11 research outputs found

    Quantifying risks in cryptographic selection processes

    There appears to be a widespread belief that some processes of selecting cryptosystems are less risky than other processes. As a case study in quantifying the difference in risks, this paper compares the currently-known-failure rates of three large groups of cryptosystems: (1) the round-1 submissions to the NIST Post-Quantum Cryptography Standardization Project, (2) the round-1 submissions not broken by the end of round 1, and (3) the round-1 submissions selected by NIST for round 2 of the same project. These groups of cryptosystems turn out to have currently-known-failure rates that are strikingly high, and that include statistically significant differences across the groups, not matching the pattern of differences that one might expect. Readers are cautioned that the actual failure rates could be much higher than the currently-known-failure rates.

    Quantum Resistant Public Key Encryption Scheme RLCE and IND-CCA2 Security for McEliece Schemes

    Recently, Wang (2016) introduced a random-linear-code-based quantum-resistant public key encryption scheme, RLCE, which is a variant of the McEliece encryption scheme. In this paper, we introduce a revised version of the RLCE encryption scheme. The revised RLCE schemes are more efficient than the original RLCE scheme. Specifically, it is shown that RLCE schemes have smaller public key sizes compared to binary-Goppa-code-based McEliece encryption schemes at corresponding security levels. The paper further proposes message padding schemes for RLCE to achieve IND-CCA2 security. Practical RLCE parameters for the security levels of 128, 192, and 256 bits and for the quantum security levels of 80, 110, and 144 bits are recommended. The implementation of the RLCE encryption scheme and software packages for analyzing the security strength of RLCE parameters are available at http://quantumca.org

    Cryptanalysis of Ivanov-Krouk-Zyablov cryptosystem

    Recently, F. Ivanov, E. Krouk and V. Zyablov proposed a new cryptosystem based on Generalized Reed-Solomon (GRS) codes over field extensions. In their approach, the subfield images of GRS codes are masked by a special transform, so that the resulting public codes are not equivalent to subfield images of GRS codes, but burst errors can still be decoded. In this paper, we show that the complexity of a message-recovery attack on this cryptosystem can be reduced because of the use of burst errors, and that the secret key of the Ivanov-Krouk-Zyablov cryptosystem can be successfully recovered in polynomial time with a linear-algebra-based attack and a square-based attack.

    Smaller keys for McEliece cryptosystems using convolutional encoders

    The arrival of the quantum computing era is a real threat to the confidentiality and integrity of digital communications. It is therefore urgent to develop alternative cryptographic techniques that are resilient to quantum computing; this is the goal of post-quantum cryptography. The code-based cryptosystem called the Classical McEliece Cryptosystem remains one of the most promising post-quantum alternatives. However, the main drawback of this system is that the public key is much larger than in the other alternatives. In this thesis we study the algebraic properties of this type of cryptosystem and present a new variant that uses a convolutional encoder to mask the so-called Generalized Reed-Solomon code. We conduct a cryptanalysis of this new variant to show that high levels of security can be achieved using significantly smaller keys than in the existing variants of the McEliece scheme. We illustrate the advantages of the proposed cryptosystem by presenting several practical examples.
    Programa Doutoral em Matemátic

    On McEliece type cryptosystems using self-dual codes with large minimum weight

    One of the finalists in the NIST post-quantum cryptography competition is the Classic McEliece cryptosystem. Unfortunately, its public key size represents a practical limitation. One option to address this problem is to use different families of error-correcting codes. Most such attempts failed, as those cryptosystems were proved insecure. In this paper, we propose a McEliece-type cryptosystem using self-dual codes with high minimum distance and punctured codes derived from them. To the best of our knowledge, such codes have not been used in a code-based cryptosystem until now. For the 80-bit security case, we construct an optimal self-dual code of length 1,064, which, as far as we are aware, has not been presented before. Compared to the original McEliece cryptosystem, this allows us to reduce the key size by about 38.5%.

    A Modified Symmetric Key Fully Homomorphic Encryption Scheme Based on Reed-Muller Code

    Homomorphic encryption has become a popular and powerful cryptographic primitive for various cloud computing applications, and several developments have been made in recent decades. A few schemes based on coding theory have been proposed, but none of them supports an unlimited number of operations securely. We propose a modified Reed-Muller-code-based symmetric key fully homomorphic encryption scheme that improves security by using a message expansion technique. Message expansion with a prepended random fixed-length string provides a one-to-many mapping between message and codeword, and thus a one-to-many mapping between plaintext and ciphertext. The proposed scheme supports both (mod 2) additive and multiplicative operations without limit. We make an effort to prove the security of the scheme under indistinguishability under chosen-plaintext attack (IND-CPA) through a game-based security proof. The security proof gives a mathematical analysis and the complexity of its hardness. It also presents a security analysis against all the known attacks with respect to the message expansion and homomorphic operations.

    Theoretical analysis of decoding failure rate of non-binary QC-MDPC codes

    In this paper, we study the decoding failure rate (DFR) of non-binary QC-MDPC codes using theoretical tools, extending the results of previous binary QC-MDPC code studies. The theoretical estimates of the DFR are particularly significant for cryptographic applications of QC-MDPC codes. Specifically, in the binary case, it is established that exploiting decoding failures makes it possible to recover the secret key of a QC-MDPC cryptosystem. This implies that to attain the desired security level against adversaries in the CCA2 model, the decoding failure rate must be strictly upper-bounded so as to be negligibly small. In this paper, we observe that this attack can also be extended to the non-binary case, which underscores the importance of DFR estimation. Consequently, we study the guaranteed error-correction capability of non-binary QC-MDPC codes under the one-step majority-logic (OSML) decoder and provide a theoretical analysis of the 1-iteration parallel symbol flipping decoder and its combination with the OSML decoder. Utilizing these results, we estimate the potential public-key sizes for QC-MDPC cryptosystems over $\mathbb{F}_4$ for various security levels. We find that there is no advantage in reducing key sizes when compared to the binary case.

    Correlated Pseudorandomness from the Hardness of Quasi-Abelian Decoding

    Secure computation often benefits from the use of correlated randomness to achieve fast, non-cryptographic online protocols. A recent paradigm put forth by Boyle et al. (CCS 2018, Crypto 2019) showed how pseudorandom correlation generators (PCGs) can be used to generate large amounts of useful forms of correlated (pseudo)randomness, using minimal interaction followed solely by local computation, yielding silent secure two-party computation protocols (protocols where the preprocessing phase requires almost no communication). An additional property called programmability allows this to be extended to build N-party protocols. However, known constructions of programmable PCGs can only produce OLEs over large fields, and rely on the rather new splittable ring-LPN assumption. In this work, we overcome both limitations. To this end, we introduce the quasi-abelian syndrome decoding problem (QA-SD), a family of assumptions which generalises the well-established quasi-cyclic syndrome decoding assumption. Building upon QA-SD, we construct new programmable PCGs for OLEs over any field $\mathbb{F}_q$ with $q>2$. Our analysis also sheds light on the security of the ring-LPN assumption used in Boyle et al. (Crypto 2020). Using our new PCGs, we obtain the first efficient N-party silent secure computation protocols for computing general arithmetic circuits over $\mathbb{F}_q$ for any $q>2$.
    Comment: This is a long version of a paper accepted at CRYPTO'2

    Correlated Pseudorandomness from the Hardness of Quasi-Abelian Decoding

    Secure computation often benefits from the use of correlated randomness to achieve fast, non-cryptographic online protocols. A recent paradigm put forth by Boyle et al. (CCS 2018, Crypto 2019) showed how pseudorandom correlation generators (PCGs) can be used to generate large amounts of useful forms of correlated (pseudo)randomness, using minimal interaction followed solely by local computation, yielding silent secure two-party computation protocols (protocols where the preprocessing phase requires almost no communication). Furthermore, programmable PCGs can be used similarly to generate multiparty correlated randomness for use in silent secure N-party protocols. Previous works constructed very efficient (non-programmable) PCGs for correlations such as random oblivious transfers. However, the situation is less satisfying for the case of random oblivious linear evaluation (OLE), which generalises oblivious transfer to large fields and is a core resource for secure computation of arithmetic circuits. The state-of-the-art work of Boyle et al. (Crypto 2020) constructed programmable PCGs for OLE, but their work suffers from two important downsides: (1) it only generates OLEs over large fields, and (2) it relies on the relatively new splittable ring-LPN assumption, which lacks strong security foundations. In this work, we construct new programmable PCGs for the OLE correlation that overcome both limitations. To this end, we introduce the quasi-abelian syndrome decoding problem (QA-SD), a family of assumptions which generalises the well-established quasi-cyclic syndrome decoding assumption. Building upon QA-SD, we construct new programmable PCGs for OLEs over any field $\mathbb{F}_q$ with $q>2$. Our analysis also sheds light on the security of the ring-LPN assumption used in Boyle et al. (Crypto 2020). Using our new PCGs, we obtain the first efficient N-party silent secure computation protocols for computing general arithmetic circuits over $\mathbb{F}_q$ for any $q>2$.