2,189 research outputs found
LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes
This work presents a new code-based key encapsulation mechanism (KEM) called
LEDAkem. It is built on the Niederreiter cryptosystem and relies on
quasi-cyclic low-density parity-check codes as secret codes, providing high
decoding speeds and compact keypairs. LEDAkem uses ephemeral keys to foil known
statistical attacks, and takes advantage of a new decoding algorithm that
provides faster decoding than the classical bit-flipping decoder commonly
adopted in this kind of systems. The main attacks against LEDAkem are
investigated, taking into account quantum speedups. Some instances of LEDAkem
are designed to achieve different security levels against classical and quantum
computers. Some performance figures obtained through an efficient C99
implementation of LEDAkem are provided.Comment: 21 pages, 3 table
Analysis of reaction and timing attacks against cryptosystems based on sparse parity-check codes
In this paper we study reaction and timing attacks against cryptosystems
based on sparse parity-check codes, which encompass low-density parity-check
(LDPC) codes and moderate-density parity-check (MDPC) codes. We show that the
feasibility of these attacks is not strictly associated to the quasi-cyclic
(QC) structure of the code but is related to the intrinsically probabilistic
decoding of any sparse parity-check code. So, these attacks not only work
against QC codes, but can be generalized to broader classes of codes. We
provide a novel algorithm that, in the case of a QC code, allows recovering a
larger amount of information than that retrievable through existing attacks and
we use this algorithm to characterize new side-channel information leakages. We
devise a theoretical model for the decoder that describes and justifies our
results. Numerical simulations are provided that confirm the effectiveness of
our approach
Variations of the McEliece Cryptosystem
Two variations of the McEliece cryptosystem are presented. The first one is
based on a relaxation of the column permutation in the classical McEliece
scrambling process. This is done in such a way that the Hamming weight of the
error, added in the encryption process, can be controlled so that efficient
decryption remains possible. The second variation is based on the use of
spatially coupled moderate-density parity-check codes as secret codes. These
codes are known for their excellent error-correction performance and allow for
a relatively low key size in the cryptosystem. For both variants the security
with respect to known attacks is discussed
On the Duality of Probing and Fault Attacks
In this work we investigate the problem of simultaneous privacy and integrity
protection in cryptographic circuits. We consider a white-box scenario with a
powerful, yet limited attacker. A concise metric for the level of probing and
fault security is introduced, which is directly related to the capabilities of
a realistic attacker. In order to investigate the interrelation of probing and
fault security we introduce a common mathematical framework based on the
formalism of information and coding theory. The framework unifies the known
linear masking schemes. We proof a central theorem about the properties of
linear codes which leads to optimal secret sharing schemes. These schemes
provide the lower bound for the number of masks needed to counteract an
attacker with a given strength. The new formalism reveals an intriguing duality
principle between the problems of probing and fault security, and provides a
unified view on privacy and integrity protection using error detecting codes.
Finally, we introduce a new class of linear tamper-resistant codes. These are
eligible to preserve security against an attacker mounting simultaneous probing
and fault attacks
Worst case QC-MDPC decoder for McEliece cryptosystem
McEliece encryption scheme which enjoys relatively small key sizes as well as
a security reduction to hard problems of coding theory. Furthermore, it remains
secure against a quantum adversary and is very well suited to low cost
implementations on embedded devices.
Decoding MDPC codes is achieved with the (iterative) bit flipping algorithm,
as for LDPC codes. Variable time decoders might leak some information on the
code structure (that is on the sparse parity check equations) and must be
avoided. A constant time decoder is easy to emulate, but its running time
depends on the worst case rather than on the average case. So far
implementations were focused on minimizing the average cost. We show that the
tuning of the algorithm is not the same to reduce the maximal number of
iterations as for reducing the average cost. This provides some indications on
how to engineer the QC-MDPC-McEliece scheme to resist a timing side-channel
attack.Comment: 5 pages, conference ISIT 201
- …