2018
DOI: 10.1007/978-3-030-00434-7_16

Assessing and Countering Reaction Attacks Against Post-Quantum Public-Key Cryptosystems Based on QC-LDPC Codes

Abstract: Code-based public-key cryptosystems based on QC-LDPC and QC-MDPC codes are promising post-quantum candidates to replace quantum vulnerable classical alternatives. However, a new type of attacks based on Bob's reactions have recently been introduced and appear to significantly reduce the length of the life of any keypair used in these systems. In this paper we estimate the complexity of all known reaction attacks against QC-LDPC and QC-MDPC code-based variants of the McEliece cryptosystem. We also show how the …

Cited by 2 publications (4 citation statements)
References 18 publications

“…Then, in the attack complexity, we can neglect the complexity of the cliques search. The complexity of this attack, which has been extensively studied in [32], can then be estimated as WF FHS + ≥ 2 2n 0 − n (1) − n (2) n 0 ! n (1)…”
Section: FHS+ Attack (mentioning)
confidence: 99%
“…Thus, an opponent can apply an ISD algorithm to search for vectors with weight $n_0 d_v$, denoted as $\bar{v}(x)$ in polynomial notation, such that $G(x)\bar{v}^T(x) = 0$. In particular, some considerations on G′ can be made in order to ease the application of ISD; details on this procedure can be found in [32]. As for the FHS+ attack, unless the DFR of the system is significantly low, we can neglect the complexity of Algorithm 6 (Fig.…”
Section: FHZ Attack (mentioning)
confidence: 99%
“…One final remark is about the schemes we consider: as shown in [24], [25], the complexity of algorithm A can be increased with proper choices in the structure of the secret key.…”
Section: A General Framework For Reaction and Timing Attacks (mentioning)
confidence: 99%
“…Thus, after observing a sufficiently large number of decryption instances, an adversary can exploit the gathered information to reconstruct the secret key, or an equivalent version of it. The reconstruction phase is commonly very efficient, unless some specific choices in the system design are made [24], [25] which, however, may have some significant drawbacks in terms of public key size. All the aforementioned attack techniques are instead prevented if the DFR has negligible values [27] and the algorithm is implemented with constant time.…”
Section: Introduction (mentioning)
confidence: 99%