5 research outputs found
A Reaction Attack on LEDApkc
We propose a new reaction attack on the public-key cryptosystem LEDApkc. The adversary uses the decoding failure rate (DFR) analysis to learn information about the secret masking matrix . Provided the adversary learns information about within decryptions (as prescribed by LEDApkc design to thwart previously known attacks), the adversary builds a small set of candidates for . Using these candidates, the adversary obtains candidates for a generator matrix of the secret LDPC code. Afterwards, the adversary applies Stern\u27s algorithm to recover the secret matrix , thus recovering the full private key.
Provided the adversary can learn information about the matrix , the complexity of the attack is below for a parameter set for 128-bit security. In order to study whether the adversary can learn information about from decryptions, we conducted experiments with a modified parameter set. The parameter set was modified only in order to increase the DFR, and thus make experiments less computationally expensive. We show that with the modified parameter set it is indeed possible to learn the required information about the matrix
Assessing and countering reaction attacks against post-quantum public-key cryptosystems based on QC-LDPC codes
Code-based public-key cryptosystems based on QC-LDPC and QC-MDPC codes are
promising post-quantum candidates to replace quantum vulnerable classical
alternatives. However, a new type of attacks based on Bob's reactions have
recently been introduced and appear to significantly reduce the length of the
life of any keypair used in these systems. In this paper we estimate the
complexity of all known reaction attacks against QC-LDPC and QC-MDPC code-based
variants of the McEliece cryptosystem. We also show how the structure of the
secret key and, in particular, the secret code rate affect the complexity of
these attacks. It follows from our results that QC-LDPC code-based systems can
indeed withstand reaction attacks, on condition that some specific decoding
algorithms are used and the secret code has a sufficiently high rate.Comment: 21 pages, 2 figures, to be presented at CANS 201
Analysis of reaction and timing attacks against cryptosystems based on sparse parity-check codes
In this paper we study reaction and timing attacks against cryptosystems
based on sparse parity-check codes, which encompass low-density parity-check
(LDPC) codes and moderate-density parity-check (MDPC) codes. We show that the
feasibility of these attacks is not strictly associated to the quasi-cyclic
(QC) structure of the code but is related to the intrinsically probabilistic
decoding of any sparse parity-check code. So, these attacks not only work
against QC codes, but can be generalized to broader classes of codes. We
provide a novel algorithm that, in the case of a QC code, allows recovering a
larger amount of information than that retrievable through existing attacks and
we use this algorithm to characterize new side-channel information leakages. We
devise a theoretical model for the decoder that describes and justifies our
results. Numerical simulations are provided that confirm the effectiveness of
our approach
Tree authenticated ephemeral keys
Public key algorithms based on QC-MPDC and QC-LDPC codes for key encapsulation/encryption submitted to NIST post-quantum competition (BIKE, QC-MDPC KEM, LEDA) are vulnerable against reaction attacks based on decoding failures. To protect algorithms, authors propose to limit the key usage, in the extreme (BIKE) to only use ephemeral public keys. In some authenticated protocols, we need to combine each key with a signature, which can lead to increased traffic overhead, especially given large signature sizes of some of the proposed post-quantum signature schemes. We propose to combine ephemeral public keys with a simple Merkle-tree to obtain a server authenticated key encapsulation/transport suitable for TLS-like handshake protocols
LEDAcrypt: QC-LDPC Code-Based Cryptosystems with Bounded Decryption Failure Rate
We consider the QC-LDPC code-based cryptosystems named LEDAcrypt, which are under consideration by NIST for the second round of the post-quantum cryptography standardization initiative. LEDAcrypt is the result of the merger of the key encapsulation mechanism LEDAkem and the public-key cryptosystem LEDApkc, which were submitted to the first round of the same competition.
We provide a detailed quantification of the quantum and classical computational efforts needed to foil the cryptographic guarantees of these systems.
To this end, we take into account the best known attacks that can be mounted against them employing both classical and quantum computers, and compare their computational complexities with the ones required to break AES, coherently with the NIST requirements.
Assuming the original LEDAkem and LEDApkc parameters as a reference, we introduce an algorithmic optimization procedure to design new sets of parameters for LEDAcrypt.
These novel sets match the security levels in the NIST call and make the C reference implementation of the systems exhibit significantly improved figures of merit, in terms of both running times and key sizes.
As a further contribution, we develop a theoretical characterization of the decryption failure rate (DFR) of LEDAcrypt cryptosystems, which allows new instances of the systems with guaranteed low DFR to be designed.
Such a characterization is crucial to withstand recent attacks exploiting the reactions of the legitimate recipient upon decrypting multiple ciphertexts with the same private key, and consequentially it is able to ensure a lifecycle of the corresponding key pairs which can be sufficient for the wide majority of practical purposes