Post on 16-Aug-2020
Software implementation of McEliece McEliece encryption in practice McEliece in protocols Summary*
McEliece in practice
NATO Workshop on Secure Implementation of PQC
Secure implementation of post-quantum cryptography
SPS Project Number: 984520
O. Grošek, V. Hromada, Pavol Zajac
Institute of Computer Science and Mathematics
Slovak University of Technology
September 26, 2016
P. Zajac, UIM FEI STU McEliece in practice 1/22
Outline
• Software implementation of McEliece: BitPunch
• McEliece encryption in practice: CCA2 conversions; hybrid encryption
• McEliece in protocols
• Summary*
Software implementations
Various student projects:
• Main version of BitPunch: https://github.com/FrUh/BitPunch
• Crypto-box extension: https://github.com/n0whereman/cryptobox
• LDGM signatures based on BitPunch: https://github.com/schwarzwald/dp2015
• Other implementations:
  • Android McEliece messenger based on BouncyCastle
  • Standalone AVR QC-MDPC implementation
BitPunch
Standalone, modular C implementation of the McEliece cryptosystem, developed at UIM FEI STU
Side Channel Attacks resistance
• Original BitPunch: vulnerable to timing based reaction attack
Figure: timing measurements of the original BitPunch; t=50: mean=9849209, t=49: mean=9786155.
SCA countermeasures
• Resistance to Error Locator Polynomial attack:
  • Constant-time multiplication in finite field
  • Constant-time evaluation of polynomials
  • Evaluation of ELP ≈ 2.5 times slower
• Open problem: efficient constant time XGCD
• Open problem: cache timing effects
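As an added illustration of the two countermeasures listed above (example code, not BitPunch's own): a GF(2^m) multiplication that replaces per-bit branches and early loop exit with masks, and a Horner evaluation of an error locator polynomial that is always padded to the fixed degree t, so a ciphertext with fewer than t errors costs exactly as much to scan as one with t. The parameters m = 11 and t = 50 follow the slides; the reduction polynomial x^11 + x^2 + 1 and the sample error positions are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define GF_M    11     /* GF(2^11): the m = 11 parameter set from the slides */
#define GF_POLY 0x805u /* x^11 + x^2 + 1, reduction polynomial assumed for this example */
#define T_MAX   50     /* fixed ELP degree: always evaluate degree t, even with fewer errors */
/* Constant-time multiply: fixed GF_M iterations, bit tests replaced by masks. */
static uint16_t gf_mul_ct(uint16_t a, uint16_t b) {
    uint32_t r = 0, aa = a;
    for (int i = 0; i < GF_M; i++) {
        r ^= aa & (0u - ((b >> i) & 1u));              /* add a*x^i iff bit i of b is set */
        aa <<= 1;
        aa ^= GF_POLY & (0u - ((aa >> GF_M) & 1u));    /* reduce iff bit GF_M overflowed */
    }
    return (uint16_t)r;
}
/* Horner evaluation at a fixed degree: cost depends only on deg, not on x or on c. */
static uint16_t poly_eval_ct(const uint16_t *c, size_t deg, uint16_t x) {
    uint16_t acc = c[deg];
    for (size_t i = deg; i-- > 0;) acc = gf_mul_ct(acc, x) ^ c[i];
    return acc;
}
/* c[0..n] <- coefficients of prod_i (x + roots[i]); c must hold n + 1 entries. */
static void poly_from_roots(const uint16_t *roots, size_t n, uint16_t *c) {
    memset(c, 0, (n + 1) * sizeof c[0]);
    c[0] = 1;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j > 0; j--) c[j] = c[j - 1] ^ gf_mul_ct(roots[i], c[j]);
        c[0] = gf_mul_ct(roots[i], c[0]);
    }
}
/* Count roots over all of GF(2^m) without early exit or data-dependent branches. */
static size_t count_roots_ct(const uint16_t *c, size_t deg) {
    size_t n = 0;
    for (uint32_t x = 0; x < (1u << GF_M); x++) {
        uint32_t v = poly_eval_ct(c, deg, (uint16_t)x);
        n += 1u - ((v | (0u - v)) >> 31);             /* +1 iff v == 0 */
    }
    return n;
}
/* Constructed demo: three error positions, ELP padded with zero coefficients up to degree T_MAX. */
static size_t demo_padded_root_count(void) {
    uint16_t sigma[T_MAX + 1] = {0};
    const uint16_t roots[3] = {3, 7, 0x123};
    poly_from_roots(roots, 3, sigma);
    return count_roots_ct(sigma, T_MAX);
}
int main(void) { printf("roots found: %zu\n", demo_padded_root_count()); return 0; }
```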
SCA resistance
Figure: Evaluation of polynomials without (left) and with (right) countermeasures. Left: t=50 mean=3304830 std=254; t=49 mean=3239563 std=330. Right: t=50 mean=8923571 std=5912; t=49 mean=8923430 std=5797.
BitPunch extensions and modules
• Internal code choice: Goppa or QC-MDPC
• Experimental signatures (standalone): LDGM
• Cryptobox (standalone)
CCA2 security
Original McEliece is not secure:
• Known partial plaintext reduces computational costs
• Related-message / message-resend attack
• Reaction attack
• Message malleability
Solution: CCA2-secure conversion (padding)
Incorrect version of Pointcheval's conversion
• Potential problem with systematic public key G = (I|R)
• Original CCA2 conversion in BitPunch (from Shoufan et al. 2010):
  y1 || y2 || y3 || y4 || y5 =
  ke ⊕ e1 || hash(m||ki) ⊕ e2 || m̃ · R ⊕ e3 || m ⊕ hash(ke) || ki ⊕ hash(e)
• y1, y4: "symmetric" encryption
• y2, y5: integrity of ciphertext
• y3: McEliece encryption overhead
• ATTACK: only find errors in the y1 part, instead of y1||y2||y3.
• Security paradox: longer hashes lead to a weaker system.
Kobara-Imai conversion
Kobara-Imai conversion — streaming version
Hybrid encryption — KEM/DEM approach
Persichetti’s Hybrid version of Niederreiter encryption:
Hybrid encryption — Cryptobox version
Our proposal based on MECS:
Hybrid schemes comparison
Ciphertext length:
Persichetti (Niederreiter):  n − k + len(PT) + len(MAC)
Naive KEM/DEM McEliece:      n + len(PT) + len(MAC)
Our KEM/DEM McEliece:        n − k + max(len(PT) + len(MAC), k)
Security:
1. (CT|TAG) behaves as a random string,
2. (CT|TAG) can be verified only if e is found,
3. Reaction attacks: (CT|TAG) must always be verified, even if MECS decryption fails (potential side-channel).
Android messenger application
• MSc. thesis: A. Boledovic
• Secure messenger for Android with McEliece encryption
• Public keys are handled by a trusted server
• McEliece encryption (+ Kobara-Imai) is used to establish symmetric session keys
• Parameters: m = 11, t = 50 (140 kB PK, 90+ bit security)
• Uses development version of BouncyCastle (Java)
Android messenger — protocol
Modified Needham-Schroeder with forward secrecy
A: 1A Generate ephemeral key + encrypt; 2A 2× decrypt
B: 1B 1× decrypt; 2B 2× encrypt
Android messenger — performance
Note: Total time includes communication overhead
Android messenger — memory
Note: Key generation in BC uses multiple large matrices
Forward-secrecy protocol with BitPunch
Ephemeral keygen: 1.5 s; Enc/Dec: 0.050 s
Summary
• Basic McEliece decryption must be secured against timing attacks.
• A practical CCA2 conversion/padding scheme is required:
  • Hybrid encryption / crypto-box approach seems preferable,
  • Potential side-channels / security problems with padding scheme.
• "Protocol balance": encryption is significantly faster.
• Forward secrecy: even if protocol overhead is acceptable, ephemeral key generation is too slow.
Questions, comments?