McEliece Needs a Break – Solving McEliece-1284 and Quasi-Cyclic-2918 with Modern ISD

Esser, Andre; May, Alexander; Zweydinger, Floyd

doi:10.1007/978-3-031-07082-2_16

Cited by 17 publications

(7 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A few recent papers [134][135][136] have attempted to provide concrete security estimates for the parameter sets submitted to the NIST PQC Standardization Process based on the above classical and quantum ISD attack papers. The analysis of [134] gave an anomalously low estimate for the cost of the MMT attack [122].…”

Section: Code-basedmentioning

confidence: 99%

“…The subsequent analysis of [135] determined that the previous analysis was in error and gave corrected estimates for the cost of several attacks (including MMT) in a variety of memory cost models. In [136] a software implementation was used to attempt to determine an appropriate memory cost model; however, since computationally intensive tasks typically benefit more from specialized hardware support than memory intensive tasks, this approach may underestimate the relative cost of memory access.…”

Section: Code-basedmentioning

confidence: 99%

See 1 more Smart Citation

Status report on the third round of the NIST Post-Quantum Cryptography Standardization process

Moody¹

2022

101

View full text Add to dashboard Cite

The National Institute of Standards and Technology is in the process of selecting public-key cryptographic algorithms through a public, competition-like process. The new public-key cryptography standards will specify additional digital signature, public-key encryption, and key-establishment algorithms to augment Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), as well as NIST Special Publication (SP) 800-56A Revision 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, and SP 800-56B Revision 2, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography. It is intended that these algorithms will be capable of protecting sensitive information well into the foreseeable future, including after the advent of quantum computers. The first round of the NIST Post-Quantum Cryptography Standardization Process began in December 2017 with 69 candidate algorithms that met both the minimum acceptance criteria and submission requirements. The first round lasted until January 2019, during which candidate algorithms were evaluated based on their security, performance, and other characteristics. NIST selected 26 algorithms to advance to the second round for more analysis. The second round continued until July 2020, after which seven 'finalist' and eight 'alternate' candidate algorithms were selected to move into the third round. This report describes the evaluation and selection process, based on public feedback and internal review, of the third-round candidates. The report summarizes each of the 15 third-round candidate algorithms and identifies those selected for standardization, as well as those that will continue to be evaluated in a fourth round of analysis. The public-key encryption and key-establishment algorithm that will be standardized is CRYSTALS-Kyber. The digital signatures that will be standardized are CRYSTALS-Dilithium, Falcon, and SPHINCS+. While there are multiple signature algorithms selected, NIST recommends CRYSTALS-Dilithium as the primary algorithm to be implemented. In addition, four of the alternate key-establishment candidate algorithms will advance to a fourth round of evaluation: BIKE, Classic McEliece, HQC, and SIKE. These candidates are still being considered for future standardization. NIST will also issue a new Call for Proposals for public-key digital signature algorithms to augment and diversify its signature portfolio.

show abstract

Section: Code-basedmentioning

confidence: 99%

Section: Code-basedmentioning

confidence: 99%

Status report on the third round of the NIST Post-Quantum Cryptography Standardization process

Moody¹

2022

101

View full text Add to dashboard Cite

show abstract

“…The decisional version of the SDP, also known as the coset weight problem, belongs to the class of NP-complete problems [1]. Hence, all the existing algorithms for solving SDP are exponential in the code parameters [34], [35], [36], [37], [14]. Algorithms for solving the SDP include [38], [39], [40], [41], [42], [43], [44], [10], [11], [12], [13].…”

Section: Definition 1 (Binary Syndrome Decoding Problem Sdp)mentioning

confidence: 99%

“…The parameters of the cryptosystem are set with respect to the complexity of the best information-set decoding (ISD) attack strategy [10], [11], [12], [13], [14], which is the best known general attack path against code-based cryptosystems. As the scheme started to gain scientific confidence, sustained efforts were directed towards the practical side, i.e., implementations [15], [16], [17], [18], [19], [20], [21], [22], [23] as well as physical attacks, both side-channel [24] and fault injection attacks [25], [26], [27].…”

Section: Introductionmentioning

confidence: 99%

Profiled Side-Channel Attack on Cryptosystems Based on the Binary Syndrome Decoding Problem

Colombier

Drăgoi

Cayrel

et al. 2022

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

The NIST standardization process for post-quantum cryptography has been drawing the attention of researchers to the submitted candidates. One direction of research consists in implementing those candidates on embedded systems and that exposes them to physical attacks in return. The Classic McEliece cryptosystem, which is among the four finalists of round 3 in the Key Encapsulation Mechanism category, builds its security on the hardness of the syndrome decoding problem, which is a classic hard problem in code-based cryptography. This cryptosystem was recently targeted by a laser fault injection attack leading to message recovery. Regrettably, the attack setting is very restrictive and it does not tolerate any error in the faulty syndrome. Moreover, it depends on the very strong attacker model of laser fault injection, and does not apply to optimised implementations of the algorithm that make optimal usage of the machine words capacity. In this article, we propose a to change the angle and perform a message-recovery attack that relies on side-channel information only. We improve on the previously published work in several key aspects. First, we show that sidechannel information, obtained with power consumption analysis, is sufficient to obtain an integer syndrome, as required by the attack framework. This is done by leveraging classic machine learning techniques that recover the Hamming weight information very accurately. Second, we put forward a computationallyefficient method, based on a simple dot product and informationset decoding algorithms, to recover the message from the, possibly inaccurate, recovered integer syndrome. Finally, we present a masking countermeasure against the proposed attack.

show abstract

“…There is existing research on fast ISD implementations, including FPGA [14] and GPU implementations of Dumer's algorithm [15]. Recently, Esser et al presented fast CPUbased concrete implementations of the MMT and BJMM algorithms in [16]. There are also papers on proposals for quantum ISD algorithms, albeit simulation-based [17,18].…”

Section: Introductionmentioning

confidence: 99%

Multiparallel MMT: Faster ISD Algorithm Solving High-Dimensional Syndrome Decoding Problem

Narisada

Fukushima

Kiyomoto

2023

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

The hardness of the syndrome decoding problem (SDP) is the primary evidence for the security of code-based cryptosystems, which are one of the finalists in a project to standardize post-quantum cryptography conducted by the U.S. National Institute of Standards and Technology (NIST-PQC). Information set decoding (ISD) is a general term for algorithms that solve SDP efficiently. In this paper, we conducted a concrete analysis of the time complexity of the latest ISD algorithms under the limitation of memory using the syndrome decoding estimator proposed by Esser et al. As a result, we present that theoretically nonoptimal ISDs, such as May-Meurer-Thomae (MMT) and May-Ozerov, have lower time complexity than other ISDs in some actual SDP instances. Based on these facts, we further studied the possibility of multiple parallelization for these ISDs and proposed the first GPU algorithm for MMT, the multiparallel MMT algorithm. In the experiments, we show that the multiparallel MMT algorithm is faster than existing ISD algorithms. In addition, we report the first successful attempts to solve the 510-, 530-, 540-and 550-dimensional SDP instances in the Decoding Challenge contest using the multiparallel MMT.

show abstract

McEliece Needs a Break – Solving McEliece-1284 and Quasi-Cyclic-2918 with Modern ISD

Cited by 17 publications

References 15 publications

Status report on the third round of the NIST Post-Quantum Cryptography Standardization process

Status report on the third round of the NIST Post-Quantum Cryptography Standardization process

Profiled Side-Channel Attack on Cryptosystems Based on the Binary Syndrome Decoding Problem

Multiparallel MMT: Faster ISD Algorithm Solving High-Dimensional Syndrome Decoding Problem

Contact Info

Product

Resources

About