qcbits constant time small key code based cryptography
play

QcBits: constant-time small-key code-based cryptography Tung Chou - PowerPoint PPT Presentation

Jul 20, 2023 •226 likes •1k views

QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands Coding theory 2 Coding theory Linear codes 2 Coding theory Linear codes a linear subspace in F N 2 2 Coding theory

  1. QcBits: constant-time small-key code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands

  2. Coding theory 2

  3. Coding theory Linear codes 2

  4. Coding theory Linear codes • a linear subspace in F N 2 2

  5. Coding theory Linear codes • a linear subspace in F N 2 • can be defined by a parity-check matrix H , e.g., C = { c | Hc = 0 } 2

  6. Coding theory Linear codes • a linear subspace in F N 2 • can be defined by a parity-check matrix H , e.g., C = { c | Hc = 0 } Decoding 2

  7. Coding theory Linear codes • a linear subspace in F N 2 • can be defined by a parity-check matrix H , e.g., C = { c | Hc = 0 } Decoding • compute e (or c ) given c + e , where e is of weight ≤ t 2

  8. Coding theory Linear codes • a linear subspace in F N 2 • can be defined by a parity-check matrix H , e.g., C = { c | Hc = 0 } Decoding • compute e (or c ) given c + e , where e is of weight ≤ t • compute e given the syndrome He = H ( c + e ) 2

  9. Code-based encryption • McEliece versus Niederreiter plaintext ciphertext McEliece c c + e H ∗ e Niederreiter e 3

  10. Code-based encryption • McEliece versus Niederreiter plaintext ciphertext McEliece c c + e H ∗ e Niederreiter e • General shape McEliece/Niederreiter + some code 3

  11. Binary-Goppa and QC-MDPC McEliece/Niederreiter 4

  12. Binary-Goppa and QC-MDPC McEliece/Niederreiter Binary Goppa codes QC-MDPC codes Confidence unbroken since 1978 unbroken since 2013 4

  13. Binary-Goppa and QC-MDPC McEliece/Niederreiter Binary Goppa codes QC-MDPC codes Confidence unbroken since 1978 unbroken since 2013 Efficiency fast (McBits, CHES 2013) not so fast 4

  14. Binary-Goppa and QC-MDPC McEliece/Niederreiter Binary Goppa codes QC-MDPC codes Confidence unbroken since 1978 unbroken since 2013 Efficiency fast (McBits, CHES 2013) not so fast Key size ≈ 100 kilobytes ≈ 1 kilobyte 4

  15. Timeline 2013 • QC-MDPC McEliece (ISIT) 5

  16. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... 5

  17. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) 5

  18. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) 5

  19. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) The problem is timing attacks. 5

  20. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) The problem is timing attacks. 5

  21. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) The problem is timing attacks. • PQCrypto 2014: constant-time operations assuming no caches 5

  22. Timeline 2013 • QC-MDPC McEliece (ISIT) • Bochum people felt like implementing it... • on FPGAs (CHES) 2014 • on FPGAs, microcontrollers (PQCrypto, DATE) 2015 • on Haswell CPUs (ACM-TECS) 2016 • on microcontrollers (PQCrypto) • QcBits (new) The problem is timing attacks. • PQCrypto 2014: constant-time operations assuming no caches • QcBits: constant-time for a wide-variety of 32/64-bit platforms 5

  23. Performance results platform key-pair encrypt decrypt reference scheme Haswell 784 192 82 732 1 560 072 (new) QcBits KEM/DEM 14 234 347 34 123 3 104 624 ACMTECS 2015 McEliece Cortex-M4 140 372 822 2 244 489 14 679 937 (new) QcBits KEM/DEM 63 185 108 2 623 432 18 416 012 PQCrypto 2016 KEM/DEM 148 576 008 7 018 493 42 129 589 PQCrypto 2014 McEliece Cycle counts for key-pair generation, encryption, and decryption for 80-bit pre-quantum security. Numbers in RED are non-constant-time. Numbers in BLUE are constant-time. 6

  24. QC-MDPC codes 7

  25. QC-MDPC codes • MDPC: moderate-density-parity-check 7

  26. QC-MDPC codes • MDPC: moderate-density-parity-check • QC: quasi-cyclic (for saving bandwidth and memory) 7

  27. QC-MDPC codes • MDPC: moderate-density-parity-check • QC: quasi-cyclic (for saving bandwidth and memory)   1 0 1 0 0 0 1 0 0 1 0 1 0 1 0 1 0 1 0 0   � �   ∈ F n × 2 n H ( 0 ) H ( 1 ) 0 0 1 0 1 0 1 0 1 0 =   2   1 0 0 1 0 0 0 1 0 1     0 1 0 0 1 1 0 0 1 0 7

  28. QC-MDPC codes • MDPC: moderate-density-parity-check • QC: quasi-cyclic (for saving bandwidth and memory)   1 0 1 0 0 0 1 0 0 1 0 1 0 1 0 1 0 1 0 0   � �   ∈ F n × 2 n H ( 0 ) H ( 1 ) 0 0 1 0 1 0 1 0 1 0 =   2   1 0 0 1 0 0 0 1 0 1     0 1 0 0 1 1 0 0 1 0 QcBits: • [ n = 4801 , w = 90 , t = 84 ] for 80-bit security 7

  29. QC-MDPC codes • MDPC: moderate-density-parity-check • QC: quasi-cyclic (for saving bandwidth and memory)   1 0 1 0 0 0 1 0 0 1 0 1 0 1 0 1 0 1 0 0   � �   ∈ F n × 2 n H ( 0 ) H ( 1 ) 0 0 1 0 1 0 1 0 1 0 =   2   1 0 0 1 0 0 0 1 0 1     0 1 0 0 1 1 0 0 1 0 QcBits: • [ n = 4801 , w = 90 , t = 84 ] for 80-bit security • further requires H ( i ) to have row weight w / 2 (same for the Bochum papers) 7

  30. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv . 8

  31. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 8

  32. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 8

  33. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 + ) ∈ Z 2 n � 2 0 1 1 0 0 1 1 0 2 � u = 8

  34. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 + ) ∈ Z 2 n � 2 0 1 1 0 0 1 1 0 2 � u = Flip v i if u i is large. Repeat until Hv = 0. 8

  35. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 + ) ∈ Z 2 n � 2 0 1 1 0 0 1 1 0 2 � u = Flip v i if u i is large. Repeat until Hv = 0. Rationale 8

  36. Statistical decoding Start with finding v = c + e such that H ∗ v = H ∗ e . Compute Hv .     1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 0 0         0 0 1 0 1 0 1 0 1 0 0 v =         1 0 0 1 0 0 0 1 0 1 1         0 1 0 0 1 1 0 0 1 0 0 + ) ∈ Z 2 n � 2 0 1 1 0 0 1 1 0 2 � u = Flip v i if u i is large. Repeat until Hv = 0. Rationale • parity = 0: perhaps no errors. no information. 8

Recommend

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

746 views • 73 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work

969 views • 94 slides
McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands October 13, 2015 Joint work with Daniel J. Bernstein and Peter Schwabe Outline Summary of Our Work Background Main

439 views • 32 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

823 views • 46 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

643 views • 52 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

625 views • 41 slides
McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University

902 views • 43 slides
Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien

1 Code-based Cryptography Code-based Cryptography Selected publications [1] Carlos Aguilar, Philippe Gaborit, and Julien Schrek. A new zero-knowledge code based identification scheme with reduced communication. In ITW 2011 , pages 648

284 views • 6 slides
Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW

Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW

Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW implementations Small code size for SW implementation Low power or energy or both Reasonably fast computation time 2 This talk

676 views • 43 slides
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos ( joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based Cryptography Workshop Technical

301 views • 17 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for

Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for

1 2 Constant-time This code uses 256 squarings, square-and-multiply plus 1 extra multiplication for each bit set in e . D. J. Bernstein Problem when e is secret: time University of Illinois at Chicago; leaks number of bits set in e . Ruhr

381 views • 36 slides
Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global Map public-key cryptography classic post-quantum lattice code multivariate hash isogenies . . . McEliece Niederreiter . . . GRS codes

1.04k views • 73 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September 20, 2011 Code-based cryptography 1. Background 2. The McEliece cryptosystem 3. Information-set-decoding attacks 4. Designs: Wild McEliece 5.

721 views • 55 slides
Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication linear expansion data codeword k n > k noisy channel noisy

783 views • 52 slides
Code Based Cryptography Colloquium at Eastern Kentucky University E. Mart nez-Moro i

Code Based Cryptography Colloquium at Eastern Kentucky University E. Mart nez-Moro i

Code Based Cryptography Colloquium at Eastern Kentucky University E. Mart nez-Moro i Acknowledgements Full papers: Two in Designs, Codes and Cryptography (also as preprints OWP 2012-01 at MFO) and one in Journal of Symbolic Computation.

1.14k views • 67 slides
Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven Executive School on Post-Quantum Cryptography 02 July 2019 Error correction Digital media is exposed to memory

1.83k views • 96 slides
Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters

Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven Post-Quantum Cryptography Winter School 23 February 2016 Error correction Digital media is exposed to memory

519 views • 38 slides
Code-Based Post-Quantum Cryptography Wijik Lee 1 , Young-Sik Kim 2 , and Jong-Seon No 1 1

Code-Based Post-Quantum Cryptography Wijik Lee 1 , Young-Sik Kim 2 , and Jong-Seon No 1 1

Mathematical Methods for Cryptography 2017, Svolvaer, Lofoten, Norway 1 / 41 Code-Based Post-Quantum Cryptography Wijik Lee 1 , Young-Sik Kim 2 , and Jong-Seon No 1 1 Department of ECE, INMC, Seoul National University, Seoul, Korea 2 Chosun

565 views • 41 slides
Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication linear expansion data codeword k n > k noisy channel noisy codeword

916 views • 74 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides

More recommend