Re-proving Channel Polarization Theorems: An Extremality and Robustness Analysis

The general subject considered in this thesis is a recently discovered coding technique, polar coding, which is used to construct a class of error correction codes with unique properties. In his ground-breaking work, Ar{\i}kan proved that this class of codes, called polar codes, achieve the symmetric capacity --- the mutual information evaluated at the uniform input distribution ---of any stationary binary discrete memoryless channel with low complexity encoders and decoders requiring in the order of $O(N\log N)$ operations in the block-length $N$. This discovery settled the long standing open problem left by Shannon of finding low complexity codes achieving the channel capacity. Polar coding settled an open problem in information theory, yet opened plenty of challenging problems that need to be addressed. A significant part of this thesis is dedicated to advancing the knowledge about this technique in two directions. The first one provides a better understanding of polar coding by generalizing some of the existing results and discussing their implications, and the second one studies the robustness of the theory over communication models introducing various forms of uncertainty or variations into the probabilistic model of the channel.Comment: Preview of my PhD Thesis, EPFL, Lausanne, 2014. For the full version, see http://people.epfl.ch/mine.alsan/publication

Cryptography based on the Hardness of Decoding

This thesis provides progress in the fields of for lattice and coding based cryptography. The first contribution consists of constructions of IND-CCA2 secure public key cryptosystems from both the McEliece and the low noise learning parity with noise assumption. The second contribution is a novel instantiation of the lattice-based learning with errors problem which uses uniform errors

Quantum Resistant Authenticated Key Exchange for OPC UA using Hybrid X.509 Certificates

While the current progress in quantum computing opens new opportunities in a wide range of scientific fields, it poses a serious threat to today?s asymmetric cryptography. New quantum resistant primitives are already available but under active investigation. To avoid the risk of deploying immature schemes we combine them with well-established classical primitives to hybrid schemes, thus hedging our bets. Because quantum resistant primitives have higher resource requirements, the transition to them will affect resource constrained IoT devices in particular. We propose two modifications for the authenticated key establishment process of the industrial machine-to-machine communication protocol OPC UA to make it quantum resistant. Our first variant is based on Kyber for the establishment of shared secrets and uses either Falcon or Dilithium for digital signatures in combination with classical RSA. The second variant is solely based on Kyber in combination with classical RSA. We modify existing opensource software (open62541, mbedTLS) to integrate our two proposed variants and perform various performance measurement

On Two Fundamental Problems on APN Power Functions

The six infinite families of power APN functions are among the oldest known instances of APN functions, and it has been conjectured in 2000 that they exhaust all possible power APN functions. Another long-standing open problem is that of the Walsh spectrum of the Dobbertin power family, which is still unknown. Those of Kasami, Niho and Welch functions are known, but not the precise values of their Walsh transform, with rare exceptions. One promising approach that could lead to the resolution of these problems is to consider alternative representations of the functions in questions. We derive alternative representations for the infinite APN monomial families. We show how the Niho, Welch, and Dobbertin functions can be represented as the composition xi∘x1/j of two power functions, and prove that our representations are optimal, i.e. no two power functions of lesser algebraic degree can be used to represent the functions in this way. We investigate compositions xi∘L∘x1/j for a linear polynomial L , show how the Kasami functions in odd dimension can be expressed in this way with i=j being a Gold exponent and compute all APN functions of this form for n≤9 and for L with binary coefficients, thereby showing that our theoretical constructions exhaust all possible cases. We present observations and data on power functions with exponent ∑k−1i=122ni−1 which generalize the inverse and Dobbertin families. We present data on the Walsh spectrum of the Dobbertin function for n≤35 , and conjecture its exact form. As an application of our results, we determine the exact values of the Walsh transform of the Kasami function at all points of a special form. Computations performed for n≤21 show that these points cover about 2/3 of the field.acceptedVersio

Exploring Decryption Failures of BIKE: New Class of Weak Keys and Key Recovery Attacks

Code-based cryptography has received a lot of attention recently because it is considered secure under quantum computing. Among them, the QC-MDPC based scheme is one of the most promising due to its excellent performance. QC-MDPC based scheme is usually subject to a small rate of decryption failure, which can leak information about the secret key. This raises two crucial problems: how to accurately estimate the decryption failure rate and how to use the failure information to recover the secret key. However, the two problems are challenging due to the difficulty of geometrically characterizing the bit-flipping decoder employed in QC-MDPC, such as using decoding radius. In this work, we introduce the gathering property and show that it is strongly connected with the decryption failure rate of QC-MDPC. Based on the gathering property, we present two results for QC-MDPC based schemes. The first is a new construction of weak keys obtained by extending the keys that have gathering property via ring isomorphism. For the set of weak keys, we present a rigorous analysis of the probability, as well as experimental simulation of the decryption failure rates. Considering BIKE\u27s parameter set targeting $128$-bit security, our result eventually indicates that the average decryption failure rate is lower bounded by $DFR_{avg} \ge 2^{-122.57}$. The second is a key recovery attack against CCA secure QC-MDPC schemes using decryption failures in a multi-target setting. By decrypting ciphertexts with errors satisfying the gathering property, we show that a single decryption failure can be used to identify whether a target\u27s secret key satisfies the gathering property. Then using the gathering property as extra information, we present a modified information set decoding algorithm that efficiently retrieves the target\u27s secret key. For BIKE\u27s parameter set targeting $128$-bit security, a key recovery attack with complexity $2^{119.88}$ can be expected by using extrapolated decryption failure rates

An IND-CCA Rank Metric Encryption Scheme Implementation

TCC(graduação) - Universidade Federal de Santa Catarina. Centro Tecnológico. Ciências da Computação.The advances in the field of quantum computation impose a severe threat to the cryptographic primitives used nowadays. In particular, the community predicts public-key cryptography will be turned completely obsolete if these computers are ever produced. In the light of these facts, researchers are contributing in a great effort to preserve current information systems against quantum attacks. Post-quantum cryptography is the area of research that aims to develop cryptographic systems to resist against both quantum and classical computers while assuring interoperability with existing networks and protocols. This work considers the use of Gabidulin codes—a class of error-correcting codes using rank metric—in the construction of encryption schemes. We first introduce error-correcting codes in general and Gabidulin codes in particular. Then, we present the use of these codes in the context of public-key encryption schemes and show that, while providing the possibility of smaller key sizes, they are especially challenging in terms of security. We present the scheme proposed in Loidreau in 2017, showing that although correcting the main weakness in previous propositions, it is still insecure related to chosen-ciphertext attacks. Then, we present a modification to the scheme, proposed by Shehhi et al. to achieve CCA security, and provide an implementation. We also analyze the theoretical complexity of recent attacks to rank-based cryptography and propose a set of parameters for the scheme

Horizontal Correlation Attack on Classic McEliece

As the technical feasibility of a quantum computer becomes more and more likely, post-quantum cryptography algorithms are receiving particular attention in recent years. Among them, code-based cryptosystems were first considered unsuited for hardware and embedded software implementations because of their very large key sizes. However, recent work has shown that such implementations are practical, which also makes them susceptible to physical attacks. In this article, we propose a horizontal correlation attack on the Classic McEliece cryptosystem, more precisely on the matrix-vector multiplication over $\mathbb{F}_2$ that computes the shared key in the encapsulation process. The attack is applicable in the broader context of Niederreiter-like code-based cryptosystems and is independent of the code structure, i.e. it does not need to exploit any particular structure in the parity check matrix. Instead, we take advantage of the constant time property of the matrix-vector multiplication over $\mathbb{F}_2$. We extend the feasibility of the basic attack by leveraging information-set decoding methods and carry it out successfully on the reference embedded software implementation. Interestingly, we highlight that implementation choices, like the word size or the compilation options, play a crucial role in the attack success, and even contradict the theoretical analysis