A tiny public key scheme based on Niederreiter Cryptosystem
Due to the weakness of public key cryptosystems in the face of quantum computers, the need for a solution emerged. The McEliece cryptosystem and its security-equivalent counterpart, the Niederreiter cryptosystem, both based on Goppa codes, are among the solutions, but they are not practical due to their long key length. Several prior attempts to decrease the length of the public key in code-based cryptosystems involved substituting the Goppa code family with other code families. However, these efforts ultimately proved to be insecure. In 2016, the National Institute of Standards and Technology (NIST) called for proposals from around the world to standardize post-quantum cryptography (PQC) schemes to solve this issue. After receiving various proposals in this field, the Classic McEliece cryptosystem, as well as Hamming Quasi-Cyclic (HQC) and Bit Flipping Key Encapsulation (BIKE), were chosen as the code-based encryption category cryptosystems that successfully progressed to the final stage. This article proposes a method for developing a code-based public key cryptography scheme that is both simple and implementable. The proposed scheme has a much shorter public key length than the NIST finalist cryptosystems. The key length for the primary parameters of the McEliece cryptosystem (n=1024, k=524, t=50) ranges from 18 to 500 bits. The security of this system is at least as strong as the security of the Niederreiter cryptosystem. The proposed structure is based on the Niederreiter cryptosystem, which exhibits a set of highly advantageous properties that make it a suitable candidate for implementation in all extant systems.
The decoding failure probability of MDPC codes
Moderate Density Parity Check (MDPC) codes are defined here as codes which have a parity-check matrix whose row weight is where is the length of the code. They can be decoded like LDPC codes, but they decode many fewer errors than LDPC codes: the number of errors they can decode in this case is of order . Despite this fact, they have proved very useful in cryptography for devising key exchange mechanisms. They have also been proposed in McEliece-type cryptosystems. However, in this case, the parameters that were proposed in \cite{MTSB13} were broken in \cite{GJS16}. This attack exploits the fact that the decoding failure probability is non-negligible. We show here that this attack can be thwarted by choosing the parameters in a more conservative way. We first show that such codes can decode with a simple bit-flipping decoder any pattern of errors. This avoids the previous attack at the cost of significantly increasing the key size of the scheme. We then show that under a very reasonable assumption the decoding failure probability decays almost exponentially with the code length with just two iterations of bit-flipping. With an additional assumption it has even been proved that it decays exponentially with an unbounded number of iterations, and we show that in this case the increase of the key size which is required for resisting the attack of \cite{GJS16} is only moderate.
A Side-Channel Assisted Cryptanalytic Attack Against QcBits
QcBits is a code-based public key algorithm based on a problem thought to be resistant to quantum computer attacks. It is a constant-time implementation of a quasi-cyclic moderate density parity check (QC-MDPC) Niederreiter encryption scheme, and has excellent performance and small key sizes. In this paper, we present a key recovery attack against QcBits. We first used differential power analysis (DPA) against the syndrome computation of the decoding algorithm to recover partial information about one half of the private key. We then used the recovered information to set up a system of noisy binary linear equations. Solving this system of equations gave us the entire key. Finally, we propose a simple but effective countermeasure against the power analysis used during the syndrome calculation.
The Nested Subset Differential Attack: A Practical Direct Attack Against LUOV which Forges a Signature within 210 Minutes
In 2017, Ward Beullens et al. submitted Lifted Unbalanced Oil and Vinegar (LUOV), which is a modification of the Unbalanced Oil and Vinegar Scheme by Patarin. Previously, Ding et al. proposed the Subfield Differential Attack, which prompted a change of parameters by the authors of LUOV for the second round of the NIST post-quantum standardization competition. In this paper we propose a modification of the Subfield Differential Attack called the Nested Subset Differential Attack, which fully breaks half of the parameter sets put forward. We also show by experimentation that this attack is practically possible to carry out in under 210 minutes for the level I security parameters and is not just a theoretical attack. The Nested Subset Differential Attack is a large improvement on the Subfield Differential Attack and can be used in real-world circumstances. Moreover, we use only what is called the lifted structure of LUOV, and our attack can be thought of as a development in solving lifted quadratic systems.
G-Merkle: A Hash-Based Group Signature Scheme From Standard Assumptions
Hash-based signature schemes are the most promising cryptosystem candidates in a post-quantum world, but offer little structure to enable more sophisticated constructions such as group signatures.
Group signatures allow a group member to anonymously sign messages on behalf of the whole group (as needed for anonymous remote attestation).
In this work, we introduce G-Merkle, the first (stateful) hash-based group signature scheme.
Our proposal relies on minimal assumptions, namely the existence of one-way functions, and offers performance equivalent to the Merkle single-signer setting. The public key size (as small as in the single-signer setting) outperforms all other post-quantum group signatures. Moreover, for group members issuing at most signatures each, the size of a hash-based group signature is just as large as a Merkle signature with a tree composed of leaf nodes. This directly translates into fast signing and verification engines.
Unlike its lattice-based counterparts, our construction does not require any random oracle. Note that due to the randomized structure of our Merkle tree, the signature authentication paths are pre-stored or deduced from a public tree, which seems a requirement that is hard to circumvent. To conclude, we present implementation results to demonstrate the practicality of our proposal.
A post-quantum digital signature scheme based on supersingular isogenies
We present the first general-purpose digital signature scheme based on supersingular elliptic curve isogenies that is secure against quantum adversaries in the quantum random oracle model with small key sizes. This scheme is an application of Unruh’s construction of non-interactive zero-knowledge proofs to an interactive zero-knowledge proof proposed by De Feo, Jao, and Plut. We implement our proposed scheme on an x86-64 PC platform as well as an ARM-powered device. We exploit state-of-the-art techniques to speed up the computations in both generic C and assembly. Finally, we provide timing results for real-world applications.
Post-quantum cryptography and error-correcting codes
This project is a study of the McEliece cryptosystem, an error-correcting cryptosystem that works with Goppa codes. In addition, it studies and analyzes a proposal based on this cryptosystem that was submitted to the NIST post-quantum cryptography standardization process.
The main objective of this project is to study the binary Goppa code and the McEliece cryptosystem (1978). Furthermore, a proposal based on this cryptosystem in the Post-Quantum Cryptography Standardization Process of NIST is analyzed.
McBits Revisited
This paper presents a constant-time fast implementation of a high-security code-based encryption system. The implementation is based on the “McBits” paper by Bernstein, Chou, and Schwabe from 2013: we use the same FFT algorithms for root finding and syndrome computation, similar algorithms for the secret permutation, and bitslicing for low-level operations. Whereas McBits achieves high decryption throughput by running many decryption operations in parallel, we take a different approach and exploit the internal parallelism within a single decryption operation, which makes the implementation usable by more applications. As a result, we achieve a slightly better decryption throughput at a much higher security level than McBits. As a minor contribution, we also present a constant-time implementation of encryption and key-pair generation, using techniques similar to those used for decryption.
Algebraic Attack against Variants of McEliece with Goppa Polynomial of a Special Form
In this paper, we present a new algebraic attack against some special cases of Wild McEliece Incognito, a generalization of the original McEliece cryptosystem. This attack does not threaten the original McEliece cryptosystem. We prove that recovering the secret key for such schemes is equivalent to solving a system of polynomial equations whose solutions have the structure of a usual vector space. Consequently, to recover a basis of this vector space, we can greatly reduce the number of variables in the corresponding algebraic system. From these solutions, we can then deduce the basis of a GRS code. Finally, the last step of the cryptanalysis of those schemes corresponds to attacking a McEliece scheme instantiated with particular GRS codes (with a polynomial relation between the support and the multipliers), which can be done in polynomial time thanks to a variant of the Sidelnikov-Shestakov attack. For Wild McEliece & Incognito, we also show that solving the corresponding algebraic system is notably easier in the case of a non-prime base field Fq. To support our theoretical results, we have been able to practically break several parameter sets defined over a non-prime base field with q in {9, 16, 25, 27, 32}, t < 7, extension degrees m in {2, 3}, and security level up to 2^129 against information set decoding, in a few minutes or hours.