McEliece Cryptosystem in real life: security and implementation · 2008-03-26 · Bhaskar Biswas and Nicolas Sendrier McEliece Cryptosystem in real life: security and implementation.
Outline:
Some numbers!
Motivation and Chronology
System description
Security
Implementation
Simulation results
Conclusion

McEliece Cryptosystem in real life: security and implementation
Bhaskar Biswas and Nicolas Sendrier
SECRET - INRIA Rocq.

Motivation
The McEliece public-key system is old and considered fast, but its implementation has never been thoroughly studied.
Consider the problem and provide a careful implementation together with cryptanalysis.
Provide a reference for measuring speed and scalability.
Compare with other, number-theory based, public-key schemes.

Chronology
Proposed in 1978 by Robert J. McEliece.
Niederreiter proposed a variant (knapsack type), 1986.
Decoding attacks:
  Lee and Brickell - Eurocrypt-’88.
  Leon - ITIT-’88.
  H. van Tilborg - CRYPTO-’88.
  J. Stern - Coding theory and applications-’89.
  A. Canteaut and F. Chabaud - ’95.
N. Courtois, M. Finiasz and N. Sendrier - signature scheme, 2001.

Problem statement
Implementing a (public key) cryptosystem is a tradeoff between security and efficiency.
The McEliece cryptosystem has a large public key, but it has a good security reduction and low-complexity algorithms for encryption and decryption.
We present a slightly modified version of the scheme (which we call hybrid).
Two modifications: one increases the information rate by putting some data in the error pattern, the other reduces the public key size by making use of a generator matrix in row echelon form.

System description
The McEliece encryption scheme, as any public key encryption scheme, has to be described by a triple of procedures:
  a key generation procedure,
  an encryption procedure,
  a decryption procedure.

System description
We define an injective mapping $\varphi : \{0,1\}^\ell \to W_{n,t}$. Both $\varphi$ and $\varphi^{-1}$ should be easy to compute.
System parameters: two integers $m$ and $t$. Let $n = 2^m$ and $k = n - tm$.
Key generation:
  generate a support $L = (\alpha_1, \ldots, \alpha_n)$ of $n$ distinct elements of $\mathbb{F}_{2^m}$,
  generate a monic irreducible generator polynomial $g(z) \in \mathbb{F}_{2^m}[z]$ of degree $t$.
The secret key is the pair $(L, g)$ (i.e. the Goppa code $\Gamma(L, g)$ and its decoder).
The public key is a binary $k \times (n - k)$ matrix $R$ where $G = (\mathrm{Id} \mid R)$ is a generator matrix of $\Gamma(L, g)$ in row echelon form.

System description...
Encryption: the plaintext is in $\{0,1\}^k \times \{0,1\}^\ell$ and the ciphertext in $\{0,1\}^n$:
$$\{0,1\}^k \times \{0,1\}^\ell \longrightarrow \{0,1\}^n, \qquad (x, x') \longmapsto E_G(x, \varphi(x'))$$
Decryption: the ciphertext has the form $y = xG + e$, with $e = \varphi(x')$ of Hamming weight $\le t$. Applying the decoder of $\Gamma(L, g)$ on $y$ will provide $x$ and $x' = \varphi^{-1}(e)$.
There are two differences compared with the original system:
  We use the error to encode information bits.
  We use a public key in row echelon form.
Those changes improve credentiality and as we will see, have no real impact on security.
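
The encryption side of the hybrid scheme described above, as an added example that is not the authors' implementation. It assumes $W_{n,t}$ is the set of binary words of length $n$ and weight $t$, uses the combinatorial number system as a stand-in for $\varphi$ (the authors' constant weight encoder is not given on these slides), and uses a random matrix in place of a real Goppa code's $R$; all function names and the parameter pair (11, 32) are constructed.

```python
# Added example: phi, phi^-1 and y = xG + phi(x') with G = (Id | R).
from math import comb
import secrets

def params(m, t):
    """System parameters as defined on the slides: n = 2^m, k = n - t*m."""
    n = 1 << m
    k = n - t * m
    return {"n": n, "k": k,
            "ell": comb(n, t).bit_length() - 1,  # largest ell with 2^ell <= C(n, t)
            "key_bits_R": k * (n - k),           # public key stored as R only
            "key_bits_G": k * n}                 # full k x n generator matrix

def phi(value, n, t):
    """Injective map from integers in [0, C(n, t)) to weight-t supports.
    Uses the combinatorial number system (an assumption of this example)."""
    if not 0 <= value < comb(n, t):
        raise ValueError("value does not fit in W_{n,t}")
    support = []
    for i in range(t, 0, -1):            # pick the largest position first
        c = i - 1
        while comb(c + 1, i) <= value:   # largest c with C(c, i) <= value
            c += 1
        support.append(c)
        value -= comb(c, i)
    return sorted(support)

def phi_inv(support):
    """Inverse of phi: recover the integer from the error positions."""
    return sum(comb(c, i) for i, c in enumerate(sorted(support), start=1))

def codeword(x, R):
    """x * (Id | R) over F_2: the message bits followed by x * R."""
    parity = [0] * len(R[0])
    for bit, row in zip(x, R):
        if bit:
            parity = [p ^ r for p, r in zip(parity, row)]
    return list(x) + parity

def encrypt(x, x_prime, R, t):
    """y = xG + phi(x'), with G = (Id | R) and x' an integer below 2^ell."""
    y = codeword(x, R)
    for pos in phi(x_prime, len(y), t):
        y[pos] ^= 1
    return y

def demo(m=4, t=2):
    p = params(m, t)
    n, k = p["n"], p["k"]
    # Constructed stand-in: random R, not derived from a Goppa code, so no
    # decoder exists; the error is recovered below using the known x.
    R = [[secrets.randbelow(2) for _ in range(n - k)] for _ in range(k)]
    x = [secrets.randbelow(2) for _ in range(k)]
    x_prime = secrets.randbits(p["ell"])
    y = encrypt(x, x_prime, R, t)
    e = [a ^ b for a, b in zip(y, codeword(x, R))]
    support = [i for i, bit in enumerate(e) if bit]
    return x_prime, support, phi_inv(support)

if __name__ == "__main__":
    print(params(11, 32))   # constructed parameter choice, not from the slides
    print(demo())
```

The `params` output makes both modifications measurable: `ell` is the number of extra plaintext bits carried by the error pattern, and `key_bits_R` against `key_bits_G` is the saving from publishing only $R$.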

One way encryption scheme
Definition (OWE)
A public key encryption scheme is a One Way Encryption scheme if the probability of success of any adversary running in polynomial time is negligible.
In practice, one needs more than just an OWE scheme.
McE, though it is OWE, is vulnerable to many attacks.
Given that perfect hash functions exist, there are generic conversions which, starting from an OWE scheme, provide a scheme resistant against adaptive chosen ciphertext attack.
We can prove that, given the two following assumptions, the hybrid McEliece encryption scheme is OWE.

Security assumptions
Hardness of decoding in the average case: the success probability
$$\Pr_{\Omega}\bigl(A(xG + e, G) = (x, e)\bigr), \qquad \Omega = \{0,1\}^k \times W_{n,t} \times M_{k \times n},$$
of any adversary $A$ running in polynomial time is negligible.
Pseudo-randomness of binary Goppa codes: there exists no efficient distinguisher for Goppa codes. In other words, the generator matrix of a Goppa code looks random.
The hybrid scheme is one way
Theorem
The hybrid McEliece scheme is one-way.
Proof omitted.

Key generation and Encryption
Recall that we generate the support $L$ and the generator polynomial $g$.
The pair $(L, g)$ is the private key.
The public key is $R$, a binary $k \times (n - k)$ matrix, where $G = (\mathrm{Id} \mid R)$ is a generator matrix of $\Gamma(L, g)$ in row echelon form.
Recall again that encryption is computed as
$$(x, x') \longmapsto E_G(x, \varphi(x'))$$
Constant weight encoding
Prof. Nicolas Sendrier is going to deliver a talk on this part. It is better to pray to God than to his saints!!!

Decryption
Decryption consists of 2 distinct stages.
  Decoding of the Goppa code to generate the error positions. Next 2 slides!
  Retrieval of the plaintext. This is the inverse function applied to retrieve the message, where $x' = \varphi^{-1}(e)$.

Goppa code decoding
The 3 stages involved in the decoding process are:
  The syndrome computation.
  Solving the key equation.
  Computation of roots.
We precompute all the $f_j(z) = (z - \alpha_j)^{-1} \bmod g(z)$. The syndrome of the word $a = (a_1, \ldots, a_n)$ is the sum
$$R_a(z) = \sum_{j=1}^{n} a_j f_j(z) = \sum_{j=1}^{n} \frac{a_j}{z - \alpha_j} \bmod g(z)$$

Patterson algorithm and Computation of roots
The key equation is solved by the Patterson algorithm. We chose to precompute the square roots modulo $g(z)$ (that is, the $s_i(z)$ such that $s_i(z)^2 = z^i \bmod g(z)$, $0 \le i < t$).
The roots of the locator polynomial are found by an exhaustive search on the field elements.
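
The syndrome and root-search stages from the last two slides on a toy code, as an added example that is not the authors' implementation. The parameters $m = 4$, $t = 2$, $g(z) = z^2 + z + \alpha^3$ over $\mathbb{F}_{2^4} = \mathbb{F}_2[x]/(x^4 + x + 1)$ and all function names are constructed; instead of running the Patterson algorithm, it builds the locator $\sigma(z)$ from a known error and checks the key equation $R_e(z)\,\sigma(z) \equiv \sigma'(z) \bmod g(z)$ that the algorithm solves.

```python
# Added example: constructed toy parameters m = 4, t = 2, g(z) = z^2 + z + alpha^3.
MOD = 0b10011                        # GF(2^4) = F_2[x] / (x^4 + x + 1)
EXP, LOG = [0] * 30, [0] * 16
_v = 1
for _i in range(15):
    EXP[_i] = EXP[_i + 15] = _v
    LOG[_v] = _i
    _v = (_v << 1) ^ (MOD if _v & 8 else 0)

def mul(a, b):
    return EXP[LOG[a] + LOG[b]] if a and b else 0
def inv(a):
    return EXP[15 - LOG[a]]

def poly_eval(p, x):                 # p[i] is the coefficient of z^i
    acc = 0
    for c in reversed(p):
        acc = mul(acc, x) ^ c
    return acc

def mulmod(a, b, g):                 # a(z) * b(z) mod g(z), g monic
    t = len(g) - 1
    prod = [0] * max(len(a) + len(b) - 1, t)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] ^= mul(ai, bj)
    for d in range(len(prod) - 1, t - 1, -1):
        c = prod[d]
        for j in range(t + 1):
            prod[d - t + j] ^= mul(c, g[j])
    return prod[:t]

def inv_linear(alpha, g):
    """f(z) = (z - alpha)^(-1) mod g(z), from g(z) - g(alpha) = (z - alpha) q(z)."""
    q, acc = [0] * (len(g) - 1), 0
    for i in range(len(g) - 1, 0, -1):   # synthetic division of g by (z - alpha)
        acc = mul(acc, alpha) ^ g[i]
        q[i - 1] = acc
    scale = inv(poly_eval(g, alpha))     # g(alpha) != 0 because g is irreducible
    return [mul(c, scale) for c in q]

def syndrome(word, F):               # R_a(z) = sum of a_j * f_j(z)
    s = [0] * len(F[0])
    for bit, f in zip(word, F):
        if bit:
            s = [x ^ y for x, y in zip(s, f)]
    return s

def locator(positions, L):           # sigma(z) = product of (z - alpha_j)
    sigma = [1]
    for j in positions:
        scaled = [mul(L[j], c) for c in sigma] + [0]
        sigma = [x ^ y for x, y in zip([0] + sigma, scaled)]
    return sigma

def decode_check(positions, L=tuple(range(16)), g=(8, 1, 1)):
    """Return (syndrome, key equation holds?, positions found by root search)."""
    F = [inv_linear(a, g) for a in L]                # precomputed f_j
    S = syndrome([int(j in positions) for j in range(len(L))], F)
    sigma = locator(sorted(positions), L)
    dsigma = [sigma[i] if i % 2 else 0 for i in range(1, len(sigma))]
    key_eq = mulmod(S, sigma, g) == (dsigma + [0, 0])[:len(g) - 1]
    roots = [j for j, a in enumerate(L) if poly_eval(sigma, a) == 0]
    return S, key_eq, roots
```

Because the syndrome is linear and codewords have syndrome zero, the syndrome of a received word equals the syndrome of its error, which is why the check uses the error vector alone.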

Simulation results
[Plot: encryption cost (cpu-cycles per byte, axis from 320 to 1440) against binary work factor (power of 2, axis from 40 to 240), with one curve each for extension degree m = 11, m = 12 and m = 13.]
Figure: Encryption cost vs binary work factor for different extension degrees

Simulation results
[Plot: decryption cost (cpu-cycles per byte, axis from 0 to 32000) against binary work factor (power of 2, axis from 40 to 240), with one curve each for extension degree m = 11, m = 12 and m = 13.]
Figure: Decryption cost vs binary work factor for different extension degrees

Conclusion
We presented here a new modified version of the McEliece cryptosystem and its full implementation. We have shown that a code-based public key encryption scheme compares favorably with optimized implementations of number theory based schemes.
We plan to explore possibilities to improve the implementation, as well as widening the scope of parameters in our simulations.
Thank you! Questions?
Questions and remarks....shoot please!