Introducing Arithmetic Failures to Accelerate QC-MDPC Code-Based Cryptography

Abstract

In this work, we optimize the performance of QC-MDPC code-based cryptosystems through the insertion of configurable failure rates in their arithmetic procedures. We present constant time algorithms with a configurable failure rate for multiplication and inversion over binary polynomials, the two most expensive subroutines used in QC-MDPC implementations. Using a failure rate negligible compared to the security level (\(2^{-128}\)), our multiplication is 2 times faster than NTL on sparse polynomials and 1.6 times faster than a naive constant-time sparse polynomial multiplication. Our inversion algorithm, based on Wu et al., is 2 times faster than the original algorithm and 12 times faster than Itoh-Tsujii using the same modulus polynomial (\(x^{32749} - 1\)). By inserting these algorithms in a version of QcBits at the 128-bit quantum security level, we were able to achieve a speedup of 1.9 on the key generation and up to 1.4 on the decryption time. Comparing with variant 2 of the BIKE suite, which also implements the Niederreiter Cryptosystem using QC-MDPC codes, our final version of QcBits performs the uniform decryption 2.7 times faster.

Appendices

A Implementing Conditional Statements (Ifs) in Constant-Time

Listing 1 shows an example of a non-constant-time conditional operation. Assuming that A and B are secret data, this implementation is vulnerable to timing side-channel attacks. Listing 2 shows the equivalent constant-time implementation (considering that Function1 and Function2 do not have side effects). The operations using 64-bit integers (uint64_t) had their results conditionally selected through a bit-wise AND with the mask cond. When using AVX-512 registers, the implementation of conditional operations is significantly simplified. The AVX-512 instruction set extension already provides masked versions for most of its instructions. In this way, we simply use the mask cond in the mask field of the intrinsics of these instructions.

B Implementing the Degree Verification Efficiently

Our modification of Wu et al. algorithm introduced two main drawbacks in the performance of the algorithm. The first is the constant-time implementation of the function \(Smallest\_Monomial\_Degree\). For large polynomials (such as the ones used in code-based cryptography), it would be very expensive to search the smallest monomial on the entire polynomial. Therefore, we search only the first E bits of the polynomial, change the If condition to test if the result is different of E and adjust the number of iterations to compensate for this limitation. Algorithm 11 shows this modification. Using the inverted binary representation of the polynomial (shown in Fig. 5), we can obtain the degree of the smallest monomial by calculating the number of leading zeros of the representation. Most of the modern architectures enable this calculation with a single instruction. Intel, for instance, provides instructions for counting the leading zeros running in constant-time for 32-bit words (since i386), 64-bit words (since Haswell), and 64-bit lanes on SIMD registers (AVX-512). Other architectures enable equivalent or complementary operations, such as rounded binary logarithm or trailing zeros, which may require modifications in the polynomial representation, but, ultimately, would not impact performance.

Fig. 5.

Example polynomial, its inverted binary representation and its sparse representation, respectively.

The second drawback in our version are the divisions. In the original algorithm, the divisor was always x. We modified it to \(x^b\), where \(0 < b \le E\). Constant-time divisions usually have its execution time defined by the upper bound of the divisor and, thus, the parameter E also appears as a trade-off between the number of iterations and the performance of each iteration. Fortunately, it is easy to optimize its value in our case. Using SIMD registers in the Intel architecture, the execution time of dividing by x or \(x^{64}\) is the same, while greater exponents require much more expensive instructions to move bits across the SIMD lanes. In this way, we choose \(E = 64\), which also helps the implementation of the function \(Smallest\_Monomial\_Degree\).

C Proof of Eq. 2

Proposition 1

In Eq. 2, if \(P(r_{j,0} = 1) \le 0.5\) then \(P(r_{j,i} = 1) \le 0.5\) for all \(i \ge 0\).

Proof

We prove it using induction on i.

Base case: If \(i = 0\), then \(P(r_{j,i} = 1) = P(r_{j,0} = 1) \le 0.5\).

Inductive Hypothesis: if \(P(r_{j,0} = 1) \le 0.5\) then \(P(r_{j,i} = 1) \le 0.5\) for all \(1 \le i < n\)

Inductive Step: Let \(i = n\).

$$\begin{aligned} \begin{aligned} P(r_{j,n} = 1) = P(r_{0, n-1} = 1) \times P(s_{j+1, n-1} \oplus r_{j+1, n-1} = 1)\ +\ P(r_{0, n-1} = 0)\\ \times \,P(r_{j+1, n-1} = 1) \end{aligned} \end{aligned}$$

Knowing that

$$\begin{aligned} \begin{aligned} P((X \oplus Y) = 1) = P(X = 1) \times P(Y = 0) + P(X = 0) \times P(Y = 1) \\ = P(X = 1) \times (1 - P(Y = 1)) + (1 - P(X = 1)) \times P(Y = 1) \\ = P(X = 1) + P(Y = 1) - 2 \times P(Y = 1) \times P(X = 1) \end{aligned} \end{aligned}$$

We have

$$\begin{aligned} \begin{aligned} P(r_{j,n} = 1) = P(r_{0, n-1} = 1) \times [P(r_{j+1, n-1} = 1) + P(s_{j+1, n-1} = 1) \\ - 2 \times P(s_{j+1, n-1} = 1) \times P(r_{j+1, n-1} = 1)] + P(r_{0, n-1} = 0) \times P(r_{j+1, n-1} = 1) \\ = P(r_{j+1, n-1} = 1) + P(r_{0, n-1} = 1) \times [P(s_{j+1, n-1} = 1) \\ - 2 \times P(s_{j+1, n-1} = 1) \times P(r_{j+1, n-1} = 1)] \end{aligned} \end{aligned}$$

Let f(X, Y, Z) be the value of \(P(r_{j,n} = 1)\) for \(X = P(r_{0, n-1} = 1)\), \(Y = P(r_{j+1, n-1} = 1)\) and \(Z = P(s_{j+1, n-1} = 1)\). By our inductive hypothesis, \(0 \le P(r_{0, n-1} = 1) \le 0.5\) and \(0 \le P(r_{j+1, n-1} = 1) \le 0.5\). We could obtain a tighter interval for \(P(s_{j+1, n-1} = 1)\) addressing its own recurrence relation, but that is not necessary. Thus, we consider \(0 \le P(s_{j+1, n-1} = 1) \le 1\). To maximize the value of f in these intervals, we first check the boundaries:

$$f(0,0,0) = f(0,0,1) = f(0.5,0,0) = 0$$

$$f(0,0.5,0) = f(0,0.5,1) = f(0.5,0,1) = f(0.5,0.5,0) = f(0.5,0.5,1) = 0.5$$

The next step would be a search for a local maximum, which clearly does not exist since f is linear in all variables.