1,672 research outputs found
Timing attacks on Error Correcting Codes in Post-Quantum Schemes
While error correcting codes (ECC) have the potential to significantly reduce the failure probability of post-quantum schemes, they add an extra ECC decoding step to the algorithm. Even though this additional step does not compute directly on the secret key, it is susceptible to side-channel attacks. We show that if no precaution is taken, it is possible to use timing information to distinguish between ciphertexts that result in an error before decoding and ciphertexts that do not contain errors, due to the variable execution time of the ECC decoding algorithm. We demonstrate that this information can be used to break the IND-CCA security of post-quantum secure schemes by presenting an attack on two round 1 candidates to the NIST Post-Quantum Standardization Process: the Ring-LWE scheme LAC and the Mersenne prime scheme Ramstake. This attack recovers the full secret key using a limited number of timed decryption queries and is implemented on the reference and the optimized implementations of both submissions. It is able to retrieve LAC\u27s secret key for all security levels in under 2 minutes using less than decryption queries and Ramstake\u27s secret key in under 2 minutes using approximately decryption queries. The attack generalizes to other lattice-based schemes with ECC in which any side-channel information about the presence of errors is leaked during decoding
Rank-metric Encryption on Arm-Cortex M0
Since its invention by McEliece in 1978, cryptography based on Error Correcting Codes (ECC) has suffered from the reputation of not being suitable for constrained devices. Indeed, McEliece\u27s scheme and its variants have large public keys and relatively long ciphertexts.
Recent works on these downsides explored the possible use of ECC based on rank metric instead of Hamming metric.
These codes were introduced in the late 80\u27s to eliminate errors with repeating patterns, regardless of their Hamming weight.
Numerous proposals for the NIST Post-Quantum Cryptography (PQC) competition rely on these codes.
It has been proven that lattice-based cryptography and even hash-based signatures can run on lightweight devices,
but the question remains for code-based cryptography.
In this work, we demonstrate that this is actually possible for rank metric:
we have implemented the encryption operation of 5 schemes based on ECC in rank metric and made them run on an Arm Cortex-M0 processor, the smallest Arm processor available.
We describe the technical difficulties of porting rank-based cryptography to a resource-constrained device while maintaining decent performance and a suitable level of security against side-channel attacks, especially timing attacks
Worst case QC-MDPC decoder for McEliece cryptosystem
McEliece encryption scheme which enjoys relatively small key sizes as well as
a security reduction to hard problems of coding theory. Furthermore, it remains
secure against a quantum adversary and is very well suited to low cost
implementations on embedded devices.
Decoding MDPC codes is achieved with the (iterative) bit flipping algorithm,
as for LDPC codes. Variable time decoders might leak some information on the
code structure (that is on the sparse parity check equations) and must be
avoided. A constant time decoder is easy to emulate, but its running time
depends on the worst case rather than on the average case. So far
implementations were focused on minimizing the average cost. We show that the
tuning of the algorithm is not the same to reduce the maximal number of
iterations as for reducing the average cost. This provides some indications on
how to engineer the QC-MDPC-McEliece scheme to resist a timing side-channel
attack.Comment: 5 pages, conference ISIT 201
Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3
We investigate the cost of Grover's quantum search algorithm when used in the
context of pre-image attacks on the SHA-2 and SHA-3 families of hash functions.
Our cost model assumes that the attack is run on a surface code based
fault-tolerant quantum computer. Our estimates rely on a time-area metric that
costs the number of logical qubits times the depth of the circuit in units of
surface code cycles. As a surface code cycle involves a significant classical
processing stage, our cost estimates allow for crude, but direct, comparisons
of classical and quantum algorithms.
We exhibit a circuit for a pre-image attack on SHA-256 that is approximately
surface code cycles deep and requires approximately
logical qubits. This yields an overall cost of
logical-qubit-cycles. Likewise we exhibit a SHA3-256 circuit that is
approximately surface code cycles deep and requires approximately
logical qubits for a total cost of, again,
logical-qubit-cycles. Both attacks require on the order of queries in
a quantum black-box model, hence our results suggest that executing these
attacks may be as much as billion times more expensive than one would
expect from the simple query analysis.Comment: Same as the published version to appear in the Selected Areas of
Cryptography (SAC) 2016. Comments are welcome
Quantum cryptography: key distribution and beyond
Uniquely among the sciences, quantum cryptography has driven both
foundational research as well as practical real-life applications. We review
the progress of quantum cryptography in the last decade, covering quantum key
distribution and other applications.Comment: It's a review on quantum cryptography and it is not restricted to QK
Analysis of reaction and timing attacks against cryptosystems based on sparse parity-check codes
In this paper we study reaction and timing attacks against cryptosystems
based on sparse parity-check codes, which encompass low-density parity-check
(LDPC) codes and moderate-density parity-check (MDPC) codes. We show that the
feasibility of these attacks is not strictly associated to the quasi-cyclic
(QC) structure of the code but is related to the intrinsically probabilistic
decoding of any sparse parity-check code. So, these attacks not only work
against QC codes, but can be generalized to broader classes of codes. We
provide a novel algorithm that, in the case of a QC code, allows recovering a
larger amount of information than that retrievable through existing attacks and
we use this algorithm to characterize new side-channel information leakages. We
devise a theoretical model for the decoder that describes and justifies our
results. Numerical simulations are provided that confirm the effectiveness of
our approach
Decryption Failure Attacks on Post-Quantum Cryptography
This dissertation discusses mainly new cryptanalytical results related to issues of securely implementing the next generation of asymmetric cryptography, or Public-Key Cryptography (PKC).PKC, as it has been deployed until today, depends heavily on the integer factorization and the discrete logarithm problems.Unfortunately, it has been well-known since the mid-90s, that these mathematical problems can be solved due to Peter Shor's algorithm for quantum computers, which achieves the answers in polynomial time.The recently accelerated pace of R&D towards quantum computers, eventually of sufficient size and power to threaten cryptography, has led the crypto research community towards a major shift of focus.A project towards standardization of Post-quantum Cryptography (PQC) was launched by the US-based standardization organization, NIST. PQC is the name given to algorithms designed for running on classical hardware/software whilst being resistant to attacks from quantum computers.PQC is well suited for replacing the current asymmetric schemes.A primary motivation for the project is to guide publicly available research toward the singular goal of finding weaknesses in the proposed next generation of PKC.For public key encryption (PKE) or digital signature (DS) schemes to be considered secure they must be shown to rely heavily on well-known mathematical problems with theoretical proofs of security under established models, such as indistinguishability under chosen ciphertext attack (IND-CCA).Also, they must withstand serious attack attempts by well-renowned cryptographers both concerning theoretical security and the actual software/hardware instantiations.It is well-known that security models, such as IND-CCA, are not designed to capture the intricacies of inner-state leakages.Such leakages are named side-channels, which is currently a major topic of interest in the NIST PQC project.This dissertation focuses on two things, in general:1) how does the low but non-zero probability of decryption failures affect the cryptanalysis of these new PQC candidates?And 2) how might side-channel vulnerabilities inadvertently be introduced when going from theory to the practice of software/hardware implementations?Of main concern are PQC algorithms based on lattice theory and coding theory.The primary contributions are the discovery of novel decryption failure side-channel attacks, improvements on existing attacks, an alternative implementation to a part of a PQC scheme, and some more theoretical cryptanalytical results
LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes
This work presents a new code-based key encapsulation mechanism (KEM) called
LEDAkem. It is built on the Niederreiter cryptosystem and relies on
quasi-cyclic low-density parity-check codes as secret codes, providing high
decoding speeds and compact keypairs. LEDAkem uses ephemeral keys to foil known
statistical attacks, and takes advantage of a new decoding algorithm that
provides faster decoding than the classical bit-flipping decoder commonly
adopted in this kind of systems. The main attacks against LEDAkem are
investigated, taking into account quantum speedups. Some instances of LEDAkem
are designed to achieve different security levels against classical and quantum
computers. Some performance figures obtained through an efficient C99
implementation of LEDAkem are provided.Comment: 21 pages, 3 table
Algorithmic Security is Insufficient: A Comprehensive Survey on Implementation Attacks Haunting Post-Quantum Security
This survey is on forward-looking, emerging security concerns in post-quantum
era, i.e., the implementation attacks for 2022 winners of NIST post-quantum
cryptography (PQC) competition and thus the visions, insights, and discussions
can be used as a step forward towards scrutinizing the new standards for
applications ranging from Metaverse, Web 3.0 to deeply-embedded systems. The
rapid advances in quantum computing have brought immense opportunities for
scientific discovery and technological progress; however, it poses a major risk
to today's security since advanced quantum computers are believed to break all
traditional public-key cryptographic algorithms. This has led to active
research on PQC algorithms that are believed to be secure against classical and
powerful quantum computers. However, algorithmic security is unfortunately
insufficient, and many cryptographic algorithms are vulnerable to side-channel
attacks (SCA), where an attacker passively or actively gets side-channel data
to compromise the security properties that are assumed to be safe
theoretically. In this survey, we explore such imminent threats and their
countermeasures with respect to PQC. We provide the respective, latest
advancements in PQC research, as well as assessments and providing visions on
the different types of SCAs
Performance Evaluation of Round 2 Submission for the NIST Post-Quantum Cryptography Project
This paper looks at the submissions for round 2 of a competition held by National Institute of Standards and Technology (NIST) to find an encryption standard resistant to attacks by post-quantum computers. NIST announced its call for submissions in February 2016 with a deadline of November 2017 and announced the 69 algorithms that made the cut for round 1. In January 2019 the candidates for round 2 were announced with round 3 projected for 2020/2021
- …