qc mdpc a timing attack and a cca2 kem
play

QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 - PowerPoint PPT Presentation

Oct 29, 2023 •134 likes •1.05k views

QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 Edward Eaton 1 , Matthieu Lequesne 2,3 , Alex Parent 1 and Nicolas Sendrier 3 1 - ISARA Corporation, Waterloo, Canada 2 - Sorbonne Universit Paris, France 3 - Inria Paris,

  1. QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto – April 9, 2018 Edward Eaton 1 , Matthieu Lequesne 2,3 , Alex Parent 1 and Nicolas Sendrier 3 1 - ISARA Corporation, Waterloo, Canada 2 - Sorbonne Université Paris, France 3 - Inria Paris, France – team Secret

  2. Context

  3. Public Key Cryptography ... 1011010001101 RSA [1977]

  4. Public Key Cryptography + + [1994] ... 1011010001101 /////////// RSA [1977] ??? 2

  5. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] 3

  6. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) 3

  7. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) Goal: achieve relatively short keys 3

  8. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) Goal: achieve relatively short keys Idea: use (quasi)-cyclic structure. 3

  9. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) Goal: achieve relatively short keys Idea: use (quasi)-cyclic structure. 3

  10. Post-Quantum Cryptography Post-Quantum Cryptography Isogenies Lattice Codes Hash Multivariate McEliece MDPC Goppa [2013] [1978] QC-MDPC [2013] Code-based cryptosystem (à la McEliece) Goal: achieve relatively short keys Idea: use (quasi)-cyclic structure. 3

  11. QC-MDPC McEliece

  12. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 )

  13. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) private key � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d

  14. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d

  15. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t

  16. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t c = e 0 + e 1 · q

  17. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t c = e 0 + e 1 · q c · h 0 = e 0 h 0 + e 1 h 1 ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 )

  18. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t c = e 0 + e 1 · q c · h 0 = e 0 h 0 + e 1 h 1 ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 ) Shared secret: ( e 0 , e 1 ) .

  19. QC-MDPC scheme k , d , t ∈ N parameters √ ( k prime, d odd, 2 d ∼ t ∼ 2 k ) R = F 2 [ X ] / ( X k − 1 ) public key � �� � q = h 1 · h − 1 private key 0 � �� � ( h 0 , h 1 ) ← R | h 0 | = | h 1 | = d ( e 0 , e 1 ) ← R | e 0 | + | e 1 | = t c = e 0 + e 1 · q c · h 0 = e 0 h 0 + e 1 h 1 ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 ) Shared secret: ( e 0 , e 1 ) . 5

  20. QC-MDPC McEliece: Bit Flip Decoding ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 ) � �� � s 6

  21. QC-MDPC McEliece: Bit Flip Decoding ( e 0 , e 1 ) = Decode ( h 0 , h 1 , e 0 h 0 + e 1 h 1 ) � �� � s Find a sparse solution ( e 0 , e 1 ) such that:         e 0         h 0 h 1               � �       · = s                             e 1         6

  22. QC-MDPC McEliece: Bit Flip Syndrome Decoding Input: H the parity-check matrix of the code C , s the syndrome Output: An error e of small weight such that He ⊺ = s e ← 0; s ′ ← s − He ⊺ while s ′ � = 0 do for j = 1 , . . . , n do if σ j = � s ′ , h j � ≥ threshold then Flip( e j ) s ′ ← s − He ⊺ return e 7

  23. QC-MDPC McEliece: Bit Flip Syndrome Decoding Input: H the parity-check matrix of the code C , s the syndrome Output: An error e of small weight such that He ⊺ = s e ← 0; s ′ ← s − He ⊺ while s ′ � = 0 do for j = 1 , . . . , n do if σ j = � s ′ , h j � ≥ threshold then Flip( e j ) s ′ ← s − He ⊺ return e - While loop: variable number of iterations. 7

  24. QC-MDPC McEliece: Bit Flip Syndrome Decoding Input: H the parity-check matrix of the code C , s the syndrome Output: An error e of small weight such that He ⊺ = s e ← 0; s ′ ← s − He ⊺ while s ′ � = 0 do for j = 1 , . . . , n do if σ j = � s ′ , h j � ≥ threshold then Flip( e j ) s ′ ← s − He ⊺ return e - While loop: variable number of iterations. - Decoding algorithm fails with a small probability (DFR). 7

  25. QC-MDPC McEliece: Bit Flip Syndrome Decoding Input: H the parity-check matrix of the code C , s the syndrome Output: An error e of small weight such that He ⊺ = s e ← 0; s ′ ← s − He ⊺ while s ′ � = 0 do for j = 1 , . . . , n do if σ j = � s ′ , h j � ≥ threshold then Flip( e j ) s ′ ← s − He ⊺ return e - While loop: variable number of iterations. - Decoding algorithm fails with a small probability (DFR). - Thresholds? 7

  26. The GJS Attack

  27. The GJS Attack [GJS] Guo, Johansson, Stankovski, Asiacrypt 2016 Observation [GJS] When two non-zero bits appear at a distance δ both in the secret key and in the error vector, a decoding failure is less likely to occur. 9

  28. Example: δ = 1     1 1 0 0 1 1 0 0 0 0   0 1 1 0 0 1 1 0 0   1          0 0 1 1 0 0 1 1 0  0         0 0 0 1 1 0 0 1 1 0           H = s = 1 0 0 0 1 1 0 0 1 1           0 1 1 0 0 0 1 1 0 0          1  0 1 1 0 0 0 1 1 0           0 0 0 1 1 0 0 0 1 1     1 1 0 0 1 1 0 0 0 1 � � e = 1 1 0 0 0 0 0 0 0 10

  29. Example: δ = 1     1 1 0 0 1 1 0 0 0 0   0 1 1 0 0 1 1 0 0   1          0 0 1 1 0 0 1 1 0  0         0 0 0 1 1 0 0 1 1 0           H = s = 1 0 0 0 1 1 0 0 1 1           0 1 1 0 0 0 1 1 0 0          1  0 1 1 0 0 0 1 1 0           0 0 0 1 1 0 0 0 1 1     1 1 0 0 1 1 0 0 0 1 � � e = 1 1 0 0 0 0 0 0 0 10

  30. Example: δ = 1     1 1 0 0 1 1 0 0 0 0   0 1 1 0 0 1 1 0 0   1          0 0 1 1 0 0 1 1 0  0         0 0 0 1 1 0 0 1 1 0           H = s = 1 0 0 0 1 1 0 0 1 1           0 1 1 0 0 0 1 1 0 0          1  0 1 1 0 0 0 1 1 0           0 0 0 1 1 0 0 0 1 1     1 1 0 0 1 1 0 0 0 1 � � e = 1 1 0 0 0 0 0 0 0 10

  31. The GJS Attack [GJS] Guo, Johansson, Stankovski, Asiacrypt 2016 Observation [GJS] When two non-zero bits appear at a distance δ both in the secret key and in the error vector, a decoding failure is less likely to occur. ⇒ By observing the DFR for different error paterns we can recover information on the key. 11

  32. The Distance Spectrum [GJS] Definition (Distance Spectrum) h = 1001000001 12

  33. The Distance Spectrum [GJS] Definition (Distance Spectrum) h = 1001000001 ∆( h ) ⊇ { 1 } 12

  34. The Distance Spectrum [GJS] Definition (Distance Spectrum) h = 1001000001 ∆( h ) ⊇ { 1 , 3 } 12

Recommend

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul Stankovski 2 , Pavol Zajac 1 , Qian Guo 2 , Thomas Johansson

693 views • 37 slides
A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of

A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of

A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of Bergen. This is a joint work with Thomas Johansson and Paul Stankovski. Finse winter school 2018 May 11th, 2018 Outline 1 Motivation 2 Background on

813 views • 38 slides
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016 Outline 1 Motivation 2 Background on

381 views • 36 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack Algorithms leak information Nice example of practice trumping theoretical security Hardening algorithms: randomization Privilege separation

1.11k views • 69 slides
Skiplist Timing Attack Vulnerability Eyal Nussbaum PhD Student, Communication Systems Engineering

Skiplist Timing Attack Vulnerability Eyal Nussbaum PhD Student, Communication Systems Engineering

Skiplist Timing Attack Vulnerability Eyal Nussbaum PhD Student, Communication Systems Engineering School of Electrical and Computer Engineering Ben-Gurion University of the Negev Advisor: Professor Michael Segal Talk Overview Introduction

203 views • 19 slides
Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack Summary : The attack was severe and sophisticated; categorized as a catastrophic attack. It was highly strategic with regard to timing

329 views • 16 slides
IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in

IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in

MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 1 Overview Notion of

396 views • 20 slides
Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng

Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng

Computer Science Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng Ning, Douglas Reeves North Carolina State Univ. Xinyuan Wang George Mason Univ. 1 Attack Through Stepping Stones Telnet/ Attack

460 views • 20 slides
The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen, Nick Nikiforakis Background: Timing attacks Introduced by Felten et al. in 2000. A side-channel attack analyzing the time that it takes to a

642 views • 21 slides
HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th , 2019 NIST 2 nd PQC Standardization Conference Santa-Barbara https://pqc-hqc.org C. Aguilar Melchor ISAE-Supa ero, University of Toulouse N.

188 views • 15 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of Science, Finland {bbrumley,ntuveri}@tcs.hut.fi Synopsis New remote timing attack vulnerability in OpenSSLs implementation of Montgomerys

487 views • 25 slides
Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&Time vs. MbedTLS AES on STM32

477 views • 20 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill

CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill

CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill Morozov and Keisuke Tanaka from Tokyo Institute of Technology, Japan 1 Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) 2

598 views • 58 slides
Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Introduction to Digital VLSI Logic Synthesis Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups according to the clock associated with the endpoint of the path. There is a default path group that

541 views • 18 slides
FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem

FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem

FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem Ben Hedia ERTS 2020 Toulouse Outline of the talk Motivations and goals Timing anomalies in Worst-Case Timing Reasoning An example of a timing

286 views • 16 slides
Top 5 Timing Closure Techniques Greg Daughtry Correct Timing Constraints Analyze Before

Top 5 Timing Closure Techniques Greg Daughtry Correct Timing Constraints Analyze Before

Top 5 Timing Closure Techniques Greg Daughtry Correct Timing Constraints Analyze Before Doing Implementation Strategies and Directives Congestion and Complexity Advanced Physical Optimization Create Good Timing Constraints

659 views • 31 slides
X-ray ray Timing and Timing and Polarizati Polarization on mi missi ssion & & inst

X-ray ray Timing and Timing and Polarizati Polarization on mi missi ssion & & inst

X-ray ray Timing and Timing and Polarizati Polarization on mi missi ssion & & inst strumen mentation DONG Y Yongw ngwei Center fo r for r Parti rticle A Astroph trophysics Ins nstitute o of High Ene igh Energy P gy

437 views • 15 slides
Timing and Coordination Essential Knowledge 2.E.2 and 2.E.3 Timing and Coordination Timing

Timing and Coordination Essential Knowledge 2.E.2 and 2.E.3 Timing and Coordination Timing

Timing and Coordination Essential Knowledge 2.E.2 and 2.E.3 Timing and Coordination Timing and coordination of physiological events are regulated by multiple mechanisms ( 2.E.2 ) Timing and coordination of physiological events are

598 views • 37 slides
Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras Side Channel Analysis Electro magnetic Radiation Fault injection Power consumption Timing channels Preventing Side Channel Attacks is

468 views • 34 slides
A Highly Compressed Timing Macro-modeling Algorithm for Hierarchical and Incremental Timing

A Highly Compressed Timing Macro-modeling Algorithm for Hierarchical and Incremental Timing

A Highly Compressed Timing Macro-modeling Algorithm for Hierarchical and Incremental Timing Analysis Tin-Yin Lai, and Martin D. F. Wong March. 16, 2018 Outline Introduction Timing Macro-modeling Problem Formulation Previous

397 views • 23 slides

More recommend