secure Computation 28/2/2013 1 / 39 Secure Computation Background A set of

689 views • 39 slides
Ouroboros Crypsinous Privacy-Preserving Proof-of-Stake Thomas Kerber Aggelos Kiayias

Ouroboros Crypsinous Privacy-Preserving Proof-of-Stake Thomas Kerber Aggelos Kiayias

Ouroboros Crypsinous Privacy-Preserving Proof-of-Stake Thomas Kerber Aggelos Kiayias t.kerber@ed.ac.uk akiayias@ed.ac.uk Markulf Kohlweiss Vassilis Zikas mkohlwei@ed.ac.uk vzikas@ed.ac.uk The University of Edinburgh &amp; IOHK May 17,

286 views • 28 slides
Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu,

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu,

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu, and Lin Lyu 1. Shanghai Jiao Tong University 2. State Key Laboratory of Cryptology 3. Westone Cryptologic Research Center Asiacrypt 2016, Hanoi,

950 views • 73 slides

More recommend