Vulnerabilities of ``McEliece in the World of Escher

Recently, Gligoroski et al. proposed code-based encryption and signature schemes using list decoding, blockwise triangular private keys, and a nonuniform error pattern based on ``generalized error sets. The general approach was referred to as \emph{McEliece in the World of Escher.} This paper demonstrates attacks which are significantly cheaper than the claimed security level of the parameters given by Gligoroski et al. We implemented an attack on the proposed 80-bit parameters which was able to recover private keys for both encryption and signatures in approximately 2 hours on a single laptop. We further find that increasing the parameters to avoid our attack will require parameters to grow by almost an order of magnitude for signatures, and (at least) two orders of magnitude for encryption

An Encryption Scheme based on Random Split of St-Gen Codes

Staircase-Generator codes (St-Gen codes) have recently been introduced in the design of code-based public key schemes and for the design of steganographic matrix embedding schemes. In this paper we propose a method for random splitting of St-Gen Codes and use it to design a new coding based public key encryption scheme. The scheme uses the known list decoding method for St-Gen codes, but introduces a novelty in the creation of the public and private key. We modify the classical approach for hiding the structure of the generator matrix by introducing a technique for splitting it into random parts. This approach counters the weaknesses found in the previous constructions of public key schemes using St-Gen codes. Our initial software implementation shows that encryption using Random Split of St-Gen Codes compared to original St-Gen Codes is slower by a linear factor in the number of random splits of the St-Gen code, while the decryption complexity remains the same

Information-Set Decoding with Hints

This paper studies how to incorporate small information leakages (called “hints”) into information-set decoding (ISD) algorithms. In particular, the influence of these hints on solving the (n, k, t)-syndrome-decoding problem (SDP), i.e., generic syndrome decoding of a code of length n, dimension k, and an error of weight t, is analyzed. We motivate all hints by leakages obtainable through realistic side-channel attacks on code-based post-quantum cryptosystems. One class of studied hints consists of partial knowledge of the error or message, which allow to reduce the length, dimension, or error weight using a suitable transformation of the problem. As a second class of hints, we assume that the Hamming weights of subblocks of the error are known, which can be motivated by a template attack. We present adapted ISD algorithms for this type of leakage. For each third-round code-based NIST submission (Classic McEliece, BIKE, HQC), we show how many hints of each type are needed to reduce the work factor below the claimed security level. E.g., for Classic McEliece mceliece348864, the work factor is reduced below 2^128 for 175 known message entries, 9 known error locations, 650 known error-free positions, or known Hamming weights of 29 subblocks of roughly equal size

Semantic Security and Key-Privacy With Random Split of St-Gen Codes

Recently we have defined Staircase-Generator codes (St-Gen codes) and their variant with a random split of the generator matrix of the codes. One unique property of these codes is that they work with arbitrary error sets. In this paper we give a brief overview of St-Gen codes and the list decoding algorithm for their decoding. We also analyze the semantic security against chosen plaintext attack (IND-CPA) and key-privacy i.e. indistinguishability of public keys under chosen plaintext attack (IK-CPA) of the encryption scheme with random split of St-Gen codes. In a similar manner as it was done by Nojima et al., and later by Yamakawa et al., we show that padding the plaintext with a random bit-string provides IND-CPA and IK-CPA in the standard model. The difference with McEliece scheme is that with our scheme the length of the padded random string is significantly shorter

A Modified pqsigRM: RM Code-Based Signature Scheme

We propose a novel signature scheme based on a modified Reed--Muller (RM) code, which reduces the signing complexity and key size compared to existing code-based signature schemes. This cheme is called as the modified pqsigRM, and corresponds to an improvement of pqsigRM, the proposal submitted to NIST. Courtois, Finiasz, and Sendrier (CFS) proposed a code-based signature scheme using the Goppa codes based on a full domain hash approach. However, owing to the properties of Goppa codes, the CFS signature scheme has drawbacks such as signing complexity and large key size. We overcome these disadvantages of the CFS signature scheme using partially permuted RM code and its decoding, which finds a near codeword for any received vector. Using a partially permuted RM code, the signature scheme resists various known attacks on the RM code-based cryptography. Additionally, we further modify the RM codes by row insertion/deletion of the generator matrix and thereafter resolve the problems reported in the post-quantum cryptography forum by NIST, such as the Hamming weight distribution of the public code

A Digital Signature Scheme Based on Random Split of St-Gen Codes

Recently we proposed a method for a random split of Staircase-Generator codes (St-Gen codes) to counter the weaknesses found in the previous constructions of public key schemes using St-Gen codes. The initial proposal for the random split addressed only the encryption scheme, and we left the problem of how to apply the random splitting on the signature scheme open. In this work we solve that open problem and describe a digital signature scheme based on random split of St-Gen codes

FuLeeca: A Lee-based Signature Scheme

In this work we introduce a new code-based signature scheme, called \textsf{FuLeeca}, based on the NP-hard problem of finding codewords of given Lee-weight. The scheme follows the Hash-and-Sign approach applied to quasi-cyclic codes. Similar approaches in the Hamming metric have suffered statistical attacks, which revealed the small support of the secret basis. Using the Lee metric, we are able to thwart such attacks. We use existing hardness results on the underlying problem and study adapted statistical attacks. We propose parameters for \textsf{FuLeeca}~and compare them to an extensive list of proposed post-quantum secure signature schemes including the ones already standardized by NIST. This comparison reveals that \textsf{FuLeeca}~is competitive. For example, for NIST category I, i.e., 160 bit of classical security, we obtain an average signature size of 1100 bytes and public key sizes of 1318 bytes. Comparing the total communication cost, i.e., the sum of the signature and public key size, we see that \textsf{FuLeeca} is only outperformed by Falcon while the other standardized schemes Dilithium and SPHINCS+ show larger communication costs than \textsf{FuLeeca}

Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes

We present here a new family of trapdoor one-way Preimage Sampleable Functions (PSF) based on codes, the Wave-PSF family. The trapdoor function is one-way under two computational assumptions: the hardness of generic decoding for high weights and the indistinguishability of generalized $(U,U+V)$-codes. Our proof follows the GPV strategy [GPV08]. By including rejection sampling, we ensure the proper distribution for the trapdoor inverse output. The domain sampling property of our family is ensured by using and proving a variant of the left-over hash lemma. We instantiate the new Wave-PSF family with ternary generalized $(U,U+V)$-codes to design a "hash-and-sign" signature scheme which achieves existential unforgeability under adaptive chosen message attacks (EUF-CMA) in the random oracle model. For 128 bits of classical security, signature sizes are in the order of 15 thousand bits, the public key size in the order of 4 megabytes, and the rejection rate is limited to one rejection every 10 to 12 signatures.Comment: arXiv admin note: text overlap with arXiv:1706.0806

정보 보호 기계 학습의 암호학 기반 기술: 근사 동형 암호와 부호 기반 암호

학위논문 (박사) -- 서울대학교 대학원 : 공과대학 전기·정보공학부, 2021. 2. 노종선.In this dissertation, three main contributions are given as; i) a protocol of privacy-preserving machine learning using network resources, ii) the development of approximate homomorphic encryption that achieves less error and high-precision bootstrapping algorithm without compromising performance and security, iii) the cryptanalysis and the modification of code-based cryptosystems: cryptanalysis on IKKR cryptosystem and modification of the pqsigRM, a digital signature scheme proposed to the post-quantum cryptography (PQC) standardization of National Institute of Standards and Technology (NIST). The recent development of machine learning, cloud computing, and blockchain raises a new privacy problem; how can one outsource computation on confidential data? Moreover, as research on quantum computers shows success, the need for PQC is also emerging. Multi-party computation (MPC) is the cryptographic protocol that makes computation on data without revealing it. Since MPC is designed based on homomorphic encryption (HE) and PQC, research on designing efficient and safe HE and PQC is actively being conducted. First, I propose a protocol for privacy-preserving machine learning (PPML) that replaces bootstrapping of homomorphic encryption with network resources. In general, the HE ciphertext has a limited depth of circuit that can be calculated, called the level of a ciphertext. We call bootstrapping restoring the level of ciphertext that has exhausted its level through a method such as homomorphic decryption. Bootstrapping of homomorphic encryption is, in general, very expensive in time and space. However, when deep computations like deep learning are performed, it is required to do bootstrapping. In this protocol, both the client's message and servers' intermediate values are kept secure, while the client's computation and communication complexity are light. Second, I propose an improved bootstrapping algorithm for the CKKS scheme and a method to reduce the error by homomorphic operations in the CKKS scheme. The Cheon-Kim-Kim-Song (CKKS) scheme (Asiacrypt '17) is one of the highlighted fully homomorphic encryption (FHE) schemes as it is efficient to deal with encrypted real numbers, which are the usual data type for many applications such as machine learning. However, the precision drop due to the error growth is a drawback of the CKKS scheme for data processing. I propose a method to achieve high-precision approximate FHE using the following two methods .First, I apply the signal-to-noise ratio (SNR) concept and propose methods to maximize SNR by reordering homomorphic operations in the CKKS scheme. For that, the error variance is minimized instead of the upper bound of error when we deal with the encrypted data. Second, from the same perspective of minimizing error variance, I propose a new method to find the approximate polynomials for the CKKS scheme. The approximation method is especially applied to the CKKS scheme's bootstrapping, where we achieve bootstrapping with smaller error variance compared to the prior arts. In addition to the above variance-minimizing method, I cast the problem of finding an approximate polynomial for a modulus reduction into an L2-norm minimization problem. As a result, I find an approximate polynomial for the modulus reduction without using the sine function, which is the upper bound for the polynomial approximation of the modulus reduction. By using the proposed method, the constraint of q = O(m^{3/2}) is relaxed as O(m), and thus the level loss in bootstrapping can be reduced. The performance improvement by the proposed methods is verified by implementation over HE libraries, that is, HEAAN and SEAL. The implementation shows that by reordering homomorphic operations and using the proposed polynomial approximation, the reliability of the CKKS scheme is improved. Therefore, the quality of services of various applications using the proposed CKKS scheme, such as PPML, can be improved without compromising performance and security. Finally, I propose an improved code-based signature scheme and cryptanalysis of code-based cryptosystems. A novel code-based signature scheme with small parameters and an attack algorithm on recent code-based cryptosystems are presented in this dissertation. This scheme is based on a modified Reed-Muller (RM) code, which reduces the signing complexity and key size compared with existing code-based signature schemes. The proposed scheme has the advantage of the pqsigRM decoder and uses public codes that are more difficult to distinguish from random codes. I use (U, U+V) -codes with the high-dimensional hull to overcome the disadvantages of code-based schemes. The proposed a decoder which efficiently samples from coset elements with small Hamming weight for any given syndrome. The proposed signature scheme resists various known attacks on RM code-based cryptography. For 128 bits of classical security, the signature size is 4096 bits, and the public key size is less than 1 MB. Recently, Ivanov, Kabatiansky, Krouk, and Rumenko (IKKR) proposed three new variants of the McEliece cryptosystem (CBCrypto 2020, affiliated with Eurocrypt 2020). This dissertation shows that one of the IKKR cryptosystems is equal to the McEliece cryptosystem. Furthermore, a polynomial-time attack algorithm for the other two IKKR cryptosystems is proposed. The proposed attack algorithm utilizes the linearity of IKKR cryptosystems. Also, an implementation of the IKKR cryptosystems and the proposed attack is given. The proposed attack algorithm finds the plaintext within 0.2 sec, which is faster than the elapsed time for legitimate decryption.본 논문은 크게 다음의 세 가지의 기여를 포함한다. i) 네트워크를 활용해서 정보 보호 딥러닝을 개선하는 프로토콜 ii) 근사 동형 암호에서 보안성과 성능의 손해 없이 에러를 낮추고 높은 정확도로 부트스트래핑 하는 방법 iii) IKKR 암호 시스템과 pqsigRM 등 부호 기반 암호를 공격하는 방법과 효율적인 부호 기반 전자 서명 시스템. 근래의 기계학습과 블록체인 기술의 발전으로 인해서 기밀 데이터에 대한 연산을 어떻게 외주할 수 있느냐에 대한 새로운 보안 문제가 대두되고 있다. 또한, 양자 컴퓨터에 관한 연구가 성공을 거듭하면서, 이를 이용한 공격에 저항하는 포스트 양자 암호의 필요성 또한 커지고 있다. 다자간 컴퓨팅은 데이터를 공개하지 않고 데이터에 대한 연산을 수행할 수 있도록 하는 암호학적 프로토콜의 총칭이다. 다자간 컴퓨팅은 동형 암호와 포스트 양자 암호에 기반하고 있으므로, 효율적인 동형 암호와 포스트 양자 암호에 관한 연구가 활발하게 수행되고 있다. 동형 암호는 암호화된 데이터에 대한 연산이 가능한 특수한 암호화 알고리즘이다. 일반적으로 동형 암호의 암호문에 대해서 수행 가능한 연산의 깊이가 정해져 있으며, 이를 암호문의 레벨이라고 칭한다. 레벨을 모두 소비한 암호문의 레벨을 다시 복원하는 과정을 부트스트래핑 (bootstrapping)이라고 칭한다. 일반적으로 부트스트래핑은 매우 오래 걸리는 연산이며 시간 및 공간 복잡도가 크다. 그러나, 딥러닝과 같이 깊이가 큰 연산을 수행하는 경우 부트스트래핑이 필수적이다. 본 논문에서는 정보 보호 기계학습을 위한 새로운 프로토콜을 제안한다. 이 프로토콜에서는 입력 메시지와 더불어 신경망의 중간값들 또한 안전하게 보호된다. 그러나 여전히 사용자의 통신 및 연산 복잡도는 낮게 유지된다. Cheon, Kim, Kim 그리고 Song (CKKS)가 제안한 암호 시스템 (Asiacrypt 17)은 기계학습 등에서 가장 널리 쓰이는 데이터인 실수를 효율적으로 다룰 수 있으므로 가장 촉망받는 완전 동형 암호 시스템이다. 그러나, 오류의 증폭과 전파가 CKKS 암호 시스템의 가장 큰 단점이다. 이 논문에서는 아래의 기술을 활용하여 CKKS 암호 시스템의 오류를 줄이는 방법을 제안하며, 이는 근사 동형 암호에 일반화하여 적용할 수 있다. 첫째, 신호 대비 잡음 비 (signal-to-noise ratio, SNR)의 개념을 도입하여, SNR를 최대화하도록 연산의 순서를 재조정한다. 그러기 위해서는, 오류의 최대치 대신 분산이 최소화되어야 하며, 이를 관리해야 한다. 둘째, 오류의 분산을 최소화한다는 같은 관점에서 새로운 다항식 근사 방법을 제안한다. 이 근사 방법은 특히, CKKS 암호 시스템의 부트스트래핑에 적용되었으며, 종래 기술보다 더 낮은 오류를 달성한다. 위의 방법에 더하여, 근사 다항식을 구하는 문제를 L2-norm 최소화 문제로 치환하는 방법을 제안한다. 이를 통해서 사인 함수의 도입 없이 근사 다항식을 구하는 방법을 제안한다. 제안된 방법을 사용하면, q=O(m^{3/2})라는 제약을 q=O(m)으로 줄일 수 있으며, 부트스트래핑에 필요한 레벨 소모를 줄일 수 있다. 성능 향상은 HEAAN과 SEAL 등의 동형 암호 라이브러리를 활용한 구현을 통해 증명했으며, 구현을 통해서 연산 재정렬과 새로운 부트스트래핑이 CKKS 암호 시스템의 성능을 향상함을 확인했다. 따라서, 보안성과 성능의 타협 없이 근사 동형 암호를 사용하는 서비스의 질을 향상할 수 있다. 양자 컴퓨터를 활용하여 전통적인 공개키 암호를 공격하는 효율적인 알고리즘이 공개되면서, 포스트 양자 암호에 대한 필요성이 증대했다. 부호 기반 암호는 포스트 양자 암호로써 널리 연구되었다. 작은 키 크기를 갖는 새로운 부호 기반 전자 서명 시스템과 부호 기반 암호를 공격하는 방법이 논문에 제안되어 있다. pqsigRM이라 명명한 전자 서명 시스템이 그것이다. 이 전자 서명 시스템은 수정된 Reed-Muller (RM) 부호를 활용하며, 서명의 복잡도와 키 크기를 종래 기술보다 많이 줄인다. pqsigRM은 hull의 차원이 큰 (U, U+V) 부호와 이의 복호화를 이용하여, 서명에서 큰 이득이 있다. 이 복호화 알고리즘은 주어진 모든 코셋 (coset)의 원소에 대하여 작은 헤밍 무게를 갖는 원소를 반환한다. 또한, 수정된 RM 부호를 이용하여, 알려진 모든 공격에 저항한다. 128비트 안정성에 대해서 서명의 크기는 4096 비트이고, 공개 키의 크기는 1MB보다 작다. 최근, Ivanov, Kabatiansky, Krouk, 그리고 Rumenko (IKKR)가 McEliece 암호 시스템의 세 가지 변형을 발표했다 (CBCrypto 2020, Eurocrypt 2020와 함께 진행). 본 논문에서는 IKKR 암호 시스템중 하나가 McEliece 암호 시스템과 동치임을 증명한다. 또한 나머지 IKKR 암호 시스템에 대한 다항 시간 공격을 제안한다. 제안하는 공격은 IKKR 암호 시스템의 선형성을 활용한다. 또한, 이 논문은 제안한 공격의 구현을 포함하며, 제안된 공격은 0.2초 이내에 메시지를 복원하고, 이는 정상적인 복호화보다 빠른 속도이다.Contents Abstract i Contents iv List of Tables ix List of Figures xi 1 Introduction 1 1.1 Homomorphic Encryption and Privacy-Preserving Machine Learning 4 1.2 High-Precision CKKS Scheme and Its Bootstrapping 5 1.2.1 Near-Optimal Bootstrapping of the CKKS Scheme Using Least Squares Method 6 1.2.2 Variance-Minimizing and Optimal Bootstrapping of the CKKS Scheme 8 1.3 Efficient Code-Based Signature Scheme and Cryptanalysis of the Ivanov-Kabatiansky-Krouk-Rumenko Cryptosystems 10 1.3.1 Modified pqsigRM: An Efficient Code-Based Signature Scheme 11 1.3.2 Ivanov-Kabatiansky-Krouk-Rumenko Cryptosystems and Its Equality 13 1.4 Organization of the Dissertation 14 2 Preliminaries 15 2.1 Basic Notation 15 2.2 Privacy-Preserving Machine Learning and Security Terms 16 2.2.1 Privacy-Preserving Machine Learning and Security Terms 16 2.2.2 Privacy-Preserving Machine Learning 17 2.3 The CKKS Scheme and Its Bootstrapping 18 2.3.1 The CKKS Scheme 18 2.3.2 CKKS Scheme in RNS 22 2.3.3 Bootstrapping of the CKKS Scheme 24 2.3.4 Statistical Characteristics of Modulus Reduction and Failure Probability of Bootstrapping of the CKKS Scheme 26 2.4 Approximate Polynomial and Signal-to-Noise Perspective for Approximate Homomorphic Encryption 27 2.4.1 Chebyshev Polynomials 27 2.4.2 Signal-to-Noise Perspective of the CKKS Scheme 28 2.5 Preliminary for Code-Based Cryptography 29 2.5.1 The McEliece Cryptosystem 29 2.5.2 CFS Signature Scheme 30 2.5.3 ReedMuller Codes and Recursive Decoding 31 2.5.4 IKKR Cryptosystems 33 3 Privacy-Preserving Machine Learning via FHEWithout Bootstrapping 37 3.1 Introduction 37 3.2 Information Theoretic Secrecy and HE for Privacy-Preserving Machine Learning 38 3.2.1 The Failure Probability of Ordinary CKKS Bootstrapping 39 3.3 Comparison With Existing Methods 43 3.3.1 Comparison With the Hybrid Method 43 3.3.2 Comparison With FHE Method 44 3.4 Comparison for Evaluating Neural Network 45 4 High-Precision Approximate Homomorphic Encryption and Its Bootstrapping by Error Variance Minimization and Convex Optimization 50 4.1 Introduction 50 4.2 Optimization of Error Variance in the Encrypted Data 51 4.2.1 Tagged Information for Ciphertext 52 4.2.2 WorstCase Assumption 53 4.2.3 Error in Homomorphic Operations of the CKKS Scheme 54 4.2.4 Reordering Homomorphic Operations 59 4.3 Near-Optimal Polynomial for Modulus Reduction 66 4.3.1 Approximate Polynomial Using L2-Norm optimization 66 4.3.2 Efficient Homomorphic Evaluation of the Approximate Polynomial 70 4.4 Optimal Approximate Polynomial and Bootstrapping of the CKKS Scheme 73 4.4.1 Polynomial Basis Error and Polynomial Evaluation in the CKKS Scheme 73 4.4.2 Variance-Minimizing Polynomial Approximation 74 4.4.3 Optimal Approximate Polynomial for Bootstrapping and Magnitude of Its Coefficients 75 4.4.4 Reducing Complexity and Error Using Odd Function 79 4.4.5 Generalization of Weight Constants and Numerical Method 80 4.5 Comparison and Implementation 84 4.6 Reduction of Level Loss in Bootstrapping 89 4.7 Implementation of the Proposed Method and Performance Comparison 92 4.7.1 Error Variance Minimization 92 4.7.2 Weight Constant and Minimum Error Variance 93 4.7.3 Comparison of the Proposed MethodWith the Previous Methods 96 5 Efficient Code-Based Signature Scheme and Cryptanalysis of Code-Based Cryptosystems 104 5.1 Introduction 104 5.2 Modified ReedMuller Codes and Proposed Signature Scheme 105 5.2.1 Partial Permutation of Generator Matrix and Modified ReedMuller Codes 105 5.2.2 Decoding of Modified ReedMuller Codes 108 5.2.3 Proposed Signature Scheme 110 5.3 Security Analysis of Modified pqsigRM 111 5.3.1 Decoding One Out of Many 112 5.3.2 Security Against Key Substitution Attacks 114 5.3.3 EUFCMA Security 114 5.4 Indistinguishability of the Public Code and Signature 120 5.4.1 Modifications of Public Code 121 5.4.2 Public Code Indistinguishability 124 5.4.3 Signature Leaks 126 5.5 Parameter Selection 126 5.5.1 Parameter Sets 126 5.5.2 Statistical Analysis for Determining Number of Partial Permutations 128 5.6 Equivalence of the Prototype IKKR and the McEliece Cryptosystems 131 5.7 Cryptanalysis of the IKKR Cryptosystems 133 5.7.1 Linearity of Two Variants of IKKR Cryptosystems 133 5.7.2 The Attack Algorithm 134 5.7.3 Implementation 135 6 Conclusion 139 6.1 Privacy-Preserving Machine Learning Without Bootstrapping 139 6.2 Variance-Minimization in the CKKS Scheme 140 6.3 L2-Norm Minimization for the Bootstrapping of the CKKS Scheme 141 6.4 Modified pqsigRM: RM Code-Based Signature Scheme 142 6.5 Cryptanalysis of the IKKR Cryptosystem 143 Abstract (In Korean) 155 Acknowlegement 158Docto

Wave: A New Code-Based Signature Scheme

preprint IACR disponible sur https://eprint.iacr.org/2018/996/20181022:154324We present here Wave the first "hash-and-sign" code-based signature scheme which strictly follows the GPV strategy [GPV08]. It uses the family of ternary generalized (U, U + V) codes. We prove that Wave achieves existential unforgeability under adaptive chosen message attacks (EUF-CMA) in the random oracle model (ROM) with a tight reduction to two assumptions from coding theory: one is a distinguishing problem that is related to the trapdoor we insert in our scheme, the other one is DOOM, a multiple target version of syndrome decoding. The algorithm produces uniformly distributed signatures through a suitable rejection sampling. Our scheme enjoys efficient signature and verification algorithms. For 128 bits of classical security, signature are 8 thousand bits long and the public key size is slightly smaller than one megabyte. Furthermore, with our current choice of parameters, the rejection rate is limited to one rejection every 3 or 4 signatures