Error Amplification in Code-based Cryptography

Nilsson, Alexander; Johansson, Thomas; Wagner, Paul Stankovski

doi:10.46586/tches.v2019.i1.238-258

Cited by 8 publications

(10 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…success or failure), the required time for decoding, the power consumption of some particular step, etc. (see [14,15,[17][18][19]25] for some concrete possibilities). The adversary first collects all the oracle replies, and then performs a statistical analysis on them, with the aim of guessing some information about the secret key.…”

Section: Gsa Attackmentioning

confidence: 99%

“…Such a probabilistic nature of decoding has been shown to leak some information about the secret key. The first-ever published attack of this kind, which is due to Guo et al [14], exploits events of decoding failure to recover the secret key; after that, the same attack procedure has been extended, in order to consider different schemes and other kinds of information leakage [15][16][17][18][19]. Essentially, all these attacks can be divided into two common phases.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Complexity of statistical attacks on QC‐LDPC code‐based cryptosystems

Santini

Baldi

Chiaraluce

2020

IET Information Security

View full text Add to dashboard Cite

Section: Gsa Attackmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Complexity of statistical attacks on QC‐LDPC code‐based cryptosystems

Santini

Baldi

Chiaraluce

2020

IET Information Security

View full text Add to dashboard Cite

“…In this paper we focus on systems with security against a Chosen Ciphertext Attack (CCA), that is, the case in which a proper conversion (like the one of [16]) is applied to the McEliece/Niederreiter cryptosystem, in order to achieve CCA security. In our attack model, this corresponds to assuming that the oracle queries are all randomly generated, i.e., the error vectors used during encryption can be seen as randomly picked elements from the ensemble of all n-uples with weight t. Opposed to the CCA case, in the Chosen Plaintext Attack (CPA) case the opponent is free to choose the error vectors used during encryption: from the adversary standpoint, the CPA assumption is clearly more optimistic than that of CCA, and leads to improvements in the attack [15], [21]. Obviously, all results we discuss in this paper can be extended to the CPA case.…”

Section: A General Framework For Reaction and Timing Attacksmentioning

confidence: 99%

“…Such a feature is crucial, since it has been shown how this probabilistic nature of the decoder actually exposes the system to cryptanalysis techniques based on the observation of the decryption phase. State-of-the-art attacks of this kind are commonly called reaction attacks, when based on decoding failures events [12], [13], [15], [22], or side-channel attacks, when based on information such as the duration of the decoding phase (in this case we speak properly of timing attacks) or other quantities [10], [11], [21]. All these previous techniques exploit the QC structure of the code and aim at recovering some characteristics of the secret key by performing a statistical analysis on a sufficiently large amount of collected data.…”

Section: Introductionmentioning

confidence: 99%

“…Our analysis is general and can be easily extended to other decoders than those considered here. Indeed, many different decoders have been analyzed in the literature (for instance, see [10] and [21]), and, as for the outcome of reaction and timing attacks, there is no meaningful difference between them. This strongly hints that such attacks are possible because of the probabilistic nature of the decoder, and are only slightly affected by the particular choice of the decoder and its settings.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Analysis of Reaction and Timing Attacks Against Cryptosystems Based on Sparse Parity-Check Codes

Santini

Battaglioni

Chiaraluce

et al. 2019

Code-Based Cryptography

View full text Add to dashboard Cite

In this paper we study reaction and timing attacks against cryptosystems based on sparse paritycheck codes, which encompass low-density parity-check (LDPC) codes and moderate-density paritycheck (MDPC) codes. We show that the feasibility of these attacks is not strictly associated to the quasi-cyclic (QC) structure of the code but is related to the intrinsically probabilistic decoding of any sparse parity-check code. So, these attacks not only work against QC codes, but can be generalized to broader classes of codes. We provide a novel algorithm that, in the case of a QC code, allows recovering a larger amount of information than that retrievable through existing attacks and we use this algorithm to characterize new side-channel information leakages. We devise a theoretical model for the decoder that describes and justifies our results. Numerical simulations are provided that confirm the effectiveness of our approach.

show abstract

On the Decoding Failure Rate of QC-MDPC Bit-Flipping Decoders

Sendrier

Vasseur

2019

Post-Quantum Cryptography

View full text Add to dashboard Cite

Quasi-cyclic moderate density parity check codes [1] allow the design of McEliece-like public-key encryption schemes with compact keys and a security that provably reduces to hard decoding problems for quasi-cyclic codes.In particular, QC-MDPC are among the most promising code-based key encapsulation mechanisms (KEM) that are proposed to the NIST call for standardization of quantum safe cryptography (two proposals, BIKE and QC-MDPC KEM).The first generation of decoding algorithms suffers from a small, but not negligible, decoding failure rate (DFR in the order of 10 −7 to 10 −10 ). This allows a key recovery attack that exploits a small correlation between the faulty message patterns and the secret key of the scheme [2], and limits the usage of the scheme to KEMs using ephemeral public keys. It does not impact the interactive establishment of secure communications (e.g. TLS), but the use of static public keys for asynchronous applications (e.g. email) is rendered dangerous.Understanding and improving the decoding of QCMDPC is thus of interest for cryptographic applications. In particular, finding parameters for which the failure rate is provably negligible (typically as low as 2 −64 or 2 −128 ) would allow static keys and increase the applicability of the mentioned cryptosystems.We study here a simple variant of bit-flipping decoding, which we call step-by-step decoding. It has a higher DFR but its evolution can be modelled by a Markov chain, within the theoretical framework of [3]. We study two other, more efficient, decoders. One is the textbook algorithm implemented as in [3]. The other is (close to) the BIKE decoder. For all those algorithms we provide simulation results, and, assuming an evolution similar to the step-by-step decoder, we extrapolate the value of the DFR as a function of the block length. This will give an indication of how much the code parameters must be increased to ensure resistance to the GJS attack.

show abstract

Error Amplification in Code-based Cryptography

Cited by 8 publications

References 11 publications

Complexity of statistical attacks on QC‐LDPC code‐based cryptosystems

Complexity of statistical attacks on QC‐LDPC code‐based cryptosystems

Analysis of Reaction and Timing Attacks Against Cryptosystems Based on Sparse Parity-Check Codes

On the Decoding Failure Rate of QC-MDPC Bit-Flipping Decoders

Contact Info

Product

Resources

About