Advances in Implementations of Code-based Cryptography on Embedded Systems
1 Advances in Implementations of Code-based Cryptography on Embedded Systems
Worcester Polytechnic Institute (WPI), September 25, 2013
Tim Güneysu (joint work with Ingo von Maurich and Stefan Heyse), Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany
2 Public-Key Crypto of Today
- The PK cryptosystems used in practice are RSA and ECC
- The underlying problems of both systems are closely related: the factorization problem (RSA) and the discrete logarithm problem (ECC)
- A cryptanalytic breakthrough against either would render virtually all asymmetric security systems deployed so far insecure
9/10/2013 Secure Hardware Tim Güneysu 2
3 Intro: Public-Key Crypto Risk Analysis
- How hard are the underlying problems of RSA and ECC?
  - No security proof: neither factoring nor the discrete logarithm is known to be NP-hard, and no reduction to such a problem is known
  - The latest major cryptanalytic improvement dates from the early 1990s (factorization: the general number field sieve, GNFS); more to come?
- With quantum computing: Shor's algorithm [1994] solves both problems in polynomial time
4 Public-Key Crypto Goals
- Add alternative PK cryptosystems to the security portfolio
- Demand security reductions to known hard problems
- No polynomial-time attack algorithm on quantum computers
- Implementation efficiency comparable to RSA and ECC
5 Alternative Public-Key Cryptography
- Four main branches of post-quantum crypto: code-based, hash-based, multivariate-quadratic, lattice-based
- Security services desired: encryption and/or signature schemes
6 Public-Key Crypto: Code-based Cryptography
- Error-correcting codes are well known from a large variety of applications: detection/correction of errors on noisy channels by adding redundancy
- Observation: some problems in coding theory are NP-complete (general decoding of an arbitrary linear code, see slide 12)
- This is the foundation of code-based cryptosystems (CBC)
7 Code-based Cryptography: Further Discussion
- Advantages
  - No efficient quantum attack is known; in particular quantum Fourier sampling, the technique behind Shor's algorithm, does not apply to McEliece/Niederreiter [Dinh, Moore, Russell, CRYPTO 2011]. Note that NP-completeness of general decoding is evidence, not a proof: the cryptographic instances are structured, and their security rests on the assumption that the structure stays hidden
  - Encoding is a simple operation (matrix-vector multiplication)
  - Efficient decoders are available for many codes
  - Performance can exceed that of conventional cryptosystems
- Drawbacks
  - Large keys (well over 50 kbyte) are required for sufficient security with the originally proposed choice of codes
8 Motivation
- This talk addresses
  - The choice of suitable codes
  - The choice and improvement of decoders
  - Implementations on embedded systems
  - Performance results
9 Overview
- Motivation
- Background on Code-based Cryptography
- Implementations on Embedded Systems
- Results
- Conclusions
10 Linear Codes and Cryptography
- Linear codes: error-correcting codes in which the redundancy depends linearly on the information
- A generator matrix $G$ and a parity-check matrix $H$ are used for encoding and decoding
- Both matrices can be brought into systematic form, minimizing time/storage
- $G$ is a $k \times n$ matrix; its rows form a basis of the code $C[n, k, d]$ of length $n$, dimension $k$ and minimum distance $d$
11 Linear Codes and Cryptography (cntd.)
- The parity-check matrix $H$ is an $(n-k) \times n$ matrix orthogonal to $G$: $G H^T = 0$
- $H$ generates the dual code $C^\perp$ of $C$ (orthogonal complement with respect to the standard scalar product)
- A word $c$ is a codeword, $c \in C$, if and only if $H c^T = 0$
- For a received word $x = c + e$ the vector $s = H x^T = H c^T + H e^T = H e^T$ is called the syndrome; it depends only on the error $e$, not on the codeword
12 Syndrome Decoding Problem
- Given: a matrix $H$ of size $(n-k) \times n$; a vector $s \in \mathrm{GF}(2)^{r}$ with $r = n-k$; an integer $w$
- Problem: does there exist an $x \in \mathrm{GF}(2)^n$ of weight $w$ such that $H x^T = s$?
- The syndrome decoding problem is NP-complete: E. R. Berlekamp, R. J. McEliece and H. C. van Tilborg, On the inherent intractability of certain coding problems, IEEE Transactions on Information Theory, 24(3), May 1978
13 McEliece Encryption Scheme [1978]
- Key generation: given a code $C[n, k, d]$ with generator matrix $G$ and error-correcting capability $t$
  - Private key: $(S, G, P)$, where $S$ is an invertible $k \times k$ scrambling matrix and $P$ an $n \times n$ permutation matrix
  - Public key: $G' = S G P$
- Encryption: message $m \in \mathbb{F}_2^k$, error vector $e \in_R \mathbb{F}_2^n$ with $\mathrm{wt}(e) = t$; ciphertext $x = m G' + e$
- Decryption: let $\Psi_H$ be a $t$-error-correcting decoding algorithm for $C$
  - $x P^{-1} = (mS) G + e P^{-1}$; since $e P^{-1}$ still has weight $t$, $\Psi_H$ removes it and yields $mS$
  - Extract $m$ by computing $(mS) S^{-1}$
14 Niederreiter Encryption Scheme [1986]
- Key generation: given a code $C[n, k, d]$ with parity-check matrix $H$ and error-correcting capability $t$
  - Private key: $(S, H, P)$, where $S$ is an invertible $(n-k) \times (n-k)$ scrambling matrix and $P$ an $n \times n$ permutation matrix
  - Public key: $H' = S H P$
- Encryption: encode the message $m$ into an error vector $e \in \mathbb{F}_2^n$ with $\mathrm{wt}(e) = t$ (constant-weight encoding); ciphertext $x = H' e^T$
- Decryption: let $\Psi_H$ be a $t$-error-correcting decoding algorithm for $C$
  - $S^{-1} x = H (P e^T)$, so syndrome decoding with $\Psi_H$ recovers $P e^T$
  - Extract $e$ by computing $e^T = P^{-1} (P e^T)$, then decode $e$ back to $m$
15 Security Parameters for Goppa Codes
- The original proposals of the McEliece and Niederreiter schemes are based on binary Goppa codes
- The security of Goppa-code parameters was revisited by Bernstein, Lange, Peters [PQCrypto 2008]
- With a systematic public key only the non-identity part is stored: an $(n-k) \times k$ bit matrix
16 Design of Code-based Cryptosystems
- Selection of the underlying code is the most critical issue
  - The properties of the code determine the key size
  - Structure in the code reduces the key size, but often simplifies attacks
- Encoding is typically a very fast operation on nearly all platforms (matrix multiplication)
- Decoding is typically the most complex process and requires decoding techniques/algorithms that are efficient in terms of time and memory
- Niederreiter's scheme additionally needs a constant-weight encoding algorithm, which costs computational effort
17 Optimizations for the McEliece Encryption Scheme
- Original McEliece encryption
  - Public key $G' = S G P$
  - Secret key: $H$, defined by the Goppa polynomial $g(z)$ and the support list, plus $S$ and $P$
  - Encryption: $c = m G' + e$
  - Decryption: $c' = c P^{-1}$; decode $c'$ to $m'$; $m = m' S^{-1}$
- Modern McEliece encryption
  - Public key $G'$ in systematic form
  - Secret key as before
  - Encryption: $c = m G' + e$
  - Decryption: decode $c$ directly to $m$; $S$ can be omitted (the systematic form fixes it), and $P$ is merged into the decoding algorithm by permuting the support
18 Optimizations for the Niederreiter Encryption Scheme
- Original Niederreiter encryption
  - Public key $H' = S H P$
  - Secret key: Goppa polynomial $g(z)$ and support list, plus $S$ and $P$
  - Encryption: convert $m$ into $e$; $c = H' e^T$
  - Decryption: $c' = S^{-1} c$; decode $c'$ to $e'$; $e = P^{-1} e'$; convert $e$ to $m$
- Modern Niederreiter encryption
  - Public key $H' = S H$ in systematic form ($S$ is then the matrix that brings $H$ into systematic form and need not be stored separately)
  - Secret key: Goppa polynomial $g(z)$ and permuted support list
  - Encryption: convert $m$ into $e$; $c = H' e^T$
  - Decryption: $c' = S^{-1} c$; decode $c'$ directly to $e$; convert $e$ to $m$
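As an added illustration (not code from the slides or the authors), the algebra of slides 13, 14, 17 and 18 carried out in Python on a toy [7,4,3] Hamming code, which corrects t = 1 error and has no cryptographic value: the hidden structure that makes a Goppa code hard to decode without the key is absent here, so the example only demonstrates the key transformations S, G, P and the decryption steps of both schemes, including the "modern" systematic variant that drops S. All function names, the seeded key generation and the use of the error vector itself as the Niederreiter plaintext (constant-weight encoding of m is left out) are this example's own choices.

```python
import random

# Toy [7,4,3] Hamming code, t = 1 (illustration only: it has no security;
# the McEliece/Niederreiter proposals use binary Goppa codes).
N, K, T = 7, 4, 1
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def transpose(M):
    return [list(col) for col in zip(*M)]

def matmul(X, Y):
    """Matrix product over GF(2)."""
    Yt = transpose(Y)
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in Yt] for row in X]

def vec_add(u, v):
    return [a ^ b for a, b in zip(u, v)]

# Systematic generator G = [I_k | A] and parity-check matrix H = [A^T | I_{n-k}],
# so G H^T = A + A = 0 and a word c is a codeword iff H c^T = 0.
G = [identity(K)[i] + A[i] for i in range(K)]
H = [transpose(A)[i] + identity(N - K)[i] for i in range(N - K)]

def gf2_inverse(M):
    """Gauss-Jordan inverse over GF(2); raises ValueError if singular."""
    n = len(M)
    aug = [row[:] + identity(n)[i] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = vec_add(aug[r], aug[c])
    return [row[n:] for row in aug]

def random_invertible(n, rng):
    while True:
        M = [[rng.randrange(2) for _ in range(n)] for _ in range(n)]
        try:
            gf2_inverse(M)
            return M
        except ValueError:
            continue

def random_permutation_matrix(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]

def syndrome(v):
    """s = H v^T as a flat list; for v = c + e this equals H e^T (slide 11)."""
    return [row[0] for row in matmul(H, transpose([v]))]

def syndrome_decode(s):
    """Hamming code: a nonzero syndrome is the column of H at the error position."""
    e = [0] * N
    if any(s):
        e[transpose(H).index(s)] = 1
    return e

def correct(y):
    """Psi_H: the t-error-correcting decoder, returns the nearest codeword."""
    return vec_add(y, syndrome_decode(syndrome(y)))

# --- McEliece [1978], slide 13 ---
def mceliece_keygen(seed):
    rng = random.Random(seed)
    S, P = random_invertible(K, rng), random_permutation_matrix(N, rng)
    return matmul(matmul(S, G), P), (S, P)        # G' = S G P

def mceliece_encrypt(Gpub, m, e):
    return vec_add(matmul([m], Gpub)[0], e)        # x = m G' + e

def mceliece_decrypt(sk, x):
    S, P = sk
    y = matmul([x], transpose(P))[0]              # x P^-1 = (m S) G + e P^-1
    mS = correct(y)[:K]                           # G is systematic: c = (m S) G
    return matmul([mS], gf2_inverse(S))[0]        # m = (m S) S^-1

# "Modern" McEliece, slide 17: the public key is a systematic generator, S is
# dropped, and the message is the first k bits of the decoded codeword.
def mceliece_systematic_decrypt(x):
    return correct(x)[:K]

# --- Niederreiter [1986], slide 14 ---
def niederreiter_keygen(seed):
    rng = random.Random(seed)
    S, P = random_invertible(N - K, rng), random_permutation_matrix(N, rng)
    return matmul(matmul(S, H), P), (S, P)        # H' = S H P

def niederreiter_encrypt(Hpub, e):
    return [row[0] for row in matmul(Hpub, transpose([e]))]   # x = H' e^T

def niederreiter_decrypt(sk, x):
    S, P = sk
    s = [row[0] for row in matmul(gf2_inverse(S), transpose([x]))]  # S^-1 x = H (P e^T)
    e_perm = syndrome_decode(s)                   # e_perm^T = P e^T
    return matmul([e_perm], P)[0]                 # e = e_perm P, since P^T P = I
```

With a permutation matrix $P^{-1} = P^T$, which is why decryption multiplies by the transpose; in the Niederreiter branch the decoder returns the permuted error, and multiplying it by $P$ undoes the permutation exactly as slide 14 writes $P^{-1}(Pe^T)$ in column form.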
19-21 Code-based Cryptosystems: Code-based Encryption Schemes
- Two schemes: McEliece [M78] and Niederreiter [N86]
- Code families that have been proposed for them: Goppa, generalized Reed-Solomon, Srivastava, elliptic, concatenated, Reed-Muller, Turbo/LDPC/MDPC codes
- Key sizes for 80-bit equivalent symmetric security (numbers from the slide diagram)
  - Goppa codes: PK 63 kbyte, SK 2.5 kbyte (the $n = 2048$, $k = 1751$, $t = 27$ parameter set of slide 34)
  - QC-MDPC codes: PK 0.6 kbyte, SK 180 byte
  - A further pair shown on the diagram, PK 2.5 kbyte / SK 1.5 kbyte, whose family label is lost
22 Improved Codes: Background on (QC-)MDPC Codes
- Given a $t$-error-correcting $(n, r, w)$-QC-MDPC code of length $n = n_0 r$
- The parity-check matrix $H$ consists of $n_0$ circulant $r \times r$ blocks and has fixed row weight $w$
- Code/key generation
  1. Randomly pick the first rows $h_i \in \mathbb{F}_2^r$ of the parity-check blocks $H_i$, $0 \le i < n_0$, with weights $w_i$ such that $w = \sum_{i=0}^{n_0-1} w_i$
  2. Obtain the remaining rows by the $r-1$ quasi-cyclic shifts of each $h_i$
  3. $H = [H_0 \mid H_1 \mid \cdots \mid H_{n_0-1}]$
  4. Generator matrix in systematic form $G = [I \mid Q]$ with
     $Q = \begin{pmatrix} (H_{n_0-1}^{-1} H_0)^T \\ (H_{n_0-1}^{-1} H_1)^T \\ \vdots \\ (H_{n_0-1}^{-1} H_{n_0-2})^T \end{pmatrix}$
     (this requires $H_{n_0-1}$ to be invertible; otherwise a new $h_{n_0-1}$ is drawn)
23 Improved Codes: Background on (QC-)MDPC Codes
(Figure: the parity-check matrix $H = [H_0 \mid H_1]$ with its two circulant blocks, and the generator matrix $G = [I \mid Q]$, for $n_0 = 2$.)
25 Implementations on Embedded Systems
- Requirements for encryption
  - Random number generator (sometimes critical: the error vector must be unpredictable)
  - Matrix-vector multiplier (simple, regardless of the matrix size)
- Requirements for decryption (dependent on the deployed code)
  - Two decoders for Goppa codes (originally proposed): Berlekamp-Massey, Patterson
  - Decoding variants for QC-MDPC codes: Gallager, Huffman-Pless
26 Efficient Decoding of MDPC Codes
- General decoding principle (bit flipping)
  1. Compute the syndrome $s$ of the received word
  2. Count the number of unsatisfied parity-check equations $\#\mathrm{upc}$ for each codeword bit
  3. Flip the codeword bits that violate more than $b$ equations
  4. Recompute the syndrome
  5. Repeat until $s = 0$ or a predefined maximum number of iterations is reached (decoding failure)
- The main difference between the variants is how the threshold $b$ is computed
  - Precomputed $b_i$ for each iteration [Gal62]
  - $b = \max \#\mathrm{upc}$ [HP03]
  - $b = \max \#\mathrm{upc} - \delta$ [MTSB12]
27 Decoding Optimizations
- Observations
  - The decoders recompute the syndrome after each iteration
  - Syndrome computation is expensive!
- Optimizations
  - If the threshold is exceeded and codeword bit $j$ is flipped, the syndrome changes, but not arbitrarily: $s_{\mathrm{new}} = s_{\mathrm{old}} + h_j$, where $h_j$ is the $j$-th column of $H$
  - Hence no syndrome recomputation is needed; the decoder works with an up-to-date syndrome after every flip
28 Benchmarking
- Performance evaluation of different decoder options
  - Direct vs. temporary syndrome update
  - Different threshold techniques
  - Decoding failure if no success within 10 iterations
- C implementation on an Intel Xeon E5345 CPU @ 2.33 GHz
- 1000 random QC-MDPC codes with $n_0 = 2$, $n = 9600$, $r = 4800$, $w = 90$, $t = $ (value lost in transcription); (count lost),000 random decoding tries for each decoder
29 Most Efficient (QC-)MDPC Decoders
- Proposed decoder 1
  1. Compute the syndrome
  2. Count $\#\mathrm{upc}$ for each bit; flip the current codeword bit $j$ if $\#\mathrm{upc}$ exceeds the threshold $b_i$ and add $h_j$ to the syndrome immediately
- Proposed decoder 2: decoder 1, additionally checking $s = 0$ after each update (early termination)
30-32 Decoder Evaluation
(Figures: average decoding iterations, decoding time in µs, and decoding failure rate (0 to 0.25), each plotted against the number of errors wt(e) for the decoders [MTSB12], [Gal62], Proposal 1 and Proposal 2; the data points are not contained in the transcription.)
34 FPGA Implementations using Goppa Codes
- Results on FPGAs for roughly 80 bit of equivalent symmetric security
- Parameter set $(n = 2048, k = 1751, t = 27)$ using Goppa codes (63.5 kbyte public key!)
(Table: Niederreiter and McEliece, [enc] and [dec] columns; the values are not contained in the transcription.)
35 Comparison with other McEliece Implementations
- PK size: 0.59 kbyte (QC-MDPC) vs. (value lost in transcription) kbyte [SWM+10] and 63.5 kbyte [GDU+12] (Goppa)
- Performance evaluation: time per operation vs. throughput in Mbit/s
- Faster than previous McEliece implementations
36 FPGA Implementations using QC-MDPC Codes
- Performance evaluation: time per operation vs. throughput in Mbit/s
- PK size: 0.59 kbyte vs. the Goppa-based implementations [SWM+10] and [GDU+12] (63.5 kbyte)
(Table: McEliece [enc], [dec fast], [dec small]; the values are not contained in the transcription.)
37 Results for QC-MDPC Codes on Microcontrollers
- Encoder
  - Very frequent memory access (>50% of the runtime)
- Decoder
  - Shifting a sparse polynomial: 720 cycles
  - Adding a sparse polynomial to the syndrome: 2,200 cycles
  - Again very frequent memory access
(Runtime tables not contained in the transcription.)
38 Results for QC-MDPC Codes on Microcontrollers (cntd.)
- Much smaller than previous McEliece implementations
- Faster and smaller than RSA
- More cycles per operation than most competitors
40 Conclusions
- Code-based encryption with practical key sizes can be done even on embedded systems (efficient on FPGAs, slow/large on microcontrollers)
- McEliece/Niederreiter encryption resists all known quantum attacks
- Open research topic: analysis of the security properties of the underlying codes (QC-MDPC codes were proposed only in 2012 [MTSB12])
- Code-based signature schemes are far less efficient: the only existing solution, parallel CFS (P-CFS), is not suitable for embedded systems
41 Advances in Implementations of Code-based Cryptography on Embedded Systems
Tim Güneysu (joint work with Ingo von Maurich and Stefan Heyse), Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany
Thank you! Questions?
42 References
[Gal62] R. Gallager. Low-density Parity-check Codes. IRE Transactions on Information Theory, 8(1):21-28, 1962.
[GDU+12] S. Ghosh, J. Delvaux, L. Uhsadel, and I. Verbauwhede. A Speed Area Optimized Embedded Co-processor for McEliece Cryptosystem. In 23rd IEEE International Conference on Application-Specific Systems, Architectures and Processors (ASAP), 2012.
[HP03] W. C. Huffman and V. Pless. Fundamentals of Error-Correcting Codes. Cambridge University Press, 2003.
[MTSB12] R. Misoczki, J.-P. Tillich, N. Sendrier, and P. S. L. M. Barreto. MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes. Cryptology ePrint Archive, Report 2012/409, 2012.
[SWM+10] A. Shoufan, T. Wink, H. G. Molter, S. A. Huss, and E. Kohnert. A Novel Cryptoprocessor Architecture for the McEliece Public-Key Cryptosystem. IEEE Transactions on Computers, 59(11), 2010.
44 QC-MDPC McEliece FPGA Implementation: Encryption
- Given the first 4800-bit row $g$ of $G$ and the message $m$, compute $x = m G + e$
- $G$ is in systematic form, so the first half of $x$ equals $m$
- Computation of the redundant part
  - Iterate over the message bit by bit and rotate $g$ accordingly
  - If the message bit is set, XOR the current $g$ into the redundant part
45 QC-MDPC McEliece FPGA Implementation: Decryption (syndrome)
- Syndrome computation $s = H x^T$ with $H = [H_0 \mid H_1]$
  - Given the 9600-bit $h = [h_0 \mid h_1]$ and $x = [x_0 \mid x_1]$
  - Sequentially iterate over every bit of $x_0$ and $x_1$ in parallel and rotate $h_0$ and $h_1$ accordingly
  - If the bit in $x_0$ and/or $x_1$ is set, XOR the current $h_0$ and/or $h_1$ into the intermediate syndrome
- $s = 0$? Logical OR tree whose lowest level is built from 6-input LUTs; registers added to minimize the critical path
46 QC-MDPC McEliece FPGA Implementation: Decryption (bit flipping)
- Count $\#\mathrm{upc}$ for the current row $h = [h_0 \mid h_1]$
  - Compute $\mathrm{HW}(s \wedge h_0)$ and $\mathrm{HW}(s \wedge h_1)$
  - Split the AND results into 6-bit blocks and look up their Hamming weight
  - An adder tree with registers on every level accumulates the overall Hamming weight
  - Parallel vs. iterative design
- Bit-flipping step
  - If the weight exceeds the threshold $b_i$, the corresponding bit in codeword half $x_0$ and/or $x_1$ is flipped
  - The syndrome is updated by XORing the current secret polynomial $h_0$ and/or $h_1$ (the column $h_j$ of slide 27)
  - Generate the next row $h$ and repeat
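As an added example (not the authors' FPGA or microcontroller code), the QC-MDPC key generation of slide 22, the rotate-and-XOR encoder and syndrome computation of slides 44 and 45, and the bit-flipping decoder with direct syndrome update and early termination of slides 26-29 and 46, written in Python with $r$-bit integers standing in for the rotating shift registers. The parameters ($r = 53$, $n_0 = 2$, $w = 10$) and the two secret supports are constructed toy values, far too small to be secure. The inverse of $h_1$ is computed by exponentiation, which works because this example picks $r$ prime with 2 a primitive root modulo $r$ (so $x^r - 1$ splits as $(x+1)$ times an irreducible factor); that choice and all function names are the example's own, not the authors' method.

```python
import random

# Toy QC-MDPC parameters (illustration only, not a secure size). r = 53 is prime
# with 2 a primitive root mod 53, so over GF(2) x^53 - 1 = (x + 1) * Phi(x) with
# Phi irreducible; every odd-weight polynomial is then invertible mod x^r - 1.
R, N0 = 53, 2
N = N0 * R
MASK = (1 << R) - 1
# Constructed secret key: supports of h0, h1 (weight 5 each, w = 10). Bit i <-> x^i.
H0 = sum(1 << i for i in (0, 2, 3, 11, 20))
H1 = sum(1 << i for i in (0, 1, 5, 14, 27))

def rotl(a, k):
    """a(x) * x^k mod (x^R - 1): cyclic left rotation of an R-bit register."""
    k %= R
    return ((a << k) | (a >> (R - k))) & MASK

def pmul(a, b):
    """Product in GF(2)[x]/(x^R - 1), done exactly like the slides' encoder:
    for every set bit of b, XOR the correspondingly rotated a into the result."""
    acc = 0
    for i in range(R):
        if (b >> i) & 1:
            acc ^= rotl(a, i)
    return acc

def pinv(h):
    """Inverse of an odd-weight h. The ring is GF(2) x GF(2^(R-1)); on both
    components y -> y^(2^(R-1) - 2) is inversion, hence on the whole ring."""
    result, base, e = 1, h, (1 << (R - 1)) - 2
    while e:
        if e & 1:
            result = pmul(result, base)
        base = pmul(base, base)
        e >>= 1
    assert pmul(result, h) == 1
    return result

# Public key: g = h1^{-1} * h0, the first row of Q in G = [I | Q] (slide 22).
G_PUB = pmul(pinv(H1), H0)

def encode(m):
    """x = m G with G = [I | Q]: first half is m, redundant half is g * m (slide 44)."""
    return m, pmul(G_PUB, m)

def syndrome(x0, x1):
    """s = H x^T = h0 * x0 + h1 * x1, rotate-and-XOR over the bits of x (slide 45)."""
    return pmul(H0, x0) ^ pmul(H1, x1)

def upc(s, h, j):
    """Unsatisfied parity checks of bit j in the block with first column h: HW(s AND h_j)."""
    return bin(s & rotl(h, j)).count("1")

def bitflip_decode(x0, x1, delta=0, max_iter=10):
    """Bit flipping with in-place syndrome update and early exit (Proposal 2).
    Threshold per iteration b = max upc - delta: [HP03] for delta = 0, [MTSB12]
    for delta > 0. Returns the corrected (x0, x1) or None on decoding failure."""
    s = syndrome(x0, x1)
    blocks, hs = [x0, x1], [H0, H1]
    for _ in range(max_iter):
        if s == 0:
            return tuple(blocks)
        # Pass 1: threshold from the current syndrome (never below 1).
        b = max(max(upc(s, hs[i], j) for j in range(R)) for i in range(N0)) - delta
        b = max(b, 1)
        # Pass 2: flip and update s = s + h_j (slide 27) instead of recomputing H x^T.
        for i in range(N0):
            for j in range(R):
                if upc(s, hs[i], j) >= b:
                    blocks[i] ^= 1 << j
                    s ^= rotl(hs[i], j)
                    if s == 0:
                        return tuple(blocks)
    return None

def encrypt(m, e0, e1):
    x0, x1 = encode(m)
    return x0 ^ e0, x1 ^ e1

def decrypt(x0, x1, delta=0):
    """Systematic code: the message is the first half of the decoded word (slide 17)."""
    out = bitflip_decode(x0, x1, delta)
    return None if out is None else out[0]

def failure_rate(t, trials, seed, delta=0):
    """Fraction of random t-error patterns the decoder fails on (or miscorrects),
    the quantity plotted on slide 32."""
    rng = random.Random(seed)
    fails = 0
    for _ in range(trials):
        m = rng.getrandbits(R)
        e0 = e1 = 0
        for pos in rng.sample(range(N), t):
            if pos < R:
                e0 |= 1 << pos
            else:
                e1 |= 1 << (pos - R)
        if decrypt(*encrypt(m, e0, e1), delta=delta) != m:
            fails += 1
    return fails / trials
```

For a single error the [HP03] threshold decodes in one iteration: the erroneous bit violates all five of its checks, while any other bit shares at most four checks with it (two distinct rotations of a weight-5 support over a prime length, or rotations of two different supports, overlap in at most four positions), so only the right bit reaches the maximum. With several errors the thresholds interact and the decoder can fail or miscorrect, which is exactly why the failure rate has to be measured per parameter set and why a failed decode must be handled by the caller rather than treated as impossible.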
More informationThis chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest
1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published
More informationBasic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline
CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationA SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS
A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS Ounasser Abid 1 and Omar Khadir 2 1, 2 Laboratory of Mathematics, Cryptography and Mechanics, FSTM University Hassan II of Casablanca, Morocco
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationAn IBE Scheme to Exchange Authenticated Secret Keys
An IBE Scheme to Exchange Authenticated Secret Keys Waldyr Dias Benits Júnior 1, Routo Terada (Advisor) 1 1 Instituto de Matemática e Estatística Universidade de São Paulo R. do Matão, 1010 Cidade Universitária
More informationAdvanced Security for Systems Engineering VO 09: Applied Cryptography
Advanced Security for Systems Engineering VO 09: Applied Cryptography Clemens Hlauschek Lukas Brandstetter Christian Schanes INSO Industrial Software Institute of Computer Aided Automation Faculty of Informatics
More informationCryptanalyzing the Polynomial Reconstruction based Public-Key System under Optimal Parameter Choice
Cryptanalyzing the Polynomial Reconstruction based Public-Key System under Optimal Parameter Choice Aggelos Kiayias - Moti Yung U. of Connecticut - Columbia U. (Public-Key) Cryptography intractability
More informationLDPC Codes a brief Tutorial
LDPC Codes a brief Tutorial Bernhard M.J. Leiner, Stud.ID.: 53418L bleiner@gmail.com April 8, 2005 1 Introduction Low-density parity-check (LDPC) codes are a class of linear block LDPC codes. The name
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem Daniel J. Bernstein 1, Tanja Lange 2, and Christiane Peters 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois
More informationImplementation of a Real Time Programmable Encoder for Low Density Parity Check Code on a Reconfigurable Instruction Cell Architecture
Implementation of a Real Time Programmable Encoder for Low Density Parity Check Code on a Reconfigurable Instruction Cell Architecture Zahid Khan, Tughrul Arslan System Level Integration Group, The University
More informationUsing Error Detection Codes to detect fault attacks on Symmetric Key Ciphers
Using Error Detection Codes to detect fault attacks on Symmetric Key Ciphers Israel Koren Department of Electrical and Computer Engineering Univ. of Massachusetts, Amherst, MA collaborating with Luca Breveglieri,
More informationFPGA Implementation of Optimized DES Encryption Algorithm on Spartan 3E
FPGA Implementation of Optimized DES Encryption Algorithm on Spartan 3E Amandeep Singh, Manu Bansal Abstract - Data Security is an important parameter for the industries. It can be achieved by Encryption
More informationHigh-Performance Integer Factoring with Reconfigurable Devices
FPL 2010, Milan, August 31st September 2nd, 2010 High-Performance Integer Factoring with Reconfigurable Devices Ralf Zimmermann, Tim Güneysu, Christof Paar Horst Görtz Institute for IT-Security Ruhr-University
More informationECC Elliptic Curve Cryptography. Foundations of Cryptography - ECC pp. 1 / 31
ECC Elliptic Curve Cryptography Foundations of Cryptography - ECC pp. 1 / 31 Elliptic Curve an elliptic curve E is a smooth, projective, algebraic curve defined by the following equation: y 2 3 2 a xy
More informationPerformance Analysis of Gray Code based Structured Regular Column-Weight Two LDPC Codes
IOSR Journal of Electronics and Communication Engineering (IOSR-JECE) e-issn: 2278-2834,p- ISSN: 2278-8735.Volume 11, Issue 4, Ver. III (Jul.-Aug.2016), PP 06-10 www.iosrjournals.org Performance Analysis
More information90A John Muir Drive Buffalo, New York Tel: Fax:
Reed Solomon Coding The VOCAL implementation of Reed Solomon (RS) Forward Error Correction (FEC) algorithms is available in several forms. The forms include pure software and software with varying levels
More informationA Parallel, In-Place, Rectangular Matrix Transpose Algorithm
Stefan Amberger ICA & RISC amberger.stefan@gmail.com A Parallel, In-Place, Rectangular Matrix Transpose Algorithm Description of Algorithm and Correctness Proof Table of Contents 1. Introduction 2. Description
More informationAdaptive Multi-bit Crosstalk-Aware Error Control Coding Scheme for On-Chip Communication
Abstract: Adaptive Multi-bit Crosstalk-Aware Error Control Coding Scheme for On-Chip Communication The presence of different noise sources and continuous increase in crosstalk in the deep sub micrometer
More informationA New Non-Iterative Decoding Algorithm for the Erasure Channel : Comparisons with Enhanced Iterative Methods
SUBMITTED TO ISIT 2005 ON 31 JANUARY 2005 1 arxiv:cs/0503006v1 [cs.it] 2 Mar 2005 A New Non-Iterative Decoding Algorithm for the Erasure Channel : Comparisons with Enhanced Iterative Methods J. Cai, C.
More informationFPGA Accelerated Tate Pairing Cryptosystems over Binary Fields
FPGA Accelerated ate Pairing Cryptosystems over Binary Fields Chang Shu, Soonhak Kwon, and Kris Gaj Dept. of ECE, George Mason University Fairfax VA, USA Dept. of Mathematics, Sungkyukwan University Suwon,
More informationAdvanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50
Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested
More informationCode-Based Cryptography McEliece Cryptosystem
Code-Based Cryptography McEliece Cryptosystem I. Márquez-Corbella 0 2. McEliece Cryptosystem 1. Formal Definition 2. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationLecture 6 - Cryptography
Lecture 6 - Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12 Question Setup: Assume you and I donʼt know anything about
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationType-II optimal polynomial bases. D. J. Bernstein University of Illinois at Chicago. Joint work with: Tanja Lange Technische Universiteit Eindhoven
Type-II optimal polynomial bases D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Bigger project: Breaking ECC2K-130. Daniel V. Bailey,
More informationCAKE: Code-based Algorithm for Key Encapsulation
CAKE: Code-based Algorithm for Key Encapsulation Paulo S. L. M. Barreto 1,2, Shay Gueron 3,4, Tim Güneysu 5,6, Rafael Misoczki 7, Edoardo Persichetti 8, Nicolas Sendrier 9, Jean-Pierre Tillich 9 1 University
More informationThe transition to post-quantum cryptography. Peter Schwabe February 19, 2018
The transition to post-quantum cryptography Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 19, 2018 About me Assistant professor at Radboud University Working on high-speed high-security
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationPublic Key Cryptography and RSA
Public Key Cryptography and RSA Major topics Principles of public key cryptosystems The RSA algorithm The Security of RSA Motivations A public key system is asymmetric, there does not have to be an exchange
More informationHardware Architectures
Hardware Architectures Secret-key Cryptography Public-key Cryptography Cryptanalysis AES & AES candidates estream candidates Hash Functions SHA-3 Montgomery Multipliers ECC cryptosystems Pairing-based
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationCryptography. Summer Term 2010
Summer Term 2010 Chapter 2: Hash Functions Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2 Contents Definition and basic properties Basic design principles
More information