McBits: Fast Constant-Time Code-Based Cryptography

Abstract. Several ideal-lattice-based cryptosystems have been broken by recent attacks that exploit special structures of the rings used in those cryptosystems. The same structures are also used in the leading proposals for post-quantum lattice-based cryptography, including the classic NTRU cryptosystem and typical Ring-LWE-based cryptosystems. This paper (1) proposes NTRU Prime, which tweaks NTRU to use rings without these structures; (2) proposes Streamlined NTRU Prime, a public-key cryptosystem optimized from an implementation perspective, subject to the standard design goal of IND-CCA2 security; (3) finds high-security post-quantum parameters for Streamlined NTRU Prime; and (4) optimizes a constant-time implementation of those parameters. The resulting sizes and speeds show that reducing the attack surface has very low cost.

show abstract

“…McBits [21] avoids this problem, because it uses a separate output bit from the KEM to indicate a decoding failure.…”

Section: K An Attack On a Kemmentioning

confidence: 99%

“…There are also multiplications by variable powers of x, which at low cost can be absorbed into constant-time multiplications by x in earlier steps. A constanttime version of the Berlekamp-Massey algorithm was used in [21].…”

Section: T Further Notes On Constant-time Computationsmentioning

confidence: 99%

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

Lecture Notes in Computer Science

Self Cite

120

View full text Add to dashboard Cite

show abstract

“…The advantage of this algorithm is that it isn't vulnerable to several existing timing attacks and it allows a fast and constant-time computation. Some advantages are listed in [3].…”

Section: Alternant Decodersmentioning

confidence: 99%

“…Falko Strenzke's articles mention several weak points mostly situated in the decoding algorithm [14,16,18,19]. Some of these can be repaired by an intelligent and cautious way of the programming manner where countermeasures were proposed in [1, 3,19]. All of the mentioned attacks were realised on a McEliece PKC implementation using the Patterson algorithm (cf.…”

Section: Introductionmentioning

confidence: 99%

Improved Timing Attacks against the Secret Permutation in the McEliece PKC

Bucerzan¹,

Cayrel²,

Drăgoi³

et al. 2016

INT J COMPUT COMMUN

View full text Add to dashboard Cite

In this paper, we detail two side-channel attacks against the McEliece public-key cryptosystem. They are exploiting timing differences on the Patterson decoding algorithm in order to reveal one part of the secret key: the support permutation. The first one is improving two existing timing attacks and uses the correlation between two different steps of the decoding algorithm. This improvement can be deployed on all error-vectors with Hamming weight smaller than a quarter of the minimum distance of the code. The second attack targets the evaluation of the error locator polynomial and succeeds on several different decoding algorithms. We also give an appropriate countermeasure.

show abstract

“…Nowadays, these problems are partially solved as new variants of the classical McEliece using shorter keys, without compromising the security, were proposed in [7,5,6,17] and more recently in [3]. The latest proposal for embedded devices proposed in [13] is based on QC-MDPC codes.…”

Section: Introductionmentioning

confidence: 99%

Polynomial Structures in Code-Based Cryptography

Drăgoi

Cayrel

Colombier

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this article we discus a probability problem applied in the code based cryptography. It is related to the shape of the polynomials with exactly t different roots. We will show that the structure is very dense and the probability that this type of polynomials has at least one coefficient equal to zero is extremelly low. We treated this issue in our research of natural countermeasures to a timing attack against the polynomial evaluation.

show abstract

McBits: Fast Constant-Time Code-Based Cryptography

Cited by 72 publications

References 58 publications

NTRU Prime: Reducing Attack Surface at Low Cost

NTRU Prime: Reducing Attack Surface at Low Cost

Improved Timing Attacks against the Secret Permutation in the McEliece PKC

Polynomial Structures in Code-Based Cryptography

Contact Info

Product

Resources

About