Toward Practical Code-Based Cryptography - PowerPoint Presentation (uploaded 2022-08-03)

Presentation Transcript
Slide1

Toward Practical Code-Based Cryptography

Paulo S. L. M. Barreto

University of Washington | Tacoma

Slide2

Objectives

Basics of coding theory.
Security considerations.
Panorama of code-based cryptosystems.
Choice of codes.
Implementation issues.
Research problems.

Slide3

Coding Theory

Slide4

Linear Codes

Let for some prime and .

A linear -code over is a -dimensional vector subspace of .

Let and let , so that .

An -subfield subcode of a code is the subspace of consisting of all words with all components in .

 

Slide5

Weight and Distance

The (Hamming) weight of is the number of nonzero components of : .

The (Hamming) distance between is .

The minimum distance of a code is .

Determining is NP-hard.

 

Slide6

Generator and Parity-Check

A generator matrix for an -code is a matrix whose rows form a basis of , i.e. .

A parity-check matrix for the same code is a matrix , with , whose rows form a basis for the orthogonal code, i.e. .

Therefore for all , i.e. .

 

Slide7

General & Syndrome (Bounded-Distance) Decoding

GDP
Input: positive integers , , ; generator matrix ; vector .
Question: such that has weight ?

SDP
Input: positive integers , , ; parity-check matrix ; vector .
Question: of weight such that ?

Both are NP-complete (Berlekamp, McEliece and van Tilborg 1978)!

Slide8

Code-Based Cryptography

There exist codes for which efficient decoders are known.

Cryptosystems naturally follow if:
the decoding trapdoor can be securely hidden;
the GDP/SDP remains intractable on average for those codes.

(Obs.: from now on, binary codes.)

Slide9

Bounded-Distance Decoding

Slide10

The Prange method

Pioneering technique: Prange (1962).

Recap (SDP): given and , find such that with .

Linear system: equations, variables.

Slide11

The Prange method

Most of those variables must be .

Idea: set randomly picked variables to . This ensures .

The remaining variables satisfy an linear system. The solution is expected to "look random" and hence .

Cost: .

Refinement: information set decoding.

Slide12

Information set decoding

Recap (GDP): given and where for some and some with , find .

An information set (IS) for the error pattern is a subset such that for all . In other words, is correct at all positions indicated by .

 

Slide13

Decoding with an IS

Let , and let and denote the restrictions of and to the columns indicated in (i.e. no errors).

If is invertible, then .

The method succeeds when for the recovered .

What is the expected cost of a successful decoding?

 

Slide14

Cost Estimate

Let be an IS with .

The probability that remains an IS for some uniformly random is , since out of the values in correspond to error positions.

Hence the probability that a uniformly random with is an IS will be .

 

Slide15

Cost Estimate

The decoding cost (or work factor, , in the number of decoding attempts) is slightly increased by a factor where due to the need that be invertible, i.e. . For a uniformly random square binary matrix the probability of being invertible tends to the product of (1 - 2^-i) over i >= 1, about 0.2888, so the expected number of attempts grows by a factor of roughly 3.5.

Examples:
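The generator/parity-check relations of slides 6-7 and the plain Prange information-set decoder of slides 10-15, worked in Python as an added example (the editor's illustration, not code from the talk). A uniformly random systematic [n, k] binary code stands in for a cryptographic one, which is exactly the point of ISD: it is generic and ignores any structure of the code. The toy sizes n = 80, k = 40, t = 3, the seed and the function names are arbitrary choices of this example. Vectors are Python ints with bit j as coordinate j, matrices are lists of row ints.

```python
import random
from math import comb

# Added example, not the talk's code. Bit j of an int = coordinate j; a matrix is a list of row ints.

def weight(v):
    """Hamming weight."""
    return bin(v).count("1")

def vec_mat(v, rows):
    """v * M over GF(2): XOR of the rows of M selected by the set bits of v."""
    acc = 0
    for i, row in enumerate(rows):
        if (v >> i) & 1:
            acc ^= row
    return acc

def random_systematic_generator(n, k, rng):
    """G = [I_k | A] with A uniformly random k x (n-k), as on the McEliece key-generation slide."""
    return [(1 << i) | (rng.getrandbits(n - k) << k) for i in range(k)]

def parity_check_from_systematic(G, n, k):
    """H = [A^T | I_(n-k)], so that G H^T = 0."""
    H = []
    for j in range(n - k):
        row = 1 << (k + j)                       # identity part
        for i in range(k):
            if (G[i] >> (k + j)) & 1:
                row |= 1 << i                    # A^T part
        H.append(row)
    return H

def syndrome(H, y):
    """H y^T: bit j is the parity of <H_j, y>."""
    return sum((weight(h & y) & 1) << j for j, h in enumerate(H))

def restrict(v, cols):
    """Keep only the coordinates listed in cols, in that order."""
    return sum(((v >> c) & 1) << p for p, c in enumerate(cols))

def gf2_inverse(rows, k):
    """Gauss-Jordan on [M | I] over GF(2); rows of M^-1, or None if M is singular."""
    aug = [r | (1 << (k + i)) for i, r in enumerate(rows)]
    for col in range(k):
        piv = next((i for i in range(col, k) if (aug[i] >> col) & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(k):
            if i != col and (aug[i] >> col) & 1:
                aug[i] ^= aug[col]
    return [r >> k for r in aug]

def prange_decode(G, n, k, t, y, rng, max_attempts=200000):
    """Prange: guess an information set I, solve m G_I = y_I, accept when y + m G has weight <= t.
    Returns (m, e, attempts) or None."""
    for attempt in range(1, max_attempts + 1):
        I = sorted(rng.sample(range(n), k))
        inv = gf2_inverse([restrict(row, I) for row in G], k)
        if inv is None:                          # G_I singular: this costs an attempt too
            continue
        m = vec_mat(restrict(y, I), inv)         # m = y_I * G_I^-1 (valid iff I avoids all error positions)
        e = y ^ vec_mat(m, G)
        if weight(e) <= t:
            return m, e, attempt
    return None

def expected_attempts(n, k, t):
    """Work factor of the cost-estimate slides: 1 / (Pr[I is an IS] * Pr[G_I invertible]),
    the second factor being prod(1 - 2^-i), about 0.2888, for a random square binary matrix."""
    p_is = comb(n - t, k) / comb(n, k)
    p_inv = 1.0
    for i in range(1, k + 1):
        p_inv *= 1 - 2.0 ** -i
    return 1 / (p_is * p_inv)

def demo(n=80, k=40, t=3, seed=7):
    """Constructed instance: random code, random message and weight-t error; returns (ISD result, m, e)."""
    rng = random.Random(seed)
    G = random_systematic_generator(n, k, rng)
    H = parity_check_from_systematic(G, n, k)
    assert all(syndrome(H, g) == 0 for g in G)   # G H^T = 0
    m = rng.getrandbits(k)
    e = sum(1 << p for p in rng.sample(range(n), t))
    y = vec_mat(m, G) ^ e
    assert syndrome(H, y) == syndrome(H, e)      # the codeword part vanishes in the syndrome
    return prange_decode(G, n, k, t, y, rng), m, e

if __name__ == "__main__":
    (m_found, e_found, attempts), m, e = demo()
    print("message recovered:", m_found == m, "| attempts:", attempts,
          "| expected about %.1f" % expected_attempts(80, 40, 3))
```

With these sizes about 29 attempts are expected, of which roughly 70% fail only because G_I is singular; the run prints the actual count so the two can be compared. For the slide's real parameters the same loop is what the 2^128-style work factors count, only the binomial ratio is astronomically larger.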

 

Slide16

"Some" improvements

1981: Clark-Cain-Omura.
1988: Lee-Brickell; Leon; Stern.
1989: Krouk; Stern; Dumer.
1990: Coffey-Goodman; van Tilburg.
1991: Coffey-Goodman-Farrell; Dumer.
1993: Chabanne-Courteau; Chabaud.
1994: van Tilburg; Canteaut-Chabanne.
1998: Canteaut-Chabaud; Canteaut-Sendrier.
2008: Bernstein-Lange-Peters.
2009: Bernstein-Lange-Peters-van Tilborg; Finiasz-Sendrier.
2011: Bernstein-Lange-Peters (bis); May-Meurer-Thomae.
2012: Becker-Joux-May-Meurer; Hamdaoui-Sendrier.
2015: May-Ozerov.
2016: Canto Torres-Sendrier.

Sources: Bernstein et al., "Classic McEliece: conservative code-based cryptography" (2017); Bardet et al., "BIG QUAKE: BInary Goppa QUAsi-cyclic Key Encapsulation" (2017).

The cost is still exponential; the improvements only lower the constant in the exponent.

Slide17

Other Attacks

Message recovery vs. key recovery.
Finding low-weight code words in related codes (e.g. in the dual).
Exploiting the algebraic structure (e.g. properties of the underlying field, or mapping to other computational problems like MQ systems, or attacking some feature of the specific code).
Exploiting symmetries (e.g. quasi-cyclic).
Implementation attacks (e.g. timing).

Interesting attack names! (DOOM: "Decoding One Out of Many", Sendrier 2011; "1+1=0": the representation technique of Becker-Joux-May-Meurer 2012.)

Slide18

Code-Based Cryptosystems

Slide19

(Incomplete) chronology

1978: McEliece (encryption)
1986: Niederreiter (encryption)
1993: Stern (identification)
2001: CFS (signatures)
2007: Gaborit-Girault (improved identification)
2008: Zheng-Chen (ring signatures)
2009: Overbeck (blind signatures)
2011: Aguilar-Melchor et al. (threshold signatures)
2013: Alaoui (improved signatures)
2017: Aguilar-Melchor et al.; Albrecht et al.; Aragon et al.; Baldi et al.; Bardet et al.; Bernstein et al.; ... (KEM)

Slide20

McEliece

Encryption

Slide21

McEliece Cryptosystem

Key generation:

Choose a secure, uniformly random -error correcting -code over , equipped with a decoding trapdoor, usually a specific parity-check matrix of some unique form.

Compute for a systematic generator matrix .

Set , .

Slide22

McEliece Cryptosystem

"Hey, wait, I know McEliece, and this does not look quite like it!"

Textbook version: compute some (private, highly structured) from , then hide it as (with invertible, a permutation).

Does not increase semantic security, is less efficient, and can actually leak side-channel information (Strenzke 2010). The description here is simpler, more efficient, and more secure.

Slide23

McEliece Cryptosystem

Encryption of a plaintext :

Choose a uniformly random -error vector and compute (IND-CCA2 variant via e.g. Fujisaki-Okamoto).

Decryption of a ciphertext :

Compute the (private) syndrome and decode it to obtain . Obtain as the first components of .

Slide24

McEliece/Fujisaki-Okamoto: Setup

Random oracles (modeling a message authentication code and a symmetric cipher) , .

(Un)ranking function .

Decoding algorithm such that for all .

 

Slide25

McEliece/Fujisaki-Okamoto: Encryption

Input: message .
Output: ciphertext .
Algorithm: , ,

 

Slide26

McEliece/Fujisaki-Okamoto: Decryption

Input: ciphertext .
Output: message , or rejection.
Algorithm: , , , accept

Slide27

Niederreiter

Encryption

Slide28

Niederreiter Cryptosystem

Setup: semantically secure symmetric cipher , where indicates decryption failure.

Key generation:

Choose a secure, uniformly random -error correcting -code , equipped with a decoding-friendly parity-check matrix and an efficient decoding algorithm .

Compute the systematic parity-check matrix such that for some nonsingular matrix .

Set , .

 

Slide29

Niederreiter Cryptosystem

Encryption of plaintext : ,

Decryption of cryptogram :
// NB: (therefore is -decodable to )
, accept

 

Slide30

CFS Signatures

Slide31

CFS Signatures

System setup: random oracle .

Key generation:

Choose a secure, uniformly random -error correcting -code with a high density of decodable syndromes , equipped with a decoding-friendly parity-check matrix and an efficient decoding algorithm .

Compute the systematic parity-check matrix such that for some nonsingular matrix .

Set , .

 

Slide32

CFS Signatures

Signing a message :

Find such that, for and , is -decodable.
// NB: , hence , i.e. is the (public) -syndrome of .

Verifying a signature : accept .

 

Slide33

CFS Signatures

Best known codes for CFS instantiation: Goppa codes (highest density of decodable syndromes).

Bad news:
number of possible hash values:
number of decodable syndromes:
probability of finding a codeword of weight :
expected number of steps to sign:

 

Slide34

CFS Signatures

If the -bit error of weight is encoded via permutation ranking, the signature length is .

Public key is huge: bits.

Key sizes for usual security levels are several MiB long, coupled with very long processing times.

Bleichenbacher's attack (a generalized-birthday attack on the signing step, described by Finiasz and Sendrier in 2009) lowers the security level below what was expected, hence larger key sizes and longer signing times.

Slide35

Stern Identification

Slide36

Stern Identification

: uniformly random, systematic binary parity-check matrix (e.g. ).

Gaborit-Girault improvement: uniformly random quasi-cyclic , with for some .

Key pair:
Private key: .
Public key: .

 

Slide37

Stern Identification

Commitment:

The prover chooses a uniformly random word and a uniformly random permutation on .

The prover sends to the verifier: , , .

Slide38

Stern Identification

Challenge & Response:

The verifier sends a uniformly random to the prover.

The prover responds by revealing: and if ; and if ; and if .

Slide39

Stern Identification

Verification:

The verifier verifies that:
and are correct if (noticing that );
and are correct if ;
and are correct and if (noticing that ).

The probability of cheating in this ZKP is (2/3 per round: a cheater can prepare commitments that answer any two of the three challenges, but not all three). Repeating times reduces the cheating probability below .
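One round of Stern's protocol from slides 36-39, as an added Python example (not the talk's code): the three commitments, the three possible responses, and the verifier's checks, including the identity H(y+x)^T = Hy^T + s that the verifier relies on for the second challenge. Assumptions of this example: SHA-256 of the length-prefixed parts as the commitment (unsalted, as in Stern's original scheme), a uniformly random H rather than the Gaborit-Girault quasi-cyclic one, the toy sizes n = 64, r = 32, t = 6, and the seed. The cheater in demo() only knows a weight-t vector with the wrong syndrome, so it can answer challenges 0 and 2 but not 1, which is where the 2/3 comes from.

```python
import hashlib
import math
import random

# Added example, not code from the talk. Vectors are ints with bit i = coordinate i, H is a list
# of r row ints, and a permutation sigma is a list with (sigma applied to v) bit i = v bit sigma[i].

def weight(v):
    return bin(v).count("1")

def syndrome(H, v):
    """H v^T as an r-bit int (bit j = parity of <H_j, v>)."""
    return sum((weight(h & v) & 1) << j for j, h in enumerate(H))

def permute(v, sigma):
    return sum(((v >> sigma[i]) & 1) << i for i in range(len(sigma)))

def encode(p):
    if isinstance(p, list):                       # a permutation
        return b"".join(i.to_bytes(2, "big") for i in p)
    return p.to_bytes(p.bit_length() // 8 + 1, "big")

def commit(*parts):
    """Plain hash commitment with length-prefixed parts (assumption of this example)."""
    h = hashlib.sha256()
    for p in parts:
        data = encode(p)
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def keygen(n, r, t, rng):
    """Public: uniformly random r x n matrix H and s = H x^T. Private: x of weight t."""
    H = [rng.getrandbits(n) for _ in range(r)]
    x = sum(1 << p for p in rng.sample(range(n), t))
    return H, x, syndrome(H, x)

def prover_commit(H, x, n, rng):
    """Random word y and permutation sigma; c1 = h(sigma, H y^T), c2 = h(sigma(y)), c3 = h(sigma(y + x))."""
    y = rng.getrandbits(n)
    sigma = list(range(n))
    rng.shuffle(sigma)
    c = (commit(sigma, syndrome(H, y)), commit(permute(y, sigma)), commit(permute(y ^ x, sigma)))
    return (y, sigma), c

def prover_respond(state, x, b):
    """Response to challenge b in {0, 1, 2}."""
    y, sigma = state
    if b == 0:
        return (y, sigma)
    if b == 1:
        return (y ^ x, sigma)
    return (permute(y, sigma), permute(x, sigma))

def verify(H, s, t, c, b, resp):
    c1, c2, c3 = c
    if b == 0:                                    # y and sigma: check c1 and c2
        y, sigma = resp
        return c1 == commit(sigma, syndrome(H, y)) and c2 == commit(permute(y, sigma))
    if b == 1:                                    # y + x and sigma: H(y + x)^T = H y^T + s
        z, sigma = resp
        return c1 == commit(sigma, syndrome(H, z) ^ s) and c3 == commit(permute(z, sigma))
    py, px = resp                                 # sigma(y), sigma(x): x stays hidden, its weight is checked
    return weight(px) == t and c2 == commit(py) and c3 == commit(py ^ px)

def run_round(H, x, s, t, n, b, rng):
    """One round of a prover holding x (honest or not) against verifier challenge b."""
    state, c = prover_commit(H, x, n, rng)
    return verify(H, s, t, c, b, prover_respond(state, x, b))

def rounds_for_soundness(security_bits):
    """Rounds so that (2/3)^rounds < 2^-security_bits."""
    return math.ceil(security_bits / math.log2(3 / 2))

def demo(n=64, r=32, t=6, seed=3):
    """Constructed instance: honest prover versus a cheater who only knows some weight-t vector."""
    rng = random.Random(seed)
    H, x, s = keygen(n, r, t, rng)
    fake = sum(1 << p for p in rng.sample(range(n), t))   # weight t, but (almost surely) H fake^T != s
    return {
        "honest": [run_round(H, x, s, t, n, b, rng) for b in (0, 1, 2)],
        "cheater": [run_round(H, fake, s, t, n, b, rng) for b in (0, 1, 2)],
        "fake_syndrome_differs": syndrome(H, fake) != s,
    }

if __name__ == "__main__":
    print(demo())
    print("rounds for 2^-128 soundness:", rounds_for_soundness(128))
```

The honest prover passes all three challenges; the cheater passes 0 and 2 and fails 1, so each round catches it with probability 1/3 only, which is why 219 rounds are needed for 128-bit soundness. A production implementation would use a salted (statistically hiding) commitment and the quasi-cyclic H of the next slides; neither changes the flow above.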

 

Slide40

SFS Signatures

Commitments: for do , end

Challenges:

 

Slide41

SFS Signatures

Responses: for do
  if then
  if then
  if then
end

Signature:

 

Slide42

SFS Signatures

Verification: for do
  if then ,
  if then ,
  if then ,
  if then "reject"
end

 

Slide43

SFS Signatures

Verification (continued):
if then "reject" else "accept"

Signature size? elements of form or . Hence bits.

 

Slide44

AGS Identification

Slide45

AGS Identification

Aguilar-Gaborit-Schrek: identification in the GDP (rather than SDP) setting.

: uniformly random, systematic, quasi-cyclic binary generator matrix (usually , ).

Key pair:
Private key: , .
Public key: .

Slide46

AGS Identification

Commitment 1:

The prover chooses a uniformly random word and a uniformly random permutation on .

The prover sends to the verifier: ,

Slide47

AGS Identification

Challenge 1: the verifier chooses a uniformly random and sends it to the prover.

Commitment 2: the prover sends to the verifier:

 

Slide48

AGS Identification

Challenge 2 & Response:

The verifier sends a uniformly random to the prover.

The prover responds by revealing: and if ; and if .

Slide49

AGS Identification

Verification:

The verifier verifies that:
and are correct if , noticing that , hence ;
and are correct and , if .

The probability of cheating in this ZKP is (1/2 per round, against 2/3 for Stern, which is the point of the two-challenge structure). Repeating times reduces the cheating probability below .

 

Slide50

Stern & AGS Keys

Gaborit-Girault propose , to achieve security.

Modern recommendation would be , for security, or (better yet) , for security.

Private and public keys are very short (respectively and bits long).

Signatures are possible via the Fiat-Shamir heuristic, but rather large (e.g. KiB at security).

Slide51

Identity-Based Signatures

Slide52

Identity-based signatures

Cayrel et al.: Goppa trapdoor for the Stern scheme combined with CFS signatures.

Stern parameter is the KGC's CFS public key.

Stern public key is the user's identity mapped to a decodable syndrome (N.B. necessary to increase the weight to cover radius , otherwise the scheme is not id-based).

Identity-based private key is a CFS signature of the user's identity, i.e. an error vector of weight computed by the KGC.

Not practical because of CFS (also, the distinguishability of Goppa codes may affect formal security properties).

Slide53

Choosing the Code

Slide54

Which Code to Choose?

Not all codes are suitable for cryptography.

Needed: a code equipped with a trapdoor that can be easily and securely hidden.

Most popular choice: Goppa codes...
... except for a few weak cases, e.g. binary Goppa polynomial (Loidreau-Sendrier 1998).
... distinguishing a Goppa code from a random code of the same length can be done in time for high-rate codes, such as those CFS needs (Márquez-Corbella, Martínez-Moro and Pellikaan 2013; Faugère et al. 2013).
... OTOH interesting quantum-resistance properties (Dinh-Moore-Russell 2011).
... short keys? (Misoczki-B. 2009, Couvreur et al. 2017)

Slide55

Which Code to Choose?

Other choices:
(quasi-cyclic) random(!) codes (Gaborit-Girault 2005)
(quasi-cyclic) LDPC codes (Baldi-Chiaraluce-Garello-Mininni 2007)
(quasi-cyclic) GRS codes (Niederreiter 1986, Berger-Cayrel-Gaborit-Otmani 2009)
(quasi-dyadic) Srivastava codes (Persichetti 2012)
(quasi-cyclic) MDPC codes (Misoczki-Tillich-Sendrier-B. 2013)
(quasi-cyclic) random+BCH codes (Aguilar-Melchor et al. 2016)
punctured Reed-Muller codes (Lee et al. 2017 "pqsigRM")

All of the above are codes in the Hamming metric. There are proposals that adopt different metrics:
(quasi-cyclic) random+LRPC codes in the rank metric (Aguilar-Melchor et al. 2016; Aragon et al. 2017 "RankSign")

Slide56

Goppa

Codes

Slide57

Goppa Codes

Let be a monic ( ) polynomial.

Let (all distinct) such that for all . This is called the support.

Properties:
Easy to generate and plentiful.
Usually is chosen to be irreducible; if so, .

 

Slide58

Goppa Codes

The Goppa syndrome function is the linear map : .

The Goppa code is the kernel of the Goppa syndrome function, i.e. .

 

Slide59

Distance of a Goppa code

In general the minimum distance of is only known to be (at least one more than the degree of the Goppa polynomial).

In the binary case when is square-free (e.g. when is irreducible) the minimum distance becomes (at least twice the degree plus one, so the code corrects as many errors as the degree of the polynomial).

How do we correct errors/decode?

Slide60

Error Locator Polynomial

Efficient decoding procedure for known and via the (Patterson) error locator polynomial: .

Property: .

 

Slide61

The Key Equation

Property: .

 

Slide62

Error Correction

Let , let be an error vector of weight , and .

Compute the syndrome of through the relation .

Compute the error locator polynomial from the syndrome.

Determine which are zeroes of , thus retrieving and recovering .

Slide63

Error Correction

Let . If , nothing to do (no error); otherwise is invertible.
Extended Euclid!

Thus , hence with .
Extended Euclid!

Property #1: .
Property #2: .
Property #3: .

 

Slide64

Decoding a binary Goppa syndrome

Given: ,
Find : , ,
Where :
Thus , i.e. .
Conditions: , .

Slide65

Patterson’s decoding algorithm

while do
  while do
  end
end
return // error locator polynomial

 

Slide66

Challenges

Isochronous decoding: possible, but hard to implement properly (error-prone) and efficiently.
Code size in software and area in hardware tend to be large (a hindrance for embedded platforms/IoT).
But mainly: large keys.

Slide67

The key size problem

Using systematic Goppa codes, key size is only bits. And yet...

Systematic (plain) Goppa keys:

level   m    n      k     t    key size (bits)
2^128   12   3307   2515  66   1991880
2^256   13   6960   5413  119  8378552

Goppa variants

Quasi-dyadic (Misoczki-B. 2009): distinguishable from random.

Quasi-cyclic (Bardet et al. 2017):

level   m    n      k     t    key size (bits)
2^128   12   3510   2418  91   203112
2^256   18   10070  6650  190  1197000

(In the quasi-cyclic rows n - k = m t, which fixes m = 18 for the second row; 2^13 is smaller than 10070, so m = 13 cannot be right there.)

Slide68

Gallager

Codes

Slide69

Gallager (LDPC) Codes

Extremely sparse parity-check matrices, e.g. with nonzero components at randomly chosen positions on each column.

Higher error-correction capability than Goppa codes (almost 3 times in the above example).

 

Slide70

Gallager (LDPC) Codes

Symbols in red affect the parity bit in green through the parity-checks in blue. (Figure: Tanner-graph illustration, not reproduced in the transcript.)

Slide71

Gallager (LDPC) Codes

If the green parity bit is 1, at least one of the red bits is wrong. (Figure: same illustration.)

Slide72

Gallager (LDPC) Codes

The symbol in red affects the parity bits in green through the parity-checks in blue. (Figure: same illustration.)

Slide73

Gallager (LDPC) Codes

If the red bit is wrong, some of the green parity bits will likely reveal it. (Figure: same illustration.)

Slide74

Gallager (LDPC) Codes

Bit flipping:
Determine which symbol bits are the most suspect (i.e. influence the largest number of parity bits in error) by counting, via the parity-check matrix, how many unsatisfied parity checks each symbol bit participates in.
Flip those bits ().
Repeat until no parity error is left (or the maximum number of attempts is exceeded).

 

Slide75

Bit-flipping

Trouble: one counter per symbol bit.

More trouble: one pass to count and find the maximum count value, another pass to flip the most suspect bits and recompute the affected parity-check bits.

Memory-consuming and slow.

 

Slide76

MDPC codes

Plain LDPC codes are susceptible to key recovery attacks: the dual code contains the sparse parity-check rows themselves, i.e. words of very small weight, which a low-weight-codeword search (ISD applied to the dual) recovers.

Idea: set the density and the number of errors near the decodability threshold for security, but still within the range of bit-flipping or belief-propagation decoding.

Moderate-density parity-check (MDPC) codes (Misoczki et al. 2013).

 

Slide77

Short(ish) keys

Quasi-cyclic MDPC codes (QC-MDPC)

The trapdoor (private) parity-check matrix consists of blocks of sparse circulant matrices, , with :

NB: sparse!

Slide78

Short(ish) keys

The systematic (public) parity-check matrix consists of blocks of dense circulant matrices, , with , :

NB: dense!

Slide79

Short(ish) keys

Shorter public (and private) keys than conventional schemes:

level   n      k      t    w    QC-MDPC key (bits)   Goppa key (bits)   shrink
2^128   20326  10163  134  142  10163                1991880            202×
2^256   65498  32749  264  274  32749                8378552            256×

Slide80

Challenges

Decoding failures: the probability is low enough not to matter against passive adversaries, but (sometimes, depending on the parameters) high enough to be exploitable by active attackers, who can learn the private key from which error patterns fail to decode (the Guo-Johansson-Stankovski reaction attack, 2016).

Isochronous implementations. Goal: avoid timing leaks. Worst-case behavior (e.g. emulating more bit-flipping rounds even when not needed) leads to inefficiencies. Also an issue for Goppa/Srivastava codes.

Embedded/IoT platforms.
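QC-MDPC as a Niederreiter-style syndrome scheme (slides 28-29 and 77-79) decoded by Gallager bit flipping (slides 74-75), as an added Python example that is neither the talk's nor any library's code. Everything is a polynomial in GF(2)[x]/(x^r - 1) stored as an int: the private key is two sparse blocks (h0, h1), the public key the dense block h = h0^-1 h1 of the systematic parity-check matrix [I | rot(h)], the public syndrome of an error (e0, e1) is e0 + h e1, and the receiver multiplies by h0 to obtain the private syndrome h0 e0 + h1 e1 before bit flipping. The toy parameters (r = 613, w = 42, t = 4), the flip-the-maximum-counter rule and the failure_rate helper are assumptions of this example; the decoder returns None on a decoding failure, the event the Challenges slide warns about.

```python
import random

# Added example, not the talk's code. Bit j of an int = coefficient of x^j in GF(2)[x]/(x^r - 1).
# Parameters are toy values chosen for speed, not the slide's security parameters.

def weight(a):
    return bin(a).count("1")

def clmul(a, b):
    """Carry-less multiplication in GF(2)[x]."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        b >>= 1
    return p

def mulmod(a, b, r):
    """a*b mod (x^r - 1): fold the high half back, since x^r = 1."""
    p = clmul(a, b)
    return (p >> r) ^ (p & ((1 << r) - 1))

def divmod_gf2(a, b):
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        sh = (a.bit_length() - 1) - db
        q ^= 1 << sh
        a ^= b << sh
    return q, a

def inverse_mod(a, r):
    """Extended Euclid in GF(2)[x]: a^-1 mod (x^r - 1), or None if gcd != 1."""
    m = (1 << r) | 1
    r0, r1, u0, u1 = m, a, 0, 1
    while r1:
        q, rem = divmod_gf2(r0, r1)
        r0, r1 = r1, rem
        u0, u1 = u1, u0 ^ clmul(q, u1)
    return divmod_gf2(u0, m)[1] if r0 == 1 else None

def rot(h, j, r):
    """x^j * h mod (x^r - 1): column j of the circulant block whose first row is h."""
    return ((h << j) | (h >> (r - j))) & ((1 << r) - 1)

def sparse(r, d, rng):
    return sum(1 << p for p in rng.sample(range(r), d))

def keygen(r, w, rng):
    """Private (h0, h1): sparse circulant blocks of row weight w/2 (odd, so h0(1) = 1).
    Public h = h0^-1 * h1, the dense block of the systematic parity-check matrix."""
    while True:
        h0, h1 = sparse(r, w // 2, rng), sparse(r, w // 2, rng)
        inv = inverse_mod(h0, r)
        if inv is not None:
            return (h0, h1), mulmod(inv, h1, r)

def encrypt(h, e0, e1, r):
    """Niederreiter-style: the public syndrome of the error (e0, e1) is e0 + h*e1."""
    return e0 ^ mulmod(h, e1, r)

def bitflip(h0, h1, s, r, max_rounds=30):
    """Gallager bit flipping on the private syndrome s = h0*e0 + h1*e1. The counter of position
    (i, j) is the number of unsatisfied checks it touches, |rot(h_i, j) & s|."""
    e = [0, 0]
    for _ in range(max_rounds):
        if s == 0:
            return e[0], e[1]
        counters = [(weight(rot(h, j, r) & s), i, j) for i, h in enumerate((h0, h1)) for j in range(r)]
        thr = max(c for c, _, _ in counters)
        for c, i, j in counters:
            if c == thr:                          # flip the most suspect bits ...
                e[i] ^= 1 << j
                s ^= rot((h0, h1)[i], j, r)       # ... and update the syndrome accordingly
    return None                                   # decoding failure (the Challenges slide)

def decrypt(sk, s_pub, r):
    h0, h1 = sk                                   # h0*(e0 + h0^-1 h1 e1) = h0 e0 + h1 e1
    return bitflip(h0, h1, mulmod(h0, s_pub, r), r)

def random_error(r, t, rng):
    e = sum(1 << p for p in rng.sample(range(2 * r), t))
    return e & ((1 << r) - 1), e >> r

def roundtrip(r=613, w=42, t=4, seed=5):
    """Constructed instance: keygen, encrypt a random weight-t error, decrypt it back."""
    rng = random.Random(seed)
    sk, h = keygen(r, w, rng)
    assert mulmod(sk[0], h, r) == sk[1]           # h0 * h == h1
    e0, e1 = random_error(r, t, rng)
    return decrypt(sk, encrypt(h, e0, e1, r), r) == (e0, e1)

def failure_rate(r, w, t, trials, seed=11):
    """Empirical decoding-failure rate for weight-t errors; it climbs as t nears the threshold."""
    rng = random.Random(seed)
    sk, h = keygen(r, w, rng)
    fails = 0
    for _ in range(trials):
        e0, e1 = random_error(r, t, rng)
        fails += decrypt(sk, encrypt(h, e0, e1, r), r) != (e0, e1)
    return fails / trials

if __name__ == "__main__":
    print("round trip with t = 4:", roundtrip())
    for t in (10, 20, 30):
        print("t = %d: failure rate %.2f" % (t, failure_rate(613, 42, t, 20)))
```

Two things the code makes concrete: the public key is the single dense polynomial h (r bits, the "QC-MDPC key" column of the table) while the private key is the pair of sparse ones, and decoding is not deterministic in its outcome: pushing t towards the threshold in failure_rate produces None results, which a CCA-secure wrapper must handle without leaking which error patterns failed. A real implementation would also replace the variable-time max-counter loop with a fixed number of rounds and a precomputed threshold, which is the isochrony cost the slide mentions.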

Slide81

What Next?

Slide82

Limitations and trends

Codes are fine for key agreement and encryption 👍
...but hard to use for many other applications ☹️

Improvements for advanced functionalities (blind signatures, identity-based encryption, ...)? 🤔

More research, please! 🎓

Slide83

Questions?