Advances in Implementations of Code-based Cryptography on Embedded Systems

Transcription

1 Advances in Implementations of Code-based Cryptography on Embedded Systems Worcester Polytechnic Institute (WPI) September 25, 2013 Tim Güneysu (joint work with Ingo von Maurich and Stefan Heyse) Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany

2 Public-Key Crypto of Today PK-Cryptosystems used in practice are RSA and ECC Underlying problems of both systems are closely related Discrete Logarithm Problem Factorization Problem Cryptanalytic breakthrough would turn virtually all asymmetric security systems used so far insecure 9/10/2013 Secure Hardware Tim Güneysu 2

3 Intro: Public-Key Crypto Risk Analysis How hard are the underlying problems of RSA and ECC? no security proof or reduction known Latest cryptanalytic improvement in early 90s (factorization: GNFS) more to come? With quantum computing: Shor s algorithm [ 94] solves both problems in polynomial time 9/10/2013 Secure Hardware Tim Güneysu 3

4 Public-Key Crypto Goals Add some alternative PK-cryptosystems to security portfolio Demand security reductions on known hard problems No poly-time attack algorithm on quantum computers Comparable efficiency for implementations to RSA and ECC 9/10/2013 Secure Hardware Tim Güneysu 4

5 Alternative Public-Key Cryptography Four main branches of post-quantum crypto: Code-based Hash-based Multivariate-quadratic Lattice-based Security services desired: encryption and/or signature schemes 9/10/2013 Secure Hardware Tim Güneysu 5

6 Public-Key Crpyto Code-based Cryptography Error-Correcting Codes are well-known in a large variety of applications Detection/Correction of errors in noisy channels by adding redundancy Observation: Some problems in code-based theory are NP-complete Foundation of Code-based Cryptosystems (CBC) 9/10/2013 Secure Hardware Tim Güneysu 6

7 Code-based Cryptography - Further Discussion Advantages NP-complete problems resist known quantum-computing attacks [Quantum Fourier Sampling, Dinh et al., CRYPTO 2010] Encoding is a simple operation (matrix-vector multiplication) Efficient decoders for many codes available Performance can exceed that of conventional cryptosystems Drawbacks Large keys required ( 50 kbyte) to provide sufficient security with original choices of codes 9/10/2013 Secure Hardware Tim Güneysu 7

8 Motivation This talk addresses Choice of suitable codes Choice and improvement of decoders Implementations on embedded Systems Performance results 9/10/2013 Secure Hardware Tim Güneysu 8

9 Overview Motivation Background on Code-based Cryptography Implementations on Embedded Systems Results Conclusions 9/10/2013 Secure Hardware Tim Güneysu 9

10 Linear Codes and Cryptography Linear codes: Error correcting codes for which redundancy depends linearly on the information Generator and parity check matrices for encoding and decoding Matrices can be in systematic form minimizing time/storage Matrix size of G: k x n Rows of G form a basis for the code C[n, k, d] of length n with dimension k and minimum distance d 9/10/2013 Secure Hardware Tim Güneysu 10

11 Linear Codes and Cryptography (cntd.) Parity check matrix H is a (n-k) x k matrix and orthogonal to G Defines the dual C of the code C via the scalar product A codeword c C if and only if Hc = 0 The term s = Hc = Hc + He is called the syndrome of the error 9/10/2013 Secure Hardware Tim Güneysu 11

12 Syndrome Decoding Problem Given H : matrix of size (n - k) n s : vector of GF( 2 r) w : integer Problem: Does there exist an x of GF( 2 n) of weight w so that H x T = s Syndrome decoding problem is NP-complete E.R. BERLEKAMP, R.J. MCELIECE and H.C. VAN TILBORG On the inherent intractability of certain coding problems. IEEE Transactions on Information Theory, 24(3), May /10/2013 Secure Hardware Tim Güneysu 12

13 McEliece Encryption Scheme [1978] Key Generation Given a code C[n, k, d] with generator matrix G and error correcting capability t Private Key: (S, G, P), where S is a scrambling and P a permutation matrix Public Key: G = S G P Encryption Message m F n r 2, error vector e R F n 2, wt e x mg + e t Decryption Let Ψ H be a t-error-correcting decoding algorithm. Sm Ψ H x P removing the error e Extract m by computing S 1 Sm 9/10/2013 Secure Hardware Tim Güneysu 13

14 Niederreiter Encryption Scheme [1986] Key Generation Given a code C[n, k, d] with parity check matrix H and error correcting capability t Private Key: (S, H, P), where S is a scrambling and P a permutation matrix Public Key: H = S H P Encryption Encode the message m into an error vector e R F n 2, wt e x H e T t Decryption Let Ψ H be a t-error-correcting decoding algorithm. Pm T Ψ H S 1 x Extract m by transposing the compution P 1 Pm T. 9/10/2013 Secure Hardware Tim Güneysu 14

15 Security parameters for Goppa-Codes Original proposal of McEliece and Niederreiter schemes based on Goppa codes Security of Goppa codes revisited by Bernstein, Lange, Peters [PQCrypto 2008] Public key is a (n-k) k bit matrix (non-identity part stored only) 9/10/2013 Secure Hardware Tim Güneysu 15

16 Design of Code-based Cryptosystems Selection of underlying code is the most critical issue Properties of code determine key size Structures in codes reduce key size, but often simplify attacks Encoding is typically a very fast operation on nearly all platforms (matrix multiplication) Decoding is typically the most complex process, requires efficient decoding techniques/decoding algorithms in terms of time/memory Computational efforts on constant weight encoding algorithm for Niederreiter s scheme 9/10/2013 Secure Hardware Tim Güneysu 16

17 Optimizations for the McEliece Encryption Scheme McEliece Encryption Public key G = S G P Secret key (H defined by Goppa polynomial g(z) and support list) Encryption c=m G +e Decryption - c =c P -1 - Decode c to m - m=m S -1 Modern McEliece Enc. Public key G in systematic form Secret key (as before) Encryption c=m G +e Decryption - Decode directly c to m - S can be omitted - P merged into decoding algorithm 9/10/2013 Secure Hardware Tim Güneysu 17

18 Optimizations for the Niederreiter Encryption Scheme Niederreiter Encryption Public key H =S H P Secret key (Goppa polynomial g(z) and support list) Encryption - Convert m into e - c=h e Decryption - c =S -1 c - Decode c to e - e=p -1 e - Convert e to m Modern Niederreiter Enc. Public key H =S H in systematic form Secret key (Goppa polynomial g(z) and permuted support list) Encryption - Convert m into e - c=h e Decryption - c =S -1 c - Decode c directly to e - Convert e to m 9/10/2013 Secure Hardware Tim Güneysu 18

19 Code-based Cryptosystems Code-based Encryption Schemes McEliece [M78] Niederreiter [N86] Generalized Reed-Solomon Srivastava Goppa Elliptic Concatenated Turbo/LDPC/MDPC Reed Muller 9/10/2013 Secure Hardware Tim Güneysu 19

20 Code-based Cryptosystems Code-based Encryption Schemes Key sizes for 80-bit equivalent symmetric security. McEliece [M78] Niederreiter [N86] Generalized Reed-Solomon Srivastava Goppa Elliptic Concatenated Reed Muller Turbo/LDPC/MDPC 9/10/2013 Secure Hardware Tim Güneysu 20

21 Code-based Cryptosystems Code-based Encryption Schemes Key sizes for 80-bit equivalent symmetric security. McEliece [M78] Niederreiter [N86] Generalized Reed-Solomon Srivastava PK: 2.5 kb SK: 1.5 kb PK: 63 kb SK: 2.5 kb Goppa Reed Muller Elliptic Concatenated Turbo/LDPC/MDPC PK: 0.6 kb SK: 180 B 9/10/2013 Secure Hardware Tim Güneysu 21

22 Improved Codes: Background on (QC-)MDPC Codes Given a t-error correcting (n, r, w)-qc-mdpc code of length n Parity check matrix H consists of n 0 blocks, fixed row weight w Code/Key Generation 1. Randomly pick n 0 first rows of parity check matrix blocks H i n h i F 2 of weight w i s.t. w = n 0 1 i=0 2. Obtain remaining rows by r 1 quasi-cyclic shifts of h i 3. H = [H 0 H 1 H n0 1] 4. Generator matrix of systematic form G = I Q, (H 1 n0 1 H 0 ) T Q = (H 1 n0 1 H 1 ) T H n0 2) T (H 1 n0 1 w i 9/10/2013 Secure Hardware Tim Güneysu 22

23 Improved Codes: Background on (QC-)MDPC Codes Parity check matrix H H 0 H 1 Generator matrix G I 9/10/2013 Secure Hardware Tim Güneysu 23

24 Overview Motivation Background on Code-based Cryptography Implementations on Embedded Systems Results Conclusions 9/10/2013 Secure Hardware Tim Güneysu 24

25 Implementations on Embedded Systems Requirements for encryption Random number generator (sometimes critical) Matrix-vector multiplier (despite of size, simple) Requirements for decryption (dependant on deployed code) Two decoders for Goppa codes (originally proposed) Berlekamp-Massey Patterson Decoding variants for QC-MDPC codes Gallager Huffman-Pless 9/10/2013 Secure Hardware Tim Güneysu 25

26 Efficient Decoding of MDPC Codes General Decoding Principle 1. Compute syndrome s of the received codeword 2. Count the number of unsatisfied parity-check-equations # upc for each codeword bit 3. Flip codeword bits that violate more than b equations 4. Recompute syndrome 5. Repeat until s = 0 or reaching predefined maximum of iterations (decoding failure) Main difference is how threshold b is computed Precompute b i for each iteration [Gal62] b = max upc [HP03] b = max upc δ [MTSB12] 9/10/2013 Secure Hardware Tim Güneysu 26

27 Decoding Optimizations Observations Decoders recompute syndrome after each iteration Syndrome computation is expensive! Optimizations If threshold exceeded, flip codeword bit j the syndrome changes Syndrome does not change arbitrarily! s new = s old + h j No syndrome recomputation Decoding with up-to-date syndrome Syndrome 9/10/2013 Secure Hardware Tim Güneysu 27

28 Benchmarking Performance evaluation of different decoder options Direct vs. temporary syndrome update Different threshold techniques Decoding failure if no success within 10 iterations C implementation on Intel Xeon E5345 CPU@2.33 GHz 1000 random QC-MDPC codes with n 0 = 2, n = 9600, r = 4800, w = 90, t = ,000 random decoding tries for each decoder 9/10/2013 Secure Hardware Tim Güneysu 28

29 Most Efficient (QC-)MDPC Decoders Proposed Decoder 1 1. Compute the syndrome 2. Count # upc for each bit, flip the current codeword bit j if # upc exceeds threshold b i and add h j to the syndrome Proposed Decoder 2 Decoder 1 + additionally checks s = 0 after each update 9/10/2013 Secure Hardware Tim Güneysu 29

30 Iterations Decoder Evaluation 7 Average decoding iterations Number of errors wt(e) [MTSB12] [Gal62] Proposal 1 Proposal 2 9/10/2013 Secure Hardware Tim Güneysu 30

31 [µs] Decoder Evaluation 35 Decoding time Number of errors wt(e) [MTSB12] [Gal62] Proposal 1 Proposal 2 9/10/2013 Secure Hardware Tim Güneysu 31

32 Failure rate Decoder Evaluation 0,25 Decoding failure rate 0,2 0,15 0,1 0, Number of errors wt(e) [MTSB12] [Gal62] Proposal 1 Proposal 2 9/10/2013 Secure Hardware Tim Güneysu 32

33 Overview Motivation Background on Code-based Cryptography Implementations on Embedded Systems Results Conclusions 9/10/2013 Secure Hardware Tim Güneysu 33

34 FPGA Implementations using Goppa Codes Results on FPGAs for roughly 80 bit of equivalent symmetric security Parameter set (n=2048, k=1751, t=27) using Goppa codes (63.5 KB public key!) Niederreiter McEliece Niederreiter McEliece Niederreiter [enc] [dec] [enc] [dec] [enc] [dec] [enc] [dec] [enc] [dec] 9/10/2013 Secure Hardware Tim Güneysu 34

35 Comparison with other McEliece implementations PK size: 0.59 kbyte vs kbyte [SWM + 10], 63.5 kbyte [GDU + 12] Performance evaluation: Time/operation vs. Mbit/s Faster than previous McEliece implementations 9/10/2013 Secure Hardware Tim Güneysu 36

36 FPGA Implementations using QC-MDPC Codes Performance evaluation: Time/operation vs. Mbit/s PK size: 0.59 kbyte vs kbyte [38], 63.5 kbyte [16][21] McEliece [enc] [dec fast] [dec small] 9/10/2013 Secure Hardware Tim Güneysu 37

37 Results for QC-MDPC Codes on Microcontrollers Encoder Very frequent memory access (>50% of the runtime) Runtime Decoder Shifting sparse polynomial in 720 cycles Adding sparse polynomial to syndrome in 2,200 cycles Again very frequent memory access Runtime 9/10/2013 Secure Hardware Tim Güneysu 38

38 Results for QC-MDPC Codes on Microcontrollers Much smaller than previous McEliece implementations Faster and smaller than RSA More cycles/op than most competitors 9/10/2013 Secure Hardware Tim Güneysu 39

39 Overview Motivation Background on Code-based Cryptography Implementations on Embedded Systems Results Conclusions 9/10/2013 Secure Hardware Tim Güneysu 40

40 Conclusions Code-based encryption with practical key sizes can be done even on embedded systems (efficient on FPGAs, slow/large on microcontrollers) McEliece/Niederreiter encryption provides protection against quantum computers attacks Open research topic: analysis of security properties of underlying codes Signature scheme based on code-based cryptography are far less efficient (the only existing solution P-CFS is not suitable for embedded systems 9/10/2013 Secure Hardware Tim Güneysu 41

41 Advances in Implementations of Code-based Cryptography on Embedded Systems Worcester Polytechnic Institute (WPI) Tim Güneysu (joint work with Ingo von Maurich and Stefan Heyse) Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany Thank you! Questions?

42 References [Gal62] R. Gallager. Low-density Parity-check Codes. Information Theory, IRE Transactions on, 8(1):21 28, [GDU + 12] S. Ghosh, J. Delvaux, L. Uhsadel, and I. Verbauwhede. A Speed Area Optimized Embedded Co-processor for McEliece Cryptosystem. In Application-Specific Systems, Architectures and Processors (ASAP), 2012 IEEE 23 rd International Conference on, pages , [HP03] W. Huffman and V. Pless. Fundamentals of Error-Correcting Codes. Cambridge University Press, [MTSB12] R. Misoczki, J.-P. Tillich, N. Sendrier, and P. S. L. M. Barreto. MDPC- McEliece: New McEliece Variants from Moderate Density Parity-Check Codes. Cryptology eprint Archive, Report 2012/409, [SWM + 10] A. Shoufan, T. Wink, H. G. Molter, S. A. Huss, and E. Kohnert. A Novel Cryptoprocessor Architecture for the McEliece Public-Key Cryptosystem. IEEE Trans. Computers, 59(11): , /10/2013 Secure Hardware Tim Güneysu 43

43 FPGA Comparison Performance evaluation: Time/operation vs. Mbit/s PK size: 0.59 kbyte vs kbyte [38], 63.5 kbyte [16][21] 9/10/2013 Secure Hardware Tim Güneysu 44

44 QC-MDPC McEliece FPGA Implementation QC-MDPC Encryption Given first 4800-bit row g of G and message m, compute x = mg + e G is of systematic form first half of x is equal to m Computation of redundant part Iterate over message bit by bit and rotate g accordingly If message bit is set, XOR current g to the redundant part 9/10/2013 Secure Hardware Tim Güneysu 45

45 QC-MDPC McEliece FPGA Implementation QC-MDPC Decryption Syndrome computation s = Hx T, with H = H 0 H 1 Given 9600-bit h = [h 0 h 1 ] and x = [x 0 x 1 ] Sequentially iterate over every bit of x 0 and x 1 in parallel, rotate h 0 and h 1 accordingly If bit in x 0 and/or x 1 is set, XOR current h 0 and/or h 1 to intermediate syndrome s = 0? Logical OR tree, lowest level based on 6-input LUTs Added registers to minimize critical path 9/10/2013 Secure Hardware Tim Güneysu 46

46 QC-MDPC McEliece FPGA Implementation QC-MDPC Decryption Count # upc for current row h = [h 0 h 1 ] Compute HW(s AND h 0 ), HW(s AND h 1 ) Split AND results into 6-bit blocks and lookup HW Adder tree with registers on every level accumulates overall HW Parallel vs. iterative design Bit-flipping step If HW exceeds threshold b i the corresponding bit in codeword x 0 and/or x 1 is flipped Syndrome is updated by XORing current secret poly h 0 and/or h 1 Generate next row h and repeat 9/10/2013 Secure Hardware Tim Güneysu 47