Lightweight Post-Quantum-Secure Digital Signature Approach for IoT Motes

Internet-of-Things (IoT) applications often require constrained devices to be deployed in the field for several years, even decades. Protection of these tiny motes is crucial for end-to-end IoT security. Secure boot and attestation techniques are critical requirements in such devices which rely on public key Sign/Verify operations. In a not-so-distant future, quantum computers are expected to break traditional public key Sign/Verify functions (e.g. RSA and ECC signatures). Hash Based Signatures (HBS) schemes, on the other hand, are promising quantum-resistant alternatives. Their security is based on the security of cryptographic hash function which is known to be secure against quantum computers. The XMSS signature scheme is a modern HBS construction with several advantages but it requires thousands of hash operations per Sign/Verify operation, which could be challenging in resource constrained IoT motes. In this work, we investigated the use of the XMSS scheme targeting IoT constrained. We propose a latency-area optimized XMSS Sign or Verify scheme with 128-bit post-quantum security. An appropriate HW-SW architecture has been designed and implemented in FPGA and Silicon where it spans out to 1521 ALMs and 13.5k gates respectively. In total, each XMSS Sign/Verify operation takes 4.8 million clock cycles in our proposed HW-SW hybrid design approach which is 5.35 times faster than its pure SW execution latency on a 32-bit microcontroller

Anonymous Attestation for IoT

Internet of Things (IoT) have seen tremendous growth and are being deployed pervasively in areas such as home, surveillance, health-care and transportation. These devices collect and process sensitive data with respect to user\u27s privacy. Protecting the privacy of the user is an essential aspect of security, and anonymous attestation of IoT devices are critical to enable privacy-preserving mechanisms. Enhanced Privacy ID (EPID) is an industry-standard cryptographic scheme that offers anonymous attestation. It is based on group signature scheme constructed from bilinear pairings, and provides anonymity and sophisticated revocation capabilities (private-key based revocation and signature-based revocation). Despite the interesting privacy-preserving features, EPID operations are very computational and memory intensive. In this paper, we present a small footprint anonymous attestation solution based on EPID that can meet the stringent resource requirements of IoT devices. A specific modular-reduction technique targeting the EPID prime number has been developed resulting in 50% latency reduction compared to conventional reduction techniques. Furthermore, we developed a multi-exponentiation technique that significantly reduces the runtime memory requirements. Our proposed design can be implemented as SW-only, or it can utilize an integrated Elliptic Curve and Galois Field HW accelerator. The EPID SW stack has a small object code footprint of 22kB. We developed a prototype on a 32-bit microcontroller that computes EPID signature generation in 17.9s at 32MHz

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes

This work presents a new code-based key encapsulation mechanism (KEM) called LEDAkem. It is built on the Niederreiter cryptosystem and relies on quasi-cyclic low-density parity-check codes as secret codes, providing high decoding speeds and compact keypairs. LEDAkem uses ephemeral keys to foil known statistical attacks, and takes advantage of a new decoding algorithm that provides faster decoding than the classical bit-flipping decoder commonly adopted in this kind of systems. The main attacks against LEDAkem are investigated, taking into account quantum speedups. Some instances of LEDAkem are designed to achieve different security levels against classical and quantum computers. Some performance figures obtained through an efficient C99 implementation of LEDAkem are provided.Comment: 21 pages, 3 table

Efficient implementation of a CCA2-secure variant of McEliece using generalized Srivastava codes

International audienceIn this paper we present efficient implementations of McEliece variants using quasi-dyadic codes. We provide secure parameters for a classical McEliece encryption scheme based on quasi-dyadic generalized Srivastava codes, and successively convert our scheme to a CCA2-secure protocol in the random oracle model applying the Fujisaki-Okamoto transform. In contrast with all other CCA2-secure code-based cryptosystems that work in the random oracle model, our conversion does not require a constant weight encoding function. We present results for both 128-bit and 80-bit security level, and for the latter we also feature an implementation for an embedded device

LEDAcrypt: QC-LDPC Code-Based Cryptosystems with Bounded Decryption Failure Rate

We consider the QC-LDPC code-based cryptosystems named LEDAcrypt, which are under consideration by NIST for the second round of the post-quantum cryptography standardization initiative. LEDAcrypt is the result of the merger of the key encapsulation mechanism LEDAkem and the public-key cryptosystem LEDApkc, which were submitted to the first round of the same competition. We provide a detailed quantification of the quantum and classical computational efforts needed to foil the cryptographic guarantees of these systems. To this end, we take into account the best known attacks that can be mounted against them employing both classical and quantum computers, and compare their computational complexities with the ones required to break AES, coherently with the NIST requirements. Assuming the original LEDAkem and LEDApkc parameters as a reference, we introduce an algorithmic optimization procedure to design new sets of parameters for LEDAcrypt. These novel sets match the security levels in the NIST call and make the C reference implementation of the systems exhibit significantly improved figures of merit, in terms of both running times and key sizes. As a further contribution, we develop a theoretical characterization of the decryption failure rate (DFR) of LEDAcrypt cryptosystems, which allows new instances of the systems with guaranteed low DFR to be designed. Such a characterization is crucial to withstand recent attacks exploiting the reactions of the legitimate recipient upon decrypting multiple ciphertexts with the same private key, and consequentially it is able to ensure a lifecycle of the corresponding key pairs which can be sufficient for the wide majority of practical purposes

Monoidic Codes in Cryptography

International audienceAt SAC 2009, Misoczki and Barreto proposed a new class of codes, which have parity-check matrices that are quasi-dyadic. A special subclass of these codes were shown to coincide with Goppa codes and those were recommended for cryptosystems based on error-correcting codes. Quasi-dyadic codes have both very compact representations and allow for efficient processing, resulting in fast cryptosystems with small key sizes. In this paper, we generalize these results and introduce quasi-monoidic codes, which retain all desirable properties of quasi-dyadic codes. We show that, as before, a subclass of our codes contains only Goppa codes or, for a slightly bigger subclass, only Generalized Srivastava codes. Unlike before, we also capture codes over fields of odd characteristic. These include wild Goppa codes that were proposed at SAC 2010 by Bernstein, Lange, and Peters for their exceptional error-correction capabilities. We show how to instantiate standard code-based encryption and signature schemes with our codes and give some preliminary parameters

Algebraic Attack against Variants of McEliece with Goppa Polynomial of a Special Form

International audienceIn this paper, we present a new algebraic attack against some special cases of Wild McEliece Incognito, a generalization of the original McEliece cryptosystem. This attack does not threaten the original McEliece cryptosystem. We prove that recovering the secret key for such schemes is equivalent to solving a system of polynomial equations whose solutions have the structure of a usual vector space. Consequently, to recover a basis of this vector space, we can greatly reduce the number of variables in the corresponding algebraic system. From these solutions, we can then deduce the basis of a GRS code. Finally, the last step of the cryptanalysis of those schemes corresponds to attacking a McEliece scheme instantiated with particular GRS codes (with a polynomial relation between the support and the multipliers) which can be done in polynomial-time thanks to a variant of the Sidelnikov-Shestakov attack. For Wild McEliece & Incognito, we also show that solving the corresponding algebraic system is notably easier in the case of a non-prime base eld Fq. To support our theoretical results, we have been able to practically break several parameters de ned over a non-prime base field q in {9; 16; 25; 27; 32}, t < 7, extension degrees m in {2,3}, security level up to 2^129 against information set decoding in few minutes or hours

Reducing the Key Size of McEliece Cryptosystem from Automorphism-induced Goppa Codes via Permutations

In this paper, we propose a new general construction to reduce the public key size of McEliece cryptosystems constructed from automorphism-induced Goppa codes. In particular, we generalize the ideas of automorphism-induced Goppa codes by considering nontrivial subsets of automorphism groups to construct Goppa codes with a nice block structure. By considering additive and multiplicative automorphism subgroups, we provide explicit constructions to demonstrate our technique. We show that our technique can be applied to automorphism-induced Goppa codes based cryptosystems to further reduce their key sizes

Optimizing Information Set Decoding Algorithms to Attack Cyclosymmetric MDPC Codes

Abstract. The most important drawback to code-based cryptography has historically been its large key sizes. Recently, several promising ap-proaches have been proposed to reduce keysizes. In particular, signifi-cant keysize reduction has been achieved by using structured, but non-algebraic codes, such as quasi-cyclic (QC) Moderate Density Parity Check (MDPC) codes. Biasi et al. propose further reducing the keysizes of code-based schemes using cyclosymmetric (CS) codes. Biasi et al. analyze the complexity of attacking their scheme using standard information-set-decoding attacks. However, the research presented here shows that information set decoding algorithms can be modified, by choosing the columns of the information set in a way that takes advantage of the added symmetry. The result is an attack that significantly reduces the security of the proposed CS-MDPC schemes to the point that they no longer offer an advantage in keysize over QC-MDPC schemes of the same security level. Key words: information set decoding, code-based cryptography, mod-erate density parity check (MDPC) codes, cyclosymmetri