Toward Practical Code-Based Cryptography
Paulo S. L. M. Barreto
University of Washington | Tacoma
Objectives
Basics of coding theory.
Security considerations.
Panorama of code-based cryptosystems.
Choice of codes.
Implementation issues.
Research problems.
Coding Theory
Linear Codes
Let for some prime and . A linear -code over is a -dimensional vector subspace of .
Let and let , so that . An -subfield subcode of a code is the subspace of consisting of all words with all components in .
Weight and Distance
The (Hamming) weight of is the number of nonzero components of : .
The (Hamming) distance between is .
The minimum distance of a code is .
Determining is NP-hard.
Generator and Parity-Check
A generator matrix for an -code is a matrix whose rows form a basis of , i.e. .
A parity-check matrix for the same code is a matrix , with , whose rows form a basis for the orthogonal code, i.e. .
Therefore for all , i.e. .
General & Syndrome (Bounded-Distance) Decoding
GDP
Input: positive integers , , ; generator matrix ; vector .
Question: such that has weight ?
SDP
Input: positive integers , , ; parity-check matrix ; vector .
Question: of weight such that ?
Both are NP-complete!
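The definitions above, worked on a concrete toy code. This is an added example, not code from the slides: the [7,4] code is constructed so that its parity-check matrix is that of the Hamming code, and the GDP/SDP solvers are deliberately brute force so that the exponential cost of generic decoding is visible (2^k encodings for GDP, every error pattern of weight at most t for SDP).

```python
from itertools import combinations

def weight(v):
    """Hamming weight of a GF(2) vector stored as an int (bit i = coordinate i)."""
    return bin(v).count("1")

def distance(u, v):
    """Hamming distance: weight of the difference, which over GF(2) is the XOR."""
    return weight(u ^ v)

def dot(u, v):
    """Inner product over GF(2)."""
    return weight(u & v) & 1

def systematic_pair(a_rows, k, n):
    """From G = [I_k | A] build H = [A^T | I_(n-k)], whose rows span the dual code (G H^T = 0)."""
    r = n - k
    G = [(1 << i) | (a_rows[i] << k) for i in range(k)]
    H = []
    for j in range(r):
        row = 1 << (k + j)                    # identity part of H
        for i in range(k):
            if (a_rows[i] >> j) & 1:          # column j of A becomes row j of A^T
                row |= 1 << i
        H.append(row)
    return G, H

def encode(m, G):
    """Codeword mG: XOR of the rows of G selected by the bits of m."""
    c = 0
    for i, row in enumerate(G):
        if (m >> i) & 1:
            c ^= row
    return c

def syndrome(v, H):
    """Syndrome H v^T, one bit per parity check; zero exactly for codewords."""
    return sum(dot(row, v) << j for j, row in enumerate(H))

def min_distance(G):
    """Brute force over all nonzero messages: 2^k - 1 encodings (this is why the problem is hard)."""
    return min(weight(encode(m, G)) for m in range(1, 1 << len(G)))

def gdp_bruteforce(G, y, t):
    """GDP: find m with y - mG of weight <= t by trying all 2^k messages."""
    for m in range(1 << len(G)):
        if distance(y, encode(m, G)) <= t:
            return m
    return None

def sdp_bruteforce(H, s, n, t):
    """SDP: find e of weight <= t with H e^T = s by trying every low-weight e."""
    for w in range(t + 1):
        for pos in combinations(range(n), w):
            e = sum(1 << p for p in pos)
            if syndrome(e, H) == s:
                return e
    return None

# Constructed toy instance: a [7,4] code whose A makes H the parity-check matrix of the Hamming code.
N, K, T = 7, 4, 1
A_ROWS = [0b011, 0b101, 0b110, 0b111]
G, H = systematic_pair(A_ROWS, K, N)

if __name__ == "__main__":
    print("G H^T = 0:", all(syndrome(row, H) == 0 for row in G))
    print("minimum distance:", min_distance(G))          # 3, so one error is always correctable
    m, e = 0b1011, 1 << 5
    y = encode(m, G) ^ e
    print("GDP recovers m:", gdp_bruteforce(G, y, T) == m)
    print("SDP recovers e:", sdp_bruteforce(H, syndrome(y, H), N, T) == e)
```

Because G is systematic, the dual code's parity-check matrix falls out of A without any elimination; the same convention is what the later systematic-key variants of McEliece and Niederreiter rely on.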
Code-Based Cryptography
There exist codes for which efficient decoders are known.
Cryptosystems naturally follow if:
the decoding trapdoor can be securely hidden;
the GDP/SDP remains intractable on average for those codes.
(Obs.: from now on, binary codes)
Bounded-Distance Decoding
The Prange method
Pioneering technique: Prange (1962).
Recap (SDP): given and , find such that with .
Linear system: equations, variables.
The Prange method
Most of those variables must be .
Idea: set randomly picked variables to .
This ensures .
The remaining variables satisfy an linear system.
The solution is expected to “look random” and hence .
Cost: .
Refinement: information set decoding.
Information set decoding
Recap (GDP): given and where for some and some with , find .
An information set (IS) for the error pattern is a subset such that for all .
In other words, is correct at all positions indicated by .
Decoding with an IS
Let , and let and denote the restrictions of and to the columns indicated in .
(i.e. no errors).
If is invertible, then .
The method succeeds when for the recovered .
What is the expected cost of a successful decoding?
Cost Estimate
Let be an IS with .
The probability that remains an IS for some uniformly random is , since out of the values in correspond to error positions.
Hence the probability that a uniformly random with is an IS will be .
Cost Estimate
The decoding cost (or work factor, , in the number of decoding attempts) is slightly increased by a factor where due to the need that be invertible, i.e. .
Examples:
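Prange's method and the information-set cost estimate, as an added example (not code from the slides). The decoder guesses a random information set, inverts the restricted generator matrix over GF(2) and accepts when the residual has weight at most t; the work-factor function uses C(n-t,k)/C(n,k) for the probability that a random k-subset is an information set and, as an assumption, treats the restricted matrix like a uniformly random k x k binary matrix for the invertibility factor. The parameters n = 24, k = 12, t = 2 used in the simulation are constructed; the slide parameters n = 3307, k = 2515, t = 66 are only fed to the estimate.

```python
import random
from math import comb, log2

def weight(v):
    return bin(v).count("1")

def vecmat(v, rows):
    """Row vector times matrix over GF(2): XOR of the rows selected by the bits of v."""
    out = 0
    for i, row in enumerate(rows):
        if (v >> i) & 1:
            out ^= row
    return out

def restrict(rows, cols):
    """Keep only the listed columns (bit j of each result = column cols[j] of the row)."""
    return [sum(((row >> c) & 1) << j for j, c in enumerate(cols)) for row in rows]

def gf2_inverse(rows, k):
    """Gauss-Jordan inverse of a k x k matrix over GF(2); None if singular."""
    aug = [r | (1 << (k + i)) for i, r in enumerate(rows)]   # [M | I]
    for col in range(k):
        piv = next((i for i in range(col, k) if (aug[i] >> col) & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(k):
            if i != col and (aug[i] >> col) & 1:
                aug[i] ^= aug[col]
    return [r >> k for r in aug]                              # [I | M^-1]

def prange_decode(G, n, y, t, rng, max_iter=100000):
    """Plain Prange: guess an information set I, solve for the codeword agreeing with y on I,
    accept when the residual weight is <= t. Returns (m, number of attempts)."""
    k = len(G)
    for attempt in range(1, max_iter + 1):
        cols = rng.sample(range(n), k)
        inv = gf2_inverse(restrict(G, cols), k)
        if inv is None:
            continue                                   # G restricted to I is singular: new guess
        m = vecmat(restrict([y], cols)[0], inv)        # m = y_I * (G_I)^-1
        if weight(y ^ vecmat(m, G)) <= t:
            return m, attempt
    return None, max_iter

def information_set_probability(n, k, t):
    """P(a uniformly random k-subset avoids all t error positions) = C(n-t, k) / C(n, k)."""
    return comb(n - t, k) / comb(n, k)

def prange_work_factor(n, k, t):
    """Expected attempts: 1 / (P(IS) * P(G_I invertible)); the second factor is taken as the
    probability that a uniformly random k x k binary matrix is invertible (an assumption for G_I)."""
    p_inv = 1.0
    for i in range(1, k + 1):
        p_inv *= 1.0 - 2.0 ** (-i)
    return 1.0 / (information_set_probability(n, k, t) * p_inv)

def simulate(n, k, t, trials, seed=1):
    """Mean attempts over random systematic codes G = [I_k | A] and random weight-t errors (constructed data)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        G = [(1 << i) | (rng.getrandbits(n - k) << k) for i in range(k)]
        m = rng.getrandbits(k)
        e = sum(1 << p for p in rng.sample(range(n), t))
        y = vecmat(m, G) ^ e
        found, attempts = prange_decode(G, n, y, t, rng)
        assert weight(y ^ vecmat(found, G)) <= t       # a codeword within distance t was found
        total += attempts
    return total / trials

if __name__ == "__main__":
    n, k, t = 24, 12, 2
    print("predicted attempts:", round(prange_work_factor(n, k, t), 1))
    print("measured attempts :", simulate(n, k, t, 200))
    print("slide parameters n=3307, k=2515, t=66: about 2^%.0f attempts" % log2(prange_work_factor(3307, 2515, 66)))
```

The measured mean comes out at or below the prediction because a systematic G makes some restricted matrices invertible more often than a uniformly random one; the later refinements on the slides lower the exponent, not the exponential shape.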
“Some” improvements
1981: Clark-Cain-Omura.
1988: Lee-Brickell; Leon; Stern.
1989: Krouk; Stern; Dumer.
1990: Coffey-Goodman; van Tilburg.
1991: Coffey-Goodman-Farrell; Dumer.
1993: Chabanne-Courteau; Chabaud.
1994: van Tilburg; Canteaut-Chabanne.
1998: Canteaut-Chabaud; Canteaut-Sendrier.
2008: Bernstein-Lange-Peters.
2009: Bernstein-Lange-Peters-van Tilborg; Finiasz-Sendrier.
2011: Bernstein-Lange-Peters (bis); May-Meurer-Thomae.
2012: Becker-Joux-May-Meurer; Hamdaoui-Sendrier.
2015: May-Ozerov.
2016: Canto-Torres-Sendrier.
Sources: Bernstein et al. “Classic McEliece: conservative code-based cryptography” (2017); Bardet et al. “BIG QUAKE – BInary Goppa QUAsi-cyclic Key Encapsulation” (2017).
Cost still exponential (improvements in the exponent constant).
Other Attacks
Message recovery vs. key recovery.
Finding low-weight code words in related codes (e.g. in the dual).
Exploiting the algebraic structure (e.g. properties of the underlying field, or mapping to other computational problems like MQ systems, or attacking some feature of the specific code).
Exploiting symmetries (e.g. quasi-cyclic).
Implementation attacks (e.g. timing).
Interesting attack names! (DOOM, 1+1=0).
Code-Based Cryptosystems
(Incomplete) chronology
1978: McEliece (encryption)
1986: Niederreiter (encryption)
1993: Stern (identification)
2001: CFS (signatures)
2007: Gaborit-Girault (improved identification)
2008: Zheng-Chen (ring signatures)
2009: Overbeck (blind signatures)
2011: Aguilar-Melchor et al. (threshold signatures)
2013: Alaoui (improved signatures)
2017: Aguilar-Melchor et al; Albrecht et al; Aragon et al; Baldi et al; Bardet et al; Bernstein et al; … (KEM)
…
McEliece Encryption
McEliece Cryptosystem
Key generation:
Choose a secure, uniformly random -error correcting -code over , equipped with a decoding trapdoor, usually a specific parity-check matrix of some unique form.
Compute for a systematic generator matrix .
Set , .
McEliece Cryptosystem
“Hey, wait, I know McEliece, and this does not look quite like it!”
Textbook version: computing some (private, highly structured) from , hide it as (with invertible, a permutation).
Does not increase semantic security, is less efficient, and can actually leak side-channel information (Strenzke 2010).
The description here is simpler, more efficient, and more secure.
McEliece Cryptosystem
Encryption of a plaintext :
Choose a uniformly random -error vector and compute (IND-CCA2 variant via e.g. Fujisaki-Okamoto).
Decryption of a ciphertext :
Compute the (private) syndrome and decode it to obtain .
Obtain as the first components of .
McEliece/Fujisaki-Okamoto: Setup
Random oracles (modeling a message authentication code and a symmetric cipher) , .
(Un)ranking function .
Decoding algorithm such that for all .
McEliece/Fujisaki-Okamoto: Encryption
Input: message .
Output: ciphertext .
Algorithm: , ,
Input: ciphertext .
Output: message , or rejection.
Algorithm: , , , accept
Niederreiter Encryption
Niederreiter Cryptosystem
Setup:
Semantically secure symmetric cipher , where indicates decryption failure.
Key generation:
Choose a secure, uniformly random -error correcting -code , equipped with a decoding-friendly parity-check matrix and an efficient decoding algorithm .
Compute the systematic parity-check matrix such that for some nonsingular matrix .
Set , .
Niederreiter Cryptosystem
Encryption of plaintext : ,
Decryption of cryptogram :
// NB: (therefore is -decodable to )
, accept
CFS Signatures
CFS Signatures
System setup:
Random oracle .
Key generation:
Choose a secure, uniformly random -error correcting -code with a high density of decodable syndromes , equipped with a decoding-friendly parity-check matrix and an efficient decoding algorithm .
Compute the systematic parity-check matrix such that for some nonsingular matrix .
Set , .
CFS Signatures
Signing a message :
Find such that, for and , is -decodable.
// NB: , hence , i.e. is the (public) -syndrome of .
Verifying a signature :
accept .
CFS Signatures
Best known codes for CFS instantiation: Goppa codes (highest density of decodable syndromes).
Bad news:
number of possible hash values:
number of decodable syndromes:
probability of finding a codeword of weight :
expected value of steps to sign:
CFS Signatures
If the -bit error of weight is encoded via permutation ranking, the signature length is .
Public key is huge: bits.
Key sizes for usual sec levels are several MiB long, coupled with very long processing times.
Bleichenbacher’s attack: security level lower than expected, hence larger key sizes and longer signing times.
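A toy McEliece, Niederreiter and CFS on a single small code, as an added example serving the three preceding sections (not the slides' code, nor any library's). The code is the [15,7] BCH code with minimum distance 5 (t = 2), brought to the systematic form the slides use; a brute-force syndrome table stands in for the decoding trapdoor, and SHA-256 truncated to n-k bits stands in for the random oracle in CFS. Function names, seeds and parameters are constructed for illustration.

```python
import hashlib
import random
from itertools import combinations
from math import comb

def weight(v):
    return bin(v).count("1")

def vecmat(v, rows):
    """Row vector times matrix over GF(2) (rows are ints, bit j = column j)."""
    out = 0
    for i, row in enumerate(rows):
        if (v >> i) & 1:
            out ^= row
    return out

def syndrome(v, H):
    return sum((weight(row & v) & 1) << j for j, row in enumerate(H))

def poly_mod(a, g):
    """Remainder of a by g in GF(2)[x], polynomials stored as ints."""
    dg = g.bit_length() - 1
    while a.bit_length() - 1 >= dg:
        a ^= g << (a.bit_length() - 1 - dg)
    return a

def make_code(n, k, g):
    """Systematic G = [I_k | A] and H = [A^T | I_(n-k)] of the cyclic code generated by g (coordinates reordered)."""
    r = n - k
    a_rows = [poly_mod(1 << (r + i), g) for i in range(k)]      # parity part of each unit message
    G = [(1 << i) | (a_rows[i] << k) for i in range(k)]
    H = [(1 << (k + j)) | sum(((a_rows[i] >> j) & 1) << i for i in range(k)) for j in range(r)]
    return G, H

def decoder_table(H, n, t):
    """Brute-force stand-in for the decoding trapdoor: syndrome -> error for every weight <= t."""
    table = {}
    for w in range(t + 1):
        for pos in combinations(range(n), w):
            e = sum(1 << p for p in pos)
            table[syndrome(e, H)] = e
    return table

def random_error(n, t, seed):
    return sum(1 << p for p in random.Random(seed).sample(range(n), t))

# --- McEliece in the systematic form of the slides: public G, private (H, decoder) ---
def mceliece_encrypt(G, n, t, m, seed):
    return vecmat(m, G) ^ random_error(n, t, seed)

def mceliece_decrypt(H, table, k, c):
    e = table[syndrome(c, H)]           # private syndrome, decoded by the trapdoor
    return (c ^ e) & ((1 << k) - 1)     # first k components of the corrected codeword

# --- Niederreiter: the public key is the systematic H, the plaintext is the error vector ---
def niederreiter_encrypt(H, e):
    return syndrome(e, H)

def niederreiter_decrypt(table, s):
    return table[s]

# --- CFS: hash (message, counter) to a syndrome until a decodable one appears ---
def cfs_hash(msg, counter, r):
    digest = hashlib.sha256(msg + counter.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << r) - 1)

def cfs_sign(table, r, msg):
    counter = 0
    while cfs_hash(msg, counter, r) not in table:
        counter += 1                    # expected tries = 1 / density of decodable syndromes
    return counter, table[cfs_hash(msg, counter, r)]

def cfs_verify(H, t, msg, sig):
    counter, e = sig
    return weight(e) <= t and syndrome(e, H) == cfs_hash(msg, counter, len(H))

def decodable_density(n, r, t):
    """Fraction of the 2^r syndromes that decode to an error of weight <= t."""
    return sum(comb(n, i) for i in range(t + 1)) / 2 ** r

# Constructed toy code: the [15,7] BCH code, g(x) = x^8 + x^7 + x^6 + x^4 + 1, d = 5, t = 2.
N, K, T = 15, 7, 2
G, H = make_code(N, K, 0b111010001)
TABLE = decoder_table(H, N, T)

if __name__ == "__main__":
    m = 0b1011001
    print("McEliece:", mceliece_decrypt(H, TABLE, K, mceliece_encrypt(G, N, T, m, seed=1)) == m)
    e = random_error(N, T, seed=2)
    print("Niederreiter:", niederreiter_decrypt(TABLE, niederreiter_encrypt(H, e)) == e)
    sig = cfs_sign(TABLE, N - K, b"hello")
    print("CFS verifies:", cfs_verify(H, T, b"hello", sig), "after", sig[0] + 1, "tries;",
          "density of decodable syndromes:", decodable_density(N, N - K, T))
```

The density function is the quantity the "Bad news" slide counts: here 121 of 256 syndromes decode, so signing takes about two hash attempts on average, whereas real CFS parameters push the density down to roughly 1/t! and the key to megabits.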
Stern Identification
Stern Identification
: uniformly random, systematic binary parity-check matrix (e.g. ).
Gaborit-Girault improvement: uniformly random quasi-cyclic , with for some .
Key pair:
Private key: .
Public key: .
Stern Identification
Commitment:
The prover chooses a uniformly random word and a uniformly random permutation on .
The prover sends to the verifier: , , .
Stern Identification
Challenge & Response:
The verifier sends a uniformly random to the prover.
The prover responds by revealing: and if ; and if ; and if .
Stern Identification
Verification:
The verifier verifies that:
and are correct if (noticing that );
and are correct if ;
and are correct and if (noticing that ).
The probability of cheating in this ZKP is . Repeating times reduces the cheating probability below .
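Stern's protocol from commitment to verification, as an added example (not code from the slides). SHA-256 over a canonical encoding stands in for the commitment hash; the key pair, the prover's randomness and the challenges are constructed from seeds. The cheating prover shows where the 2/3 bound comes from: with only a wrong weight-w vector it can answer two of the three challenges, and the round count needed for a given security level follows from (2/3)^k.

```python
import hashlib
import random

def weight(v):
    return bin(v).count("1")

def syndrome(v, H):
    """H v^T over GF(2): bit j is the parity of row j against v."""
    return sum((weight(row & v) & 1) << j for j, row in enumerate(H))

def apply_perm(v, perm):
    """Permute coordinates: bit i of the result is bit perm[i] of v."""
    return sum(((v >> perm[i]) & 1) << i for i in range(len(perm)))

def commitment(*parts):
    """Random-oracle stand-in (SHA-256) over a canonical encoding of ints and int lists."""
    h = hashlib.sha256()
    for p in parts:
        items = p if isinstance(p, list) else [p]
        h.update(b"|" + b",".join(str(x).encode() for x in items))
    return h.digest()

def keygen(n, r, w, rng):
    """Public: uniformly random systematic H (r x n) and v = H s^T; private: s of weight w."""
    H = [(1 << (n - r + j)) | rng.getrandbits(n - r) for j in range(r)]
    s = sum(1 << p for p in rng.sample(range(n), w))
    return H, s, syndrome(s, H)

def prover_commit(H, s, n, rng):
    """c0 = h(sigma, H y^T), c1 = h(sigma(y)), c2 = h(sigma(y + s)) for random y and sigma."""
    y = rng.getrandbits(n)
    perm = list(range(n))
    rng.shuffle(perm)
    c = (commitment(perm, syndrome(y, H)),
         commitment(apply_perm(y, perm)),
         commitment(apply_perm(y ^ s, perm)))
    return c, (y, perm)

def prover_respond(b, s, state):
    y, perm = state
    if b == 0:
        return y, perm                                   # opens c0 and c1
    if b == 1:
        return y ^ s, perm                               # opens c0 (through v) and c2
    return apply_perm(y, perm), apply_perm(s, perm)      # opens c1 and c2, shows weight of s

def verifier_check(H, v, w, c, b, resp):
    c0, c1, c2 = c
    if b == 0:
        y, perm = resp
        return c0 == commitment(perm, syndrome(y, H)) and c1 == commitment(apply_perm(y, perm))
    if b == 1:
        ys, perm = resp                                   # H (y+s)^T = H y^T + v
        return c0 == commitment(perm, syndrome(ys, H) ^ v) and c2 == commitment(apply_perm(ys, perm))
    py, ps = resp                                         # sigma(y), sigma(s); sigma(y+s) = py + ps
    return c1 == commitment(py) and c2 == commitment(py ^ ps) and weight(ps) == w

def honest_round(n, r, w, b, seed):
    """One round with an honest prover: accepted for every challenge b in {0, 1, 2}."""
    rng = random.Random(seed)
    H, s, v = keygen(n, r, w, rng)
    c, state = prover_commit(H, s, n, rng)
    return verifier_check(H, v, w, c, b, prover_respond(b, s, state))

def cheating_round(n, r, w, b, seed):
    """A prover knowing only (H, v, w) commits with a guessed s' of weight w: it passes b = 0
    and b = 2 but fails b = 1 because H s'^T != v, hence success probability 2/3 per round."""
    rng = random.Random(seed)
    H, s, v = keygen(n, r, w, rng)
    fake = sum(1 << p for p in rng.sample(range(n), w))
    while syndrome(fake, H) == v:                         # a lucky guess would be a real solution
        fake = sum(1 << p for p in rng.sample(range(n), w))
    c, state = prover_commit(H, fake, n, rng)
    return verifier_check(H, v, w, c, b, prover_respond(b, fake, state))

def rounds_for(security_bits):
    """Smallest k with (2/3)^k <= 2^-security_bits."""
    k = 0
    while (2 / 3) ** k > 2.0 ** (-security_bits):
        k += 1
    return k

if __name__ == "__main__":
    print("honest:", [honest_round(24, 12, 4, b, 7) for b in range(3)])
    print("cheater:", [cheating_round(24, 12, 4, b, 7) for b in range(3)])
    print("rounds for 2^-80 and 2^-128:", rounds_for(80), rounds_for(128))
```

The b = 1 check is the one that binds the response to the public syndrome v, which is why a prover without s can prepare for at most two challenges; the SFS signatures that follow replace the verifier's challenges by hash outputs over all rounds at once.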
SFS Signatures
Commitments:
for do
,
end
Challenges:
SFS Signatures
Responses:
for do
if then
if then
if then
end
Signature:
SFS Signatures
Verification:
for do
if then ,
if then ,
if then ,
if then “reject”
end
SFS Signatures
Verification:
if then “reject” else “accept”
Signature size? elements of form or . Hence bits.
AGS Identification
AGS Identification
Aguilar-Gaborit-Schrek: identification in the GDP (rather than SDP) setting.
: uniformly random, systematic, quasi-cyclic binary generator matrix (usually , ).
Key pair:
Private key: , .
Public key: .
AGS Identification
Commitment 1:
The prover chooses a uniformly random word and a uniformly random permutation on .
The prover sends to the verifier: , .
AGS Identification
Challenge 1:
The verifier chooses a uniformly random and sends it to the prover.
Commitment 2:
The prover sends to the verifier:
AGS Identification
Challenge 2 & Response:
The verifier sends a uniformly random to the prover.
The prover responds by revealing: and if ; and if .
AGS Identification
Verification:
The verifier verifies that:
and are correct if , noticing that , hence ;
and are correct and , if .
The probability of cheating in this ZKP is . Repeating times reduces the cheating probability below .
Stern & AGS Keys
Gaborit-Girault propose , to achieve security.
Modern recommendation would be , for security, or (better yet) , for security.
Private and public keys are very short (respectively and bits long).
Signatures are possible via the Fiat-Shamir heuristics, but rather large (e.g. KiB at security).
Identity-Based Signatures
Identity-based signatures
Cayrel et al.: Goppa trapdoor for the Stern scheme combined with CFS signatures.
Stern parameter is the KGC’s CFS public key.
Stern public key is the user’s identity mapped to a decodable syndrome (N.B. necessary to increase weight to cover radius , otherwise the scheme is not id-based).
Identity-based private key is a CFS signature of the user’s identity, i.e. an error vector of weight computed by the KGC.
Not practical because of CFS (also, the distinguishability of Goppa codes may affect formal security properties).
Choosing the Code
Which Code to Choose?
Not all codes are suitable for cryptography.
Needed: code equipped with a trapdoor that can be easily and securely hidden.
Most popular choice: Goppa codes.
… except for a few weak cases, e.g. binary Goppa polynomial (Loidreau-Sendrier 1998).
… distinguishing a Goppa code from a random code of the same length can be done in time (Márquez-Corbella, Martínez-Moro and Pellikaan 2013; Faugère et al. 2013).
… OTOH interesting quantum-resistance properties (Dinh-Moore-Russell 2011).
… short keys? (Misoczki-B. 2009, Couvreur et al. 2017)
Which Code to Choose?
Other choices:
(quasi-cyclic) random(!) codes (Gaborit-Girault 2005)
(quasi-cyclic) LDPC codes (Baldi-Chiaraluce-Garello-Mininni 2007)
(quasi-cyclic) GRS codes (Niederreiter 1986, Berger-Cayrel-Gaborit-Otmani 2009)
(quasi-dyadic) Srivastava codes (Persichetti 2012)
(quasi-cyclic) MDPC codes (Misoczki-Tillich-Sendrier-B. 2013)
(quasi-cyclic) random+BCH codes (Melchor et al. 2016)
All of the above are codes in the Hamming metric. There are proposals that adopt different metrics:
(quasi-cyclic) random+LRPC codes (Aguilar-Melchor et al. 2016; Aragon et al. 2017 “RankSign”)
punctured Reed-Muller codes (Lee et al. 2017 “pqsigRM”)
Goppa Codes
Goppa Codes
Let be a monic ( ) polynomial.
Let (all distinct) such that for all . This is called the support.
Properties:
Easy to generate and plentiful.
Usually is chosen to be irreducible; if so, .
Goppa Codes
The Goppa syndrome function is the linear map : .
The Goppa code is the kernel of the Goppa syndrome function, i.e. .
Distance of a Goppa code
In general the minimum distance of is only known to be .
In the binary case when is square-free (e.g. when is irreducible) the minimum distance becomes .
How do we correct errors/decode?
Error Locator Polynomial
Efficient decoding procedure for known and via the (Patterson) error locator polynomial: .
Property: .
The Key Equation
Property: .
.
.
Error Correction
Let , let be an error vector of weight , and .
Compute the syndrome of through the relation .
Compute the error locator polynomial from the syndrome.
Determine which are zeroes of , thus retrieving and recovering .
Error Correction
Let . If , nothing to do (no error), otherwise is invertible.
Extended Euclid!
Thus , hence with .
Extended Euclid!
Property #1: .
Property #2: .
Property #3: .
Given: ,
Find : , ,
Where :
Thus , i.e. .
Conditions: , .
Decoding a binary Goppa syndrome
Patterson’s decoding algorithm
while do
while do
end
end
return // error locator polynomial
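The Goppa syndrome, the binary key equation S(x) sigma(x) = sigma'(x) mod g (the standard form behind Patterson's method) and Patterson's algorithm itself, as an added example serving the Goppa-code and decoding slides above (not code from the slides). The field GF(2^4), the Goppa polynomial g(x) = x^3 + x + 1 (t = 3; irreducible over GF(2^4) because it has no root there) and the support L = GF(2^4) are constructed; the square root modulo g is taken by the Frobenius power, which is valid because g is irreducible. Codewords contribute nothing to the syndrome, so the example feeds error patterns in directly.

```python
M, MOD, Q = 4, 0b10011, 16            # GF(2^4) = GF(2)[x]/(x^4 + x + 1); elements are ints 0..15

def gf_mul(a, b):
    """Product in GF(2^m) by shift-and-add, reducing by MOD."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (MOD if a & (Q >> 1) else 0), b >> 1
    return r

def gf_inv(a):
    """a^(2^m - 2) = 1/a for a != 0."""
    r = 1
    for _ in range(Q - 2):
        r = gf_mul(r, a)
    return r

# Polynomials over GF(2^m): coefficient lists, index = degree, no trailing zeros ([] is zero).
def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p

def padd(a, b):
    return trim([(a[i] if i < len(a) else 0) ^ (b[i] if i < len(b) else 0)
                 for i in range(max(len(a), len(b)))])

def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] ^= gf_mul(x, y)
    return trim(r)

def pdivmod(a, g):
    a, inv = trim(list(a)), gf_inv(g[-1])
    q = [0] * max(len(a) - len(g) + 1, 0)
    while len(a) >= len(g):
        shift, c = len(a) - len(g), gf_mul(a[-1], inv)
        q[shift] = c
        for i, gi in enumerate(g):
            a[i + shift] ^= gf_mul(c, gi)
        trim(a)
    return trim(q), a

def peval(p, x):
    r = 0
    for c in reversed(p):
        r = gf_mul(r, x) ^ c
    return r

def eea(g, a, dbound):
    """Extended Euclid on (g, a), stopped once deg(remainder) <= dbound; returns (r, v) with r = v*a mod g."""
    r0, r1, v0, v1 = list(g), trim(list(a)), [], [1]
    while len(r1) - 1 > dbound:
        q, r = pdivmod(r0, r1)
        r0, r1, v0, v1 = r1, r, v1, padd(v0, pmul(q, v1))
    return r1, v1

def pinv(a, g):
    """1/a modulo the irreducible g: Euclid down to a constant remainder, then scale."""
    r, v = eea(g, a, 0)
    return pmul([gf_inv(r[0])], v)

def psqrt_mod(a, g):
    """Square root in the field GF(2^m)[x]/(g): a^(2^(m*t - 1)) with t = deg g."""
    for _ in range(M * (len(g) - 1) - 1):
        a = pdivmod(pmul(a, a), g)[1]
    return a

def goppa_syndrome(word, g, support):
    """S(x) = sum of 1/(x - L_i) mod g over the set bits i of word (codewords contribute 0)."""
    S = []
    for i, L in enumerate(support):
        if (word >> i) & 1:
            S = padd(S, pinv([L, 1], g))
    return S

def key_equation_holds(positions, g, support):
    """Check S(x) sigma(x) = sigma'(x) mod g for sigma = prod (x - L_i); derivative in characteristic 2."""
    sigma = [1]
    for i in positions:
        sigma = pmul(sigma, [support[i], 1])
    dsigma = trim([sigma[i] if i % 2 else 0 for i in range(1, len(sigma))])
    S = goppa_syndrome(sum(1 << i for i in positions), g, support)
    return pdivmod(pmul(S, sigma), g)[1] == pdivmod(dsigma, g)[1]

def patterson(S, g, support):
    """T = 1/S, R = sqrt(T + x), find a = b*R with deg a <= t/2 and deg b <= (t-1)/2 by
    extended Euclid, sigma = a^2 + x b^2; errors sit where sigma vanishes on the support."""
    if not S:
        return set()
    T = pinv(S, g)
    R = psqrt_mod(padd(T, [0, 1]), g)        # R = 0 when T = x, which yields sigma = x below
    a, b = eea(g, R, (len(g) - 1) // 2)
    sigma = padd(pmul(a, a), pmul([0, 1], pmul(b, b)))
    return {i for i, L in enumerate(support) if peval(sigma, L) == 0}

G_POLY = [1, 1, 0, 1]        # g(x) = x^3 + x + 1: no root in GF(16), hence irreducible there; t = 3
SUPPORT = list(range(Q))     # L = all of GF(2^4), none a root of g; n = 16, k >= n - m*t = 4

def decode_errors(word):
    """Error positions Patterson finds for a received word (int bit vector) of the toy code."""
    return patterson(goppa_syndrome(word, G_POLY, SUPPORT), G_POLY, SUPPORT)

if __name__ == "__main__":
    e = (1 << 2) | (1 << 7) | (1 << 11)
    print("errors at", sorted(decode_errors(e)),
          "key equation holds:", key_equation_holds({2, 7, 11}, G_POLY, SUPPORT))
```

The degree bound passed to the extended Euclid step is what makes the (a, b) pair unique up to a scalar, and the root search over the support is the step whose running time depends on the error pattern unless it is written isochronously, which is the implementation challenge the next slide raises.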
Challenges
Isochronous decoding: possible, but hard to implement properly (error-prone) and efficiently.
Code size in software and area in hardware tend to be large (hindrance for embedded platforms/IoT).
But mainly: large keys.
The key size problem
Using systematic Goppa codes, key size is only bits. And yet…
level   m    n      k      t     key size
2^128   12   3307   2515   66    1991880
2^256   13   6960   5413   119   8378552
Goppa variants
Quasi-dyadic (Misoczki-B. 2009): distinguishable from random.
Quasi-cyclic (Bardet et al. 2017):
level   m    n       k      t     key size
2^128   12   3510    2418   91    203112
2^256   13   10070   6650   190   1197000
Gallager Codes
Gallager (LDPC) Codes
Extremely sparse parity-check matrices, e.g. with nonzero components at randomly chosen positions on each column.
Higher error-correction capability than Goppa codes (almost 3 times in the above example).
Gallager (LDPC) Codes
Symbols in red affect parity bit in green through the parity-checks in blue.
Gallager (LDPC) Codes
If the green parity bit is 1, at least one of the red bits is wrong.
Gallager (LDPC) Codes
Symbol in red affects parity bits in green through the parity-checks in blue.
Gallager (LDPC) Codes
If the red bit is wrong, some of the green parity bits will likely reveal it.
Gallager (LDPC) Codes
Bit flipping:
Determine which symbol bits are the most suspect (i.e. influence the largest number of parity bits in error) by counting how many parity errors each one influences via the parity-check matrix.
Flip those bits ().
Repeat until no parity error is left (or max number of attempts is exceeded).
Bit-flipping
Trouble: symbol bits counters.
More trouble: one pass to count and find the maximum count value, another pass to flip most suspect bits and recompute affected parity-check bits.
Memory-consuming and slow.
MDPC codes
Plain LDPC codes are susceptible to key recovery attacks: dual codes contain too sparse words of small weight.
Idea: set density and number of errors near the decodability threshold for security, but still within the range of bit-flipping or belief-propagation.
Moderate-density parity-check (MDPC) codes (Misoczki et al. 2013).
Short(ish) keys
Quasi-cyclic MDPC codes (QC-MDPC)
The trapdoor (private) parity-check matrix consists of blocks of sparse circulant matrices, , with :
…
NB: sparse!
Short(ish) keys
The systematic (public) parity-check matrix consists of blocks of dense circulant matrices, , with , :
…
NB: dense!
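A toy QC-MDPC instance with bit-flipping decoding, as an added example serving the bit-flipping and QC-MDPC slides above (not code from the slides). Block size r = 101 and the two column supports are constructed; they are chosen so that any two columns of the private matrix share at most two rows, which guarantees that two errors are always corrected in a single flipping round. The public key is the dense polynomial h0^-1 h1 (the non-identity block of the systematic parity-check matrix) and the decoder works on the sparse private pair (h0, h1); the failure-rate routine is a constructed experiment at toy size, far below any real security level.

```python
import random

R = 101                         # block size; prime, constructed for this toy
MASK = (1 << R) - 1
D0 = [0, 1, 3, 7, 12, 20, 30]   # first-column supports of the two private circulant blocks (constructed):
D1 = [0, 3, 9, 21, 36, 60, 90]  # any two columns of [H0 | H1] share at most 2 rows
W = 2 * len(D0)                 # row weight w = 14 of the private parity-check matrix

def popcount(x):
    return bin(x).count("1")

def rotl(x, j):
    """x * x^j modulo x^R + 1: cyclic shift of an R-bit vector by j positions."""
    return ((x << j) | (x >> (R - j))) & MASK if j else x

def cmul(a, b):
    """a(x) * b(x) modulo x^R + 1, i.e. the circulant matrix of a applied to the vector b."""
    out = 0
    while a:
        low = a & -a
        a ^= low
        out ^= rotl(b, low.bit_length() - 1)
    return out

def gf2_divmod(a, b):
    """Long division of polynomials over GF(2) stored as ints."""
    q, db = 0, b.bit_length() - 1
    while a.bit_length() - 1 >= db:
        s = a.bit_length() - 1 - db
        q |= 1 << s
        a ^= b << s
    return q, a

def gf2_mul(a, b):
    out = 0
    while a:
        if a & 1:
            out ^= b
        a, b = a >> 1, b << 1
    return out

def poly_inv(a):
    """Inverse of a modulo x^R + 1 by extended Euclid; raises if gcd != 1."""
    r0, r1, v0, v1 = (1 << R) | 1, a, 0, 1
    while r1 > 1:
        q, rem = gf2_divmod(r0, r1)
        r0, r1, v0, v1 = r1, rem, v1, v0 ^ gf2_mul(q, v1)
    if r1 != 1:
        raise ValueError("h0 is not invertible modulo x^R + 1")
    return v1

def keygen():
    """Private (h0, h1): sparse. Public h0^-1 h1: dense, the non-identity block of the systematic H."""
    h0, h1 = sum(1 << d for d in D0), sum(1 << d for d in D1)
    return (h0, h1), cmul(poly_inv(h0), h1)

def private_syndrome(e0, e1, h):
    """s = h0 e0 + h1 e1: the sparse private parity-check matrix applied to (e0 | e1)."""
    return cmul(h[0], e0) ^ cmul(h[1], e1)

def public_syndrome(e0, e1, public):
    """s' = e0 + (h0^-1 h1) e1 = h0^-1 s, computable from the public key alone."""
    return e0 ^ cmul(public, e1)

def bitflip(s, h, max_iter=10):
    """Gallager bit flipping: for every position count the unsatisfied parity checks it touches
    (column support intersected with the syndrome), flip all positions with the maximal count,
    update the syndrome, repeat until it vanishes. Returns (e0, e1) or None on failure."""
    e = [0, 0]
    for _ in range(max_iter):
        if s == 0:
            return tuple(e)
        counts = [[popcount(s & rotl(h[b], j)) for j in range(R)] for b in range(2)]
        best = max(map(max, counts))
        for b in range(2):
            for j in range(R):
                if counts[b][j] == best:
                    e[b] ^= 1 << j
                    s ^= rotl(h[b], j)
    return tuple(e) if s == 0 else None

def decode_from_public(s_pub, h):
    """Multiply the public syndrome by h0 to get the private one, then bit-flip."""
    return bitflip(cmul(h[0], s_pub), h)

def failure_rate(t, trials, seed=0):
    """Fraction of random weight-t errors not recovered (constructed experiment at toy size)."""
    rng = random.Random(seed)
    h, public = keygen()
    fails = 0
    for _ in range(trials):
        pos = rng.sample(range(2 * R), t)
        e0 = sum(1 << p for p in pos if p < R)
        e1 = sum(1 << (p - R) for p in pos if p >= R)
        fails += decode_from_public(public_syndrome(e0, e1, public), h) != (e0, e1)
    return fails / trials

if __name__ == "__main__":
    h, public = keygen()
    print("private row weight:", W, " public block weight:", popcount(public))
    for t in (2, 4, 6, 8):
        print("t =", t, "failure rate:", failure_rate(t, 50, seed=t))
```

Two things the toy makes visible: the public polynomial has a weight near r/2 while the private one has weight 7, which is the sparse/dense contrast of the two slides; and the failure rate is zero for small t but climbs as t approaches the decodability threshold, which is the decoding-failure concern listed under the next challenges slide.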
Short(ish) keys
Shorter public (and private) keys than conventional schemes:
level   n       k       t     w     QC-MDPC   Goppa     shrink
2^128   20326   10163   134   142   10163     1991880   202×
2^256   65498   32749   264   274   32749     8378552   256×
Challenges
Decoding failures.
Low enough probability not to be a concern regarding passive adversaries, but (sometimes, depending on the parameters) high enough to be a concern regarding active attacks.
Isochronous implementations.
Goal: avoid timing leaks. Worst-case behavior (e.g. emulating more bit-flipping rounds even when not needed) leads to inefficiencies. Also an issue for Goppa/Srivastava codes.
Embedded/IoT platforms.
What Next?
Limitations and trends
Codes are fine for key agreement and encryption 👍 …but hard to use for many other applications ☹️
Improvements for advanced functionalities (blind signatures, identity-based encryption, …)? 🤔
More research, please! 🎓
Questions?