  1. Tweaking Code-Based Cryptography for Embedded Systems
  DIMACS Workshop on The Mathematics of Post-Quantum Cryptography
  Tim Güneysu, Ingo von Maurich, 1/12/2015
  Horst Görtz Institute for IT-Security, Ruhr-Universität Bochum, Germany

  2. Motivation
  High demand for security in the Internet of Things (IoT)
  Requirements
  • Highly embedded/cost-sensitive
  • Long lifetime / long-term security
  • Diversity of target platforms
  • Simple physical accessibility
  Consequences
  • Quantum-computer resistant cryptography
  • Implementations for a wide range of cheap embedded devices
  Tweaking code-based cryptography for embedded systems | DIMACS‘15 | Tim Güneysu, Ingo von Maurich 2

  3. Motivation
  Cryptography in the era of quantum computing
  • Symmetric: the security level of a given key length is halved (Grover) … not good, but we can fix it by doubling the key length.
  • Asymmetric: polynomial-time attacks on RSA and elliptic curves exist (Shor) … so it is essential to have alternatives ready!
  Task: deploy new asymmetric schemes that are
  • resistant to attacks from quantum computers
  • as efficient as RSA and ECC on today's and future computing platforms
  • available with many implementations
   Code-based crypto on embedded platforms

  4. Overview
  Motivation
  Background
  Efficient Decoding Techniques
  Implementing QC-MDPC McEliece
  Side-Channel Attacks
  Countermeasures

  5. Cryptography on Embedded Devices
  Common computing platforms of embedded devices
   Microcontrollers (µC)
  • Small 8/16/32-bit CPU, small RAM (≈ 512 B to 256 KB), a bit more Flash (≈ 4 KB to 1 MB)
   Reconfigurable hardware (FPGA)
  • LUT-based logic functions, flip-flops, some 18/36 kbit block memories and DSP units
   Application-Specific Integrated Circuits (ASIC)
  • Dedicated hardware design for an individual application

  6. Cryptography on Embedded Devices
  [Figure: microcontroller architecture (AVR and ARM Cortex-M4) next to FPGA architecture (Altera/Xilinx): flexible routing paths, dedicated multiplier or DSP block]
  A slice contains
  • 2-4 look-up tables (LUT) as logic function generators
  • 2-8 flip-flops for data storage

  7. Cryptography with Linear Codes?
  • Error-correcting codes are well known from a large variety of applications
  • Detection/correction of errors on noisy channels by adding redundancy
  • Observation: some problems in coding theory (e.g. syndrome decoding of a general linear code) are NP-complete
   Possible foundation of code-based cryptosystems (CBC)

  8. Linear Codes and Cryptography
  • Generator matrix $G$ for encoding, parity-check matrix $H$ for decoding
  • Matrices in systematic form ($G = [I_k \mid A]$) minimize time and storage
  • $G$ is a $k \times n$ matrix; its rows form a basis of the code $C = [n, k, d]$ of length $n$, dimension $k$ and minimum distance $d$

  9. Linear Codes and Cryptography
  • The parity-check matrix $H$ is an $(n-k) \times n$ matrix orthogonal to $G$: $G H^T = 0$
  • Its rows span the dual code $C^\perp$, the words whose scalar product with every codeword is zero
  • $c \in C$ if and only if $H c^T = 0$
  • For a received word $c' = c + e$, the term $s = H c'^T = H c^T + H e^T = H e^T$ is the syndrome; it depends only on the error $e$

  10. McEliece Encryption Scheme [1978]
  Key generation
  Given an $[n, k]$-code $C$ with generator matrix $G$ and error-correcting capability $t$
  Private key: $(S, G, P)$, where $S$ is an invertible $k \times k$ scrambling matrix and $P$ an $n \times n$ permutation matrix
  Public key: $G' = S \cdot G \cdot P$
  Encryption
  Message $m \in \mathbb{F}_2^k$, error vector $e \in_R \mathbb{F}_2^n$ with $\mathrm{wt}(e) \le t$
  $x \leftarrow m G' + e$
  Decryption
  Let $\Psi_H$ be a $t$-error-correcting decoding algorithm for $C$.
  $m \cdot S \leftarrow \Psi_H(x \cdot P^{-1})$ removes the error $e \cdot P^{-1}$ (a permutation keeps the weight $\le t$)
  Extract $m$ by computing $m \cdot S \cdot S^{-1}$
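The scheme of slide 10 carried out over a tiny code, as an added example (this is not the authors' code): the binary $[7,4,3]$ Hamming code replaces the Goppa code so that $\Psi_H$ is a seven-entry syndrome table, while $S$, $P$ and $G' = S \cdot G \cdot P$ are built exactly as stated. The function names and the seed are my choices; the sample message and error vector are constructed. With $t = 1$ it also shows the point of slide 9: the syndrome $H c'^T$ depends only on the error and is the column of $H$ at the error position.

```python
"""Textbook McEliece over the binary [7,4,3] Hamming code (t = 1).

Added example, not the authors' code.  The Hamming code stands in for the
binary Goppa code of the original proposal so that the decoder Psi_H is a
seven-entry syndrome table; matrices are lists of rows over F2 (ints 0/1).
"""
import random

K, N, T = 4, 7, 1   # code dimension, length, error-correcting capability

def matmul(A, B):
    """Matrix product over F2."""
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in zip(*B)]
            for row in A]

def inverse(A):
    """Gauss-Jordan inverse of a square matrix over F2; None if singular."""
    n = len(A)
    M = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        p = next((i for i in range(c, n) if M[i][c]), None)
        if p is None:
            return None
        M[c], M[p] = M[p], M[c]
        for i in range(n):
            if i != c and M[i][c]:
                M[i] = [x ^ y for x, y in zip(M[i], M[c])]
    return [row[n:] for row in M]

# Systematic Hamming code: G = [I_4 | A] (4 x 7) and H = [A^T | I_3] (3 x 7).
# The columns of H are the seven distinct nonzero 3-bit vectors, so every
# single error has its own syndrome.
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [[int(i == j) for j in range(K)] + A[i] for i in range(K)]
H = [[A[j][i] for j in range(K)] + [int(i == j) for j in range(N - K)]
     for i in range(N - K)]

def keygen(seed):
    """Private key (S, P): S a random invertible k x k scrambling matrix, P a
    random n x n permutation matrix.  Public key G' = S * G * P."""
    rng = random.Random(seed)   # the seed is a demo choice, not part of the scheme
    while True:
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        if inverse(S) is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    return (S, P), matmul(matmul(S, G), P)

def encrypt(G_pub, m, e):
    """x = m * G' + e with wt(e) <= t."""
    assert sum(e) <= T, "error weight exceeds the correction capability"
    return [a ^ b for a, b in zip(matmul([m], G_pub)[0], e)]

def syndrome(y):
    """s = H * y^T as a list of n - k bits."""
    return [row[0] for row in matmul(H, [[b] for b in y])]

def hamming_decode(y):
    """Psi_H: a nonzero syndrome equals the column of H at the error position."""
    s, y = syndrome(y), list(y)
    if any(s):
        columns = [[H[i][j] for i in range(N - K)] for j in range(N)]
        y[columns.index(s)] ^= 1
    return y

def decrypt(priv, x):
    """m*S <- Psi_H(x * P^-1), then m = (m*S) * S^-1."""
    S, P = priv
    P_inv = [list(col) for col in zip(*P)]  # P^-1 = P^T for a permutation matrix
    y = matmul([x], P_inv)[0]               # = m*S*G + e*P^-1, still weight <= t
    c = hamming_decode(y)                   # = m*S*G, error removed
    mS = c[:K]                              # G is systematic: first k bits are m*S
    return matmul([mS], inverse(S))[0]

if __name__ == "__main__":
    priv, pub = keygen(seed=2015)
    m, e = [1, 0, 1, 1], [0, 0, 0, 0, 1, 0, 0]   # constructed sample message and error
    x = encrypt(pub, m, e)
    print("public key rows:", pub)
    print("ciphertext:", x, "recovered:", decrypt(priv, x))
```

Because $P$ only permutes positions, $e \cdot P^{-1}$ still has weight at most $t$, which is what lets the decoder of the secret code remove it; whoever holds only $G'$ faces a code with no visible structure, trivial at $n = 7$ and the whole point of the scheme at real parameters.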

  11. Security Parameters (Goppa Codes)
   Original proposal: McEliece with binary Goppa codes
   Code properties determine the key size; the matrices are often large
   Code parameters revisited by Bernstein, Lange and Peters
   Public key is a $k \times (n-k)$ bit matrix (redundant part only, i.e. the $A$ of a systematic $G = [I_k \mid A]$)

  12. Code-based Cryptography for Embedded Devices
  [Figure: encryption $y = Mx + e$ with the public key $K_{pub} = M$ (a matrix); decryption $x = \Psi(y, K_{priv})$]
  • Selection of the employed code is a highly critical issue
    – Properties of the code determine the key size; short keys are essential
    – Structure in the code reduces the key size, but can enable attacks
    – Encoding is a fast operation on all platforms (matrix multiplication)
    – Decoding requires efficient techniques in terms of time and memory
  • Basic McEliece is only CPA-secure (ciphertexts are malleable); a CCA2 conversion is required
  • Protection against side-channel and fault-injection attacks

  13.-15. Code-based Cryptosystems
  Suitable codes for code-based cryptography? [Figure: Goppa, Generalized Srivastava, Concatenated, Elliptic, Reed-Solomon, Reed-Muller, LDPC/MDPC]
  See Anja's and Nicolas' talks on Wednesday!
  Key sizes for ≈ 80-bit equivalent symmetric security (from the figure):
  • Goppa: PK 63 kB, SK 2.5 kB
  • LDPC/MDPC: PK 0.6 kB, SK 1.2 kB
  • PK 2.5 kB, SK 1.5 kB (the code family this pair is attached to is not legible in the figure)

  16. QC-MDPC Codes for Cryptography [MTSB13]
   $t$-error-correcting $(n, r, w)$-QC-MDPC code of length $n = n_0 r$
   Parity-check matrix $H$ consists of $n_0$ circulant $r \times r$ blocks with fixed row weight $w$
  Code/Key Generation
  1. Generate the $n_0$ first rows $h_i \in_R \mathbb{F}_2^r$ of the parity-check matrix blocks $H_i$, each of weight $w_i$, with $w = \sum_{i=0}^{n_0-1} w_i$
  2. Obtain the remaining rows by the $r-1$ quasi-cyclic shifts of $h_i$
  3. $H = [H_0 \mid H_1 \mid \dots \mid H_{n_0-1}]$
  4. Generator matrix in systematic form $G = [I_k \mid Q]$ (requires $H_{n_0-1}$ to be invertible) with
     $Q = \begin{pmatrix} (H_{n_0-1}^{-1} \cdot H_0)^T \\ (H_{n_0-1}^{-1} \cdot H_1)^T \\ \vdots \\ (H_{n_0-1}^{-1} \cdot H_{n_0-2})^T \end{pmatrix}$
  See Marco's talk!

  17. Background on QC-MDPC Codes
  [Figure, $n_0 = 2$: parity-check matrix $H = [H_0 \mid H_1]$ (two $r \times r$ circulant blocks); generator matrix $G = [I \mid Q]$]

  18. (QC-)MDPC McEliece
  Encryption
  Message $m \in \mathbb{F}_2^k$, error vector $e \in_R \mathbb{F}_2^n$ with $\mathrm{wt}(e) \le t$
  $x \leftarrow m G + e$
  Decryption
  Let $\Psi_H$ be a $t$-error-correcting (QC-)MDPC decoding algorithm.
  $m G \leftarrow \Psi_H(m G + e)$
  Extract $m$ from the first $k$ positions (since $G$ is systematic). The public key is $G$ itself, the private key is the sparse $H$; no scrambling or permutation matrix is needed.
  Parameters for 80-bit equivalent symmetric security [MTSB13]: $n_0 = 2$, $n = 9602$, $r = 4801$, $w = 90$, $t = 84$

  19. Overview
  Motivation
  Background
  Efficient Decoding Techniques
  Implementing QC-MDPC McEliece
  Side-Channel Attacks
  Countermeasures

  20. Efficient Decoding of MDPC Codes
  Decoders for LDPC/MDPC codes: bit flipping and belief propagation
  "Bit-Flipping" Decoder
  1. Compute the syndrome $s$ of the ciphertext
  2. Count the unsatisfied parity-check equations $\#\mathrm{upc}$ for each ciphertext bit
  3. Flip the ciphertext bits that violate $\ge b$ equations
  4. Recompute the syndrome
  5. Repeat until $s = 0$ or the maximum number of iterations is reached (decoding failure)
   How to determine the threshold $b$?
  • Precompute $b_i$ for each iteration [Gal62]
  • $b = \max \mathrm{upc}$ [HP03]
  • $b = \max \mathrm{upc} - \delta$ [MTSB13]
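The key generation of slide 16, the encryption and decryption of slide 18 and the bit-flipping decoder of slide 20, combined into one added example (not the authors' implementation, which targets AVR, ARM and FPGA). It assumes $n_0 = 2$ and $r$ prime with 2 a primitive root mod $r$, so that $H_1^{-1}$ is a Fermat power in $\mathbb{F}_2[x]/(x^r - 1)$; every circulant block is held as its first row and all matrix products become polynomial products. The toy parameters $r = 101$, $w = 9$ per block, $t = 4$, the function names and the seeds are my choices and give no security.

```python
"""Toy QC-MDPC McEliece (n_0 = 2) with a bit-flipping decoder.

Added example, not the authors' implementation.  Assumptions: r prime with 2 a
primitive root mod r (then x^r - 1 = (x + 1) * irreducible, so every odd-weight
h is a unit in F2[x]/(x^r - 1)); polynomials are Python ints with bit i <-> x^i;
the circulant with first row h maps a row vector v to v(x) * h(x).
"""
import random

def pmul(a, b, r):
    """Product in F2[x]/(x^r - 1): row vector a times the circulant of b."""
    mask, res = (1 << r) - 1, 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> r:                  # x^r wraps around to x^0
            a = (a & mask) | 1
    return res

def pinv(a, r):
    """Inverse of a unit a as a^(2^(r-1) - 2) (Fermat in F2 x GF(2^(r-1)))."""
    e, res = (1 << (r - 1)) - 2, 1
    while e:
        if e & 1:
            res = pmul(res, a, r)
        a = pmul(a, a, r)
        e >>= 1
    return res

def ptrans(a, r):
    """First row of the transposed circulant: x^i -> x^(-i) = x^(r-i)."""
    return sum(1 << ((r - i) % r) for i in range(r) if a >> i & 1)

def rotl(a, s, r):
    """a * x^s mod (x^r - 1): row s of the circulant with first row a."""
    s %= r
    return ((a << s) | (a >> (r - s))) & ((1 << r) - 1)

def rand_weight(rng, length, w):
    """Random bit string of the given length with Hamming weight exactly w."""
    return sum(1 << i for i in rng.sample(range(length), w))

def keygen(r, w, seed):
    """Steps 1-3: first rows h0, h1 (each of odd weight w) define H = [H0 | H1].
    Step 4: public key q = first row of Q = (H1^-1 H0)^T, so G = [I_r | Q]."""
    assert w % 2 == 1, "odd weight gives h(1) = 1, so h is invertible"
    rng = random.Random(seed)       # the seed is a demo choice
    h0 = rand_weight(rng, r, w)
    h1 = rand_weight(rng, r, w)
    while any(rotl(h0, s, r) == h1 for s in range(r)):   # a shift of h0 would give H two equal columns
        h1 = rand_weight(rng, r, w)
    q = ptrans(pmul(pinv(h1, r), h0, r), r)
    return (h0, h1), q

def encrypt(q, m, e, r):
    """x = m*G + e for m in F_2^r; e = (e0, e1) are the two halves of the error."""
    return (m ^ e[0], pmul(m, q, r) ^ e[1])

def syndrome(h, x, r):
    """s = H x^T = H0 x0^T + H1 x1^T; H_i x_i^T is x_i times the transposed circulant."""
    return pmul(x[0], ptrans(h[0], r), r) ^ pmul(x[1], ptrans(h[1], r), r)

def decode(h, x, r, max_iter=10, delta=0):
    """Bit flipping: count unsatisfied parity checks (upc) per bit, flip every bit with
    upc >= max(upc) - delta, recompute s; None on failure.  delta = 0 is [HP03], > 0 [MTSB13]."""
    t = (ptrans(h[0], r), ptrans(h[1], r))
    x = list(x)
    for _ in range(max_iter):
        s = syndrome(h, x, r)
        if s == 0:
            return tuple(x)
        # column j of block H_i is x^j * t_i, so upc_j = |column_j AND s|
        upc = [[bin(rotl(t[i], j, r) & s).count("1") for j in range(r)] for i in range(2)]
        b = max(max(upc[0]), max(upc[1])) - delta
        for i in range(2):
            for j in range(r):
                if upc[i][j] >= b:
                    x[i] ^= 1 << j
    return None                     # decoding failure

def decrypt(h, x, r):
    """Remove the error with Psi_H; m is then the first r positions (G is systematic)."""
    c = decode(h, x, r)
    return None if c is None else c[0]

if __name__ == "__main__":
    r, w, t = 101, 9, 4   # toy sizes; [MTSB13] 80-bit: r = 4801, w = 90 (45 per block), t = 84
    h, q = keygen(r, w, seed=1)
    rng = random.Random(2)
    m, e = rng.getrandbits(r), rand_weight(rng, 2 * r, t)
    x = encrypt(q, m, (e & ((1 << r) - 1), e >> r), r)
    print("recovered" if decrypt(h, x, r) == m else "decoding failure (the MDPC failure event)")
```

`decode` returns `None` on the decoding-failure event of step 5. With the $\max \mathrm{upc}$ threshold a single error is always removed in one iteration: its column is the only one meeting all $w$ unsatisfied checks, because $r$ prime makes the shifts within a block distinct and `keygen` rejects an $h_1$ that is a shift of $h_0$. For $t$ errors the run in `main` can fail, which is the failure rate that MDPC parameters are tuned against.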
