Abstract
In 2013, Misoczki, Tillich, Sendrier and Barreto proposed a variant of the McEliece cryptosystem based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes. This proposal uses an iterative bit-flipping algorithm in its decryption procedure. Such algorithms fail with a small probability.
At Asiacrypt 2016, Guo, Johansson and Stankovski (GJS) exploited these failures to perform a key recovery attack. They introduced the notion of the distance spectrum of a sparse vector and showed that the knowledge of the spectrum is enough to find the vector. By observing many failing plaintexts they recovered the distance spectrum of the QC-MDPC secret key.
In this work, we explore the underlying causes of this attack, ways in which it can be improved, and how it can be mitigated.
We prove that correlations between the spectrum of the key and the spectrum of the error induce a bias on the distribution of the syndrome weight. Hence, the syndrome weight is the fundamental quantity from which secret information leaks. Assuming a side-channel allows the observation of the syndrome weight, we are able to perform a key-recovery attack, which has the advantage of exploiting all known plaintexts, not only those leading to a decryption failure. Based on this study, we derive a timing attack. It performs well on most decoding algorithms, even on the recent variants where the decryption failure rate is low, a case which is more challenging to the GJS attack. To our knowledge, this is the first timing attack on a QC-MDPC scheme.
Finally, we show how to construct a new KEM, called ParQ that can reduce the decryption failure rate to a level negligible in the security parameter, without altering the QC-MDPC parameters. This is done through repeated encryption. We formally prove the IND-CCA2 security of ParQ, in a model that considers decoding failures. This KEM offers smaller key sizes and is suitable for purposes where the public key is used statically.
N. Sendrier—Supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 645622 (PQCRYPTO).
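The leak described in the abstract, as an added example that is not code from the paper: a small numpy simulation which samples random errors, records the syndrome weight conditioned on the first error block containing a pair of ones at each cyclic distance, and checks that the distances belonging to the secret key's distance spectrum show a lower mean syndrome weight. The toy parameters (r = 257, d = 9, t = 12, far too small to be secure), the seed, the sample count and all function names (`mul`, `spectrum`, `run_demo`, ...) are assumptions of this example, not values or identifiers from the paper.

```python
import numpy as np

# Toy QC-MDPC parameters, constructed for this demo and far too small to be secure:
# block length r, column weight d = w/2 of each circulant block, error weight t.
R, D, T = 257, 9, 12


def vec(support, length=R):
    """Binary vector of the given length with ones exactly at `support`."""
    v = np.zeros(length, dtype=np.uint8)
    v[list(support)] = 1
    return v


def rand_vec(rng, length, weight):
    """Uniformly random binary vector of the given length and Hamming weight."""
    return vec(rng.choice(length, weight, replace=False), length)


def mul(h, v):
    """Product h*v in F2[x]/(x^R - 1): XOR of v shifted by every exponent in supp(h).
    Column j of the circulant block H_i is x^j h_i, so the syndrome H e^T is h0*e0 + h1*e1."""
    acc = np.zeros(R, dtype=np.uint8)
    for k in np.flatnonzero(h):
        acc ^= np.roll(v, k)
    return acc


def spectrum(v):
    """Distance spectrum of v: the cyclic distances occurring between pairs of its ones."""
    p = np.flatnonzero(v)
    diff = np.abs(p[:, None] - p[None, :])
    dist = np.minimum(diff, R - diff)
    return np.unique(dist[np.triu_indices(len(p), 1)])


def syndrome_weight_by_distance(rng, h0, h1, n_samples):
    """For every distance delta, the mean syndrome weight |s| over random errors
    e = (e0, e1) whose first block contains a pair of ones at cyclic distance delta.
    Two shifted copies x^a h0 and x^b h0 with b - a = delta overlap in as many
    positions as delta occurs in the spectrum of h0, and each overlap cancels two
    ones of the syndrome, which is the bias the attack measures."""
    sums = np.zeros(R // 2 + 1)
    counts = np.zeros(R // 2 + 1)
    for _ in range(n_samples):
        e = rand_vec(rng, 2 * R, T)
        e0, e1 = e[:R], e[R:]
        s = mul(h0, e0) ^ mul(h1, e1)
        deltas = spectrum(e0)
        sums[deltas] += int(s.sum())
        counts[deltas] += 1
    means = np.full(R // 2 + 1, np.inf)
    seen = counts > 0
    means[seen] = sums[seen] / counts[seen]
    return means, counts


def recover_spectrum(means, size):
    """Guess the key spectrum as the `size` distances with the lowest conditional mean."""
    return set(int(d) for d in np.argsort(means)[:size])


def run_demo(seed=1, n_samples=6000):
    rng = np.random.default_rng(seed)
    h0, h1 = rand_vec(rng, R, D), rand_vec(rng, R, D)      # secret key blocks
    true_spec = set(int(d) for d in spectrum(h0))
    means, counts = syndrome_weight_by_distance(rng, h0, h1, n_samples)
    seen = [d for d in range(1, R // 2 + 1) if counts[d] > 0]
    inside = [means[d] for d in seen if d in true_spec]
    outside = [means[d] for d in seen if d not in true_spec]
    guess = recover_spectrum(means, len(true_spec))
    return {
        "mean_inside": float(np.mean(inside)),
        "mean_outside": float(np.mean(outside)),
        "recall": len(guess & true_spec) / len(true_spec),
    }


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns the two conditional means and the fraction of the key spectrum recovered by taking the distances with the lowest mean. The shift per shared distance is on the order of one syndrome bit, so the statistic needs many observations; the point of the abstract is that every observed plaintext contributes, not only the failing ones, and that the decoder's running time is enough to estimate the syndrome weight when it is not read directly.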
Notes
1. In case of a tie, we choose the smallest threshold, but never smaller than d/2.
2. We use the linear approximation unless the quadratic approximation gives different values of \(b_i(\sigma )=\lceil g_i(\sigma )\rceil \) for \(\sigma \) in the observed range.
References
NIST post-quantum cryptography project, round 1 submissions (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Aragon, N., Barreto, P.S.L.M., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J.C., Gaborit, P., Gueron, S., Güneysu, T., Melchor, C.A., Misoczki, R., Persichetti, E., Sendrier, N., Tillich, J.P., Zémor, G.: BIKE—bit flipping key encapsulation (2017). http://bikesuite.org
Augot, D., Batina, L., Bernstein, D.J., Bos, J., Buchmann, J., Castryck, W., Dunkelman, O., Güneysu, T., Gueron, S., Hülsing, A., Lange, T., Mohamed, M.S.E., Rechberger, C., Schwabe, P., Sendrier, N., Vercauteren, F., Yang, B.Y.: Initial recommendations of long-term secure post-quantum systems (2015). http://pqcrypto.eu.org/docs/initial-recommendations.pdf
Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 246–262. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85855-3_17
Barreto, P.S.L.M., Gueron, S., Güneysu, T., Misoczki, R., Persichetti, E., Sendrier, N., Tillich, J.P.: CAKE: code-based algorithm for key encapsulation. Cryptology ePrint Archive, Report 2017/757 (2017)
Bernstein, D.J., Chou, T., Lange, T., von Maurich, I., Misoczki, R., Niederhagen, R., Persichetti, E., Peters, C., Schwabe, P., Sendrier, N., Szefer, J., Wang, W.: Classic McEliece (2017). https://classic.mceliece.org
Bernstein, D.J., Chou, T., Schwabe, P.: McBits: fast constant-time code-based cryptography. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 250–272. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_15
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Chaulet, J.: Étude de cryptosystèmes à clé publique basés sur les codes MDPC quasi-cycliques. Ph.D. thesis, Université Pierre et Marie Curie-Paris VI (2017)
Chaulet, J., Sendrier, N.: Worst case QC-MDPC decoder for McEliece cryptosystem. In: IEEE International Symposium on Information Theory, (ISIT 2016), pp. 1366–1370 (2016)
Chen, C., Eisenbarth, T., von Maurich, I., Steinwandt, R.: Differential power analysis of a McEliece cryptosystem. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 538–556. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_26
Chen, C., Eisenbarth, T., von Maurich, I., Steinwandt, R.: Horizontal and vertical side channel analysis of a McEliece cryptosystem. IEEE Trans. Inf. Forensics Secur. 11(6), 1093–1105 (2016)
Chou, T.: QcBits: constant-time small-key code-based cryptography. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 280–300. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_14
Deneuville, J.-C., Gaborit, P., Zémor, G.: Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 18–34. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_2
Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12
Döttling, N., Dowsley, R., Müller-Quade, J., Nascimento, A.C.A.: A CCA2 secure variant of the McEliece cryptosystem. IEEE Trans. Inf. Theory 58(10), 6672–6680 (2012)
Fabšič, T., Hromada, V., Stankovski, P., Zajac, P., Guo, Q., Johansson, T.: A reaction attack on the QC-LDPC McEliece cryptosystem. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 51–68. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_4
Gaborit, P.: Shorter keys for code based cryptography. In: Proceedings of WCC, pp. 81–90 (2005)
Gallager, R.G.: Low-density parity-check codes. Ph.D. thesis, Massachusetts Institute of Technology (1963)
Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016 Part I. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_29
Habib, M., McDiarmid, C., Ramirez-Alfonsin, J., Reed, B.: Probabilistic methods for algorithmic discrete mathematics, vol. 16. Springer Science & Business Media, Heidelberg (2013). https://doi.org/10.1007/978-3-662-12788-9
Heyse, S., von Maurich, I., Güneysu, T.: Smaller keys for code-based cryptography: QC-MDPC McEliece implementations on embedded devices. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 273–292. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_16
Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems -conversions for McEliece PKC -. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 19–35. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_2
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
von Maurich, I., Güneysu, T.: Towards side-channel resistant implementations of QC-MDPC McEliece encryption on constrained devices. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 266–282. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_16
von Maurich, I., Heberle, L., Güneysu, T.: IND-CCA secure hybrid encryption from QC-MDPC niederreiter. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 1–17. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_1
von Maurich, I., Oder, T., Güneysu, T.: Implementing QC-MDPC McEliece encryption. ACM Trans. Embed. Comput. Syst. (TECS) 14(3), 44:1–44:27 (2015)
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Netw. Prog. Rep. 44, 114–116 (1978)
Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory, pp. 2069–2073 (2013)
Monico, C., Rosenthal, J., Shokrollahi, A.: Using low density parity check codes in the McEliece cryptosystem. In: IEEE International Symposium on Information Theory - ISIT 2000, p. 215. IEEE (2000)
Niederreiter, H.: Knapsack type of cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15(2), 159–166 (1986)
Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_25
Strenzke, F.: A timing attack against the secret permutation in the McEliece PKC. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 95–107. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_8
Strenzke, F.: Timing attacks against the syndrome inversion in code-based cryptosystems. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 217–230. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_15
Strenzke, F., Tews, E., Molter, H.G., Overbeck, R., Shoufan, A.: Side channels in the McEliece PKC. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 216–229. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_15
Yoshida, Y., Morozov, K., Tanaka, K.: CCA2 key-privacy for code-based encryption in the standard model. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 35–50. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_3
Appendices
A Security Definitions and Games
These standard definitions, used in the security proof for ParQ, have been replicated from [15] for the sake of completeness.
The IND-CCA2 and OW-CPA games take place between two parties, the challenger \(\mathcal {C}\), and the attacker or adversary, \(\mathcal {A}\).
Game 1 (IND-CCA2 Challenge).
1. \(\mathcal {C}\) obtains \((pk,sk) \leftarrow \mathsf {ParQ{.}KeyGen}(1^\lambda )\), and sends pk to \(\mathcal {A}\). \(\mathcal {C}\) runs \(\mathsf {ParQ{.}Enc}(s)\) with a uniformly random s, obtaining \(K_0, C\). \(\mathcal {C}\) then generates a uniformly random \(K_1 \in \{0,1\}^\lambda \), and a uniformly random bit \(b \in \{0,1\}\). \(\mathcal {C}\) then sends C and \(K_b\) to \(\mathcal {A}\).
2. \(\mathcal {A}\) may freely send decapsulation queries C to \(\mathcal {C}\). \(\mathcal {C}\) responds by sending \(\mathsf {ParQ{.}Dec}(C)\) to \(\mathcal {A}\). The only exception is that \(\mathcal {A}\) may not send the challenge encapsulation C as a decapsulation query.
3. Eventually, \(\mathcal {A}\) must return a bit \(b'\) as a guess for the bit b. \(\mathcal {A}\) is said to have won the IND-CCA2 game if \(b' = b\).
We write \(\mathcal {A}\)’s probability of winning Game 1 as \(1/2 + \epsilon \). We call \(\epsilon \) the adversary’s advantage in breaking IND-CCA2 security.
Game 2 (OW-CPA Challenge).
1. \(\mathcal {C}\) generates \((pk,sk) \leftarrow \mathsf {QCMDPC{.}KeyGen}(1^\lambda )\). They select a uniformly random \(x \xleftarrow {\$} \{ 0,1\}^k\) and \(e \xleftarrow {\$} \{0,1\}^n\), with e having weight t. They then compute \(c^* \leftarrow \mathsf {QCMDPC{.}Enc}(pk,x,e)\) and send \(c^*\) and pk to \(\mathcal {A}\).
2. \(\mathcal {A}\) performs some computation on \(c^*\) and pk. Eventually they must produce an \(x'\). \(\mathcal {A}\) is said to have won the OW-CPA game if \(x' = x\).
B Choosing the Bit-Flipping Thresholds
In the standard literature, rules for threshold computation are heuristic and are not available for all parameter sets. To make clear that our experiments were fair, we describe the rules we used for fixed and variable thresholds. We denote by \(d=w/2\) the column weight.
Monitoring Strategy: For a given set of parameters, we run the bit-flipping algorithm on many random instances and at each iteration we choose the threshold which minimizes the error weight at the end of all flips (see Note 1). This is possible in a simulation because we know the initial error pattern and can monitor its evolution. We will refer to this as the “monitoring strategy” and use it as a tool to define the thresholds.
Fixed Thresholds: For a given set of parameters, we run a simulation using the monitoring strategy and we keep track of the threshold values used at the first iteration. The maximum of those values is kept as the fixed threshold, say \(b_0\), for the first iteration. We run a second simulation, for which the first threshold is fixed to \(b_0\) and the monitoring strategy is used for the following iterations. We keep track of the threshold values used at the second iteration. The maximum of those values is kept as the fixed threshold, say \(b_1\), for the second iteration. We repeat this until we reach the maximal expected number of iterations.
Variable thresholds: For a given set of parameters, the goal is to establish a rule \(b_i(\sigma )\), \(i\ge 0\), giving the i-th iteration threshold as a function of the syndrome weight \(\sigma \). Assuming all \(b_\ell \) for \(\ell <i\) are known, we run a simulation using the functions \(b_0,\ldots {},b_{i-1}\) for the first i iterations and the monitoring strategy after that. We keep track of the pairs \((\sigma ,b)\) of syndrome weights and threshold values used at the i-th iteration. For each syndrome weight \(\sigma \), we define \(f_i(\sigma )\) as the average of all thresholds observed. Next, using the least squares method, we find the quadratic (see Note 2) function \(g_i(\sigma )\) which best approximates all the points \((\sigma ,f_i(\sigma ))\), each weighted by the number of occurrences of the syndrome weight \(\sigma \). The threshold function for the i-th iteration will be \(\lceil g_i(\sigma )\rceil \). We add the condition that \(b_i\) is increasing with \(\sigma \) and get \(b_i:\sigma \rightarrow \max \left( b_i^{\mathrm {min}},\lceil g_i(\sigma )\rceil \right) \), where \(b_i^{\mathrm {min}}\) is the minimal value of \(\lceil g_i(\sigma )\rceil \) over the observed range of \(\sigma \), and is never smaller than d/2.
Results and Comments. We give below the threshold rules we used for our simulations, deduced from the above process. Note that we do not claim, nor did we observe, that those rules give any kind of improvement in speed or failure rate.
Fixed Thresholds. For 80-bit security parameters, \((k,w,t)=(4801,90,84)\), we have \((b_i)_{i\ge 0} =(30,28,26,25,23,\ldots {})\). The dots mean that the last value is repeated as often as necessary. We remark that, for the same parameters, QcBits [13] uses thresholds that are exactly one unit lower for the first 4 iterations. This probably reflects the fact that our strategy is rather conservative.
For 128-bit security, \((k,w,t)=(10163,142,134)\), we get \((b_i)_{i\ge 0} = (46, 43, 41, 40, 39, 37, 36,\ldots {})\). Finally, for 256-bit security, \((k,w,t)=(32771,274,264)\), we obtain \((b_i)_{i\ge 0} =(83,80,77,74,72,\ldots {})\).
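The fixed-threshold rule above put to work, as an added example that is not the paper's code: a parallel bit-flipping decoder for the 80-bit parameters \((k,w,t)=(4801,90,84)\) with the thresholds (30, 28, 26, 25, 23, ...), computing the counters \(|s \wedge x^j h|\) block by block with cyclic shifts of the syndrome. The iteration cap of 20, the flip condition "counter \(\ge b_i\)", the seed and all function names are assumptions of this example.

```python
import numpy as np

# 80-bit QC-MDPC parameters from Appendix B: r = 4801, w = 90 (so d = 45 per block), t = 84.
R, D, T = 4801, 45, 84
# Fixed thresholds from Appendix B; the last value is reused for all later iterations.
THRESHOLDS = (30, 28, 26, 25, 23)
MAX_ITER = 20   # assumed iteration cap, not a value from the paper


def vec(support, length=R):
    """Binary vector of the given length with ones exactly at `support`."""
    v = np.zeros(length, dtype=np.uint8)
    v[list(support)] = 1
    return v


def rand_vec(rng, length, weight):
    """Uniformly random binary vector of the given length and Hamming weight."""
    return vec(rng.choice(length, weight, replace=False), length)


def mul(h, v):
    """Product h*v in F2[x]/(x^R - 1): XOR of v shifted by every exponent in supp(h).
    Column j of the circulant block H_i is x^j h_i, so H e^T = h0*e0 + h1*e1."""
    acc = np.zeros(R, dtype=np.uint8)
    for k in np.flatnonzero(h):
        acc ^= np.roll(v, k)
    return acc


def counters(h, s):
    """counter[j] = |s AND x^j h|, the number of unsatisfied parity checks involving
    position j of this block, i.e. the sum over k in supp(h) of s[(j + k) mod R]."""
    c = np.zeros(R, dtype=np.int32)
    for k in np.flatnonzero(h):
        c += np.roll(s, -k)
    return c


def bit_flip(h0, h1, s):
    """Parallel bit flipping with the fixed per-iteration thresholds b_i: every position
    whose counter reaches b_i (assumed rule: >= b_i) is flipped, then the syndrome is
    updated. Returns (error estimate, iterations used, whether the syndrome reached 0)."""
    s = s.copy()
    e = np.zeros(2 * R, dtype=np.uint8)
    for it in range(MAX_ITER):
        if not s.any():
            return e, it, True
        b = THRESHOLDS[min(it, len(THRESHOLDS) - 1)]
        f0 = (counters(h0, s) >= b).astype(np.uint8)
        f1 = (counters(h1, s) >= b).astype(np.uint8)
        e[:R] ^= f0
        e[R:] ^= f1
        s ^= mul(h0, f0) ^ mul(h1, f1)      # syndrome of the updated estimate
    return e, MAX_ITER, not s.any()


def run_demo(seed=1):
    """Key generation, a random weight-t error, and decoding of its syndrome.
    Returns (decoded correctly, iterations used, initial syndrome weight)."""
    rng = np.random.default_rng(seed)
    h0, h1 = rand_vec(rng, R, D), rand_vec(rng, R, D)      # secret key blocks
    e = rand_vec(rng, 2 * R, T)
    s = mul(h0, e[:R]) ^ mul(h1, e[R:])
    e_hat, iters, ok = bit_flip(h0, h1, s)
    return bool(ok and np.array_equal(e_hat, e)), iters, int(s.sum())


if __name__ == "__main__":
    print(run_demo())
```

The number of iterations returned by `run_demo` (and, in a straightforward implementation, the number of flips per iteration) depends on the weight of the starting syndrome, which is why a decoder whose running time is not constant exposes that weight to a timing measurement.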
Variable Thresholds.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Eaton, E., Lequesne, M., Parent, A., Sendrier, N. (2018). QC-MDPC: A Timing Attack and a CCA2 KEM. In: Lange, T., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2018. Lecture Notes in Computer Science(), vol 10786. Springer, Cham. https://doi.org/10.1007/978-3-319-79063-3_3
DOI: https://doi.org/10.1007/978-3-319-79063-3_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-79062-6
Online ISBN: 978-3-319-79063-3