codecode-code-based pkcs and their based pkcs and their ... · codecode-code-based pkcs and their...
TRANSCRIPT
CodeCode--Based PKCs And Their Based PKCs And Their CodeCode--Based PKCs And Their Based PKCs And Their ApplicationsApplicationsApplicationsApplications
K k i K bK k i K bKazukuni KobaraKazukuni Kobara
RCIS/AISTRCIS/AIST
ICITS 2009ICITS 2009ICITS 2009ICITS 2009No. 1
PKCs can be divided intoPKCs can be divided intoPKCs can be divided intoPKCs can be divided into
Integer Factoring Based Code BasedNumber Theoretic (Cyclic) Problem Combinatorial Problem
Integer Factoring BasedRSA[RSA78]Rabin[Ra79]
Code BasedMcEliece[Mc78]Niederreiter[Ni86][ ]
Okamoto-Uchiyama[OU98]Paillier[Pa99] S Paillier[CHGN01]
[ ]Lattice Based
NTRU[HS96]Ajt iD k[AD97]S-Paillier[CHGN01]
…Discrete Logarithm Based
AjtaiDwork[AD97]Goldreich-Goldwasser-Halevi [GGH97]g
Diffie-Hellman[DH77]ElGamal[El84]ECC[Mi85][K 87]
Ajtai[Ajt05]Regev[Reg03,Reg05]Peikert[Pei09]ECC[Mi85][Ko87]
XTR[LV00]Cramer-Shoup[CS03]
Peikert[Pei09]…
Subset Sum Basedp[ ]Kurosawa-Desmedt[KD04]…
Okamoto-Tanaka-Uchiyama[OTU00]
No. 2
Cyclic Cyclic Problem:Problem:Integer Factoring (IF)Integer Factoring (IF)
Cyclic Cyclic Problem:Problem:Integer Factoring (IF)Integer Factoring (IF)Integer Factoring (IF)Integer Factoring (IF)Integer Factoring (IF)Integer Factoring (IF)
Given a positive integer n find its prime Given a positive integer n, find its prime factor pi
Equivalent to finding r s.t. gr≡1 (mod n)for a g of GCD(g,n)=1 and g≡±1 (mod n)
Since GCD(gr/2-1,n) or GCD(gr/2+1,n) is pii
gi mod n IF This cycle can be determined in poly time
i
g mod n determined in poly time with 1D-QFT, a.k.a. Shor’s quantum algorithm.
r r ri
No. 3QFT : Quantum Fourier Transform
Cyclic Cyclic Problem:Problem:DiscreteDiscrete Log (DL)Log (DL)Cyclic Cyclic Problem:Problem:
DiscreteDiscrete Log (DL)Log (DL)DiscreteDiscrete--Log (DL) Log (DL) DiscreteDiscrete--Log (DL) Log (DL)
Given p, g and y, find r s.t. pgx r mod ≡p, g y,p: prime, g: generator of Zp*, x a member of Zp* except 1, p-1.p
Equivalent to finding a0, a1, b0 and b1 s.t. pgxgx baba mod1100 ≡
Since p mod )()()( 100101 bbaaraa ggx −−− ≡≡)( bb −
pgg
a 1-pmod)()(
01
10
aabbr
−≡a
a0
DL
xagbmod p
0
a1
This inclination can be determined in poly time
h 2 Q k Sh ’No. 4
-b
g p1
b0 b1
with 2D-QFT, a.k.a. Shor’s quantum algorithm.
Lesson to learnLesson to learnLesson to learnLesson to learn
If a problem is written in the form If a problem is written in the form of determining a cycle, o de e g a cyc e, Then it can be solved in polynomial time using a quantum computer.
No. 5
Combinatorial ProblemsCombinatorial ProblemsCombinatorial ProblemsCombinatorial Problems
A set of vectorsfindNote: Underlying security d d l h tA set of vectors
or scalarsfind depends also on how to
make the trapdoor
00010000100100100r1, r2, r3… ri, -1r1, r2, r3… ri, -1 =
public-key A ithmeticpublic key Arithmetic Unit
ConditionCondition
ciphertextciphertext
givenNo. 6
Code Based: Code Based: McElieceMcElieceCode Based: Code Based: McElieceMcEliece
PK is a kxn generator matrix ofPlaintextfind PK is a kxn generator matrix of a linear code over GF(q) , usually q=2
Plaintextfind
00010000100100100=
public-key wt() <=t
r1, r2, r3… ri, -1r1, r2, r3… ri, -1
public key
GF(q)
()
Condition
ciphertextciphertext
givenNo. 7
wt(): Hamming weight (# of non zeros)
Code Based: Code Based: NiederreiterNiederreiterCode Based: Code Based: NiederreiterNiederreiter
PK is a nx(n-k) parity check Plaintextfindmatrix of a linear code over GF(q), usually q=2
Plaintextfind
00000000000000000=
public-key All Zerowt(r) <=t1 2 3 ir1, r2, r3… ri, -1
public key
GF(q)},,,{ 21 irrrr L∈
Condition
ciphertextciphertextCondition
givenNo. 8
Lattice Based: NTRU Lattice Based: NTRU Lattice Based: NTRU Lattice Based: NTRU
find PK is a n dimensional Plaintextfind PK is a n dimensional cyclic vector over Zq , q=2048 etc.
Plaintext
00100-100100-10000=
public-key
1 2 3 ir1, r2, r3… ri, -1
},1,0,1{−∈ir dwt()}101{ =−∈mpublic key
Zqrdwt()
},,,{=
i mdwt()},1,0,1{ =∈im
ConditionciphertextciphertextCondition
givenNo. 9
Lattice Based: Lattice Based: RegevRegevLattice Based: Lattice Based: RegevRegev
find PlaintextPK is a (u+v)x(n+v) matrix
finduxv parity-with-noise Axs+E
uxn random binary matrix A
0000000000=r1, r2,…,ri, m1, …,mv, -1
All Zerot( )}10{ qA
Zq
Axs+E2 wt(r)},1,0{, qmr ii <∈
Condition0000000000000 0 00000000000000 002
q
2q
ciphertextciphertextCondition 0000000000000 00
0000000000000 0 02
2q
givenNo. 10
Subset Sum Problem: Subset Sum Problem: OTUOTU
Subset Sum Problem: Subset Sum Problem: OTUOTUOTUOTUOTUOTU
PK is a set of n positivePlaintextfind PK is a set of n positive integers
Plaintextfind
0=
public-key Zero
1 2 3 ir1, r2, r3… ri, -1
kr =∈ wt(r)}10{ public key
Zkri =∈ wt(r)},1,0{
Condition
ciphertextciphertextCondition
givenNo. 11
So far it is not knownSo far it is not knownSo far it is not knownSo far it is not known
To reduce combinatorial problems to a To reduce combinatorial problems to a cyclic problemThe best attack on combinatorial problem is:p
Grover’s algorithmG ’ l ith dGrover’s algorithm can reduce
Running time to but it is still statesexponential to its input size
No. 12
Advantages of Advantages of Combinatorial BasedCombinatorial Based
Advantages of Advantages of Combinatorial BasedCombinatorial BasedCombinatorial BasedCombinatorial BasedCombinatorial BasedCombinatorial Based
Quantum Tolerant: Quantum Tolerant: No polynomial time algorithm is known so f t tfar even on quantum computers
Arithmetic unit is small:for encryption (and signature verification)Usually xors or additions in a small Usually xors or additions in a small Field/RingTh hi hl ll li blThey are highly parallelizableNo heavy multi-precision modular exponentiation
No. 13
Advantages of CodeAdvantages of Code--BasedBased
Advantages of CodeAdvantages of Code--BasedBasedBasedBasedBasedBased
I f ti R ti iInformation Ratio, i.e.( )SizePlaintest
is better( )( )Size Ciphertext
Arithmetic unit is smaller:e c u s s a e :for encryption and signature verificationUsually xorsUsually xors
=> Suitable for low computational power or
No. 14
=> Suitable for low computational power or Ubiquitous devices
History of CodeHistory of Code--Based Based PKEsPKEs
History of CodeHistory of Code--Based Based PKEsPKEsPKEsPKEsPKEsPKEs
1978: McEliece 1977: RSA1977 Hiffie-Hellman
Code-based
1985: ECC2000: Error expansion/hold [Loi00]
Number Theoretic
1986: NiederreiterHellman 1985: ECC
Attack on Attack on small cardinality including BCH [LS01]
1991: GPT PKC [GPT91] (rank code)
hem
Attack [KI03]
GRS [SS92]Goppa code (more generally alternant code) with large cardinality
including BCH [LS01]
Att k LDPCome
of t
hn
atta
cks
Attack on sparse S [MRS00]
2001: IND-CCA2 Conv. in RO [KI02]
LDPC
Attack on
Attack on LDPC in general
whe
re s
ore
actio
n
2005: Quasi-CyclicBCH subcode 2007: QC-
2009 Q asi
2005: with GRS subcode [BL05] 2009: Quasi-
Cyclic alternant
subfield P [Ove05]
atta
cks
witi
cal l
ike
Attack
[Gab05] Q
LDPC [BC07]
2009: Quasi-Dyadic [MB09]Attack on GRS
subcode
[ ]
Attack on small
Cyclic alternant code [BCG+09] 2008: ext field
P [Gab08]
Large extension
A lo
t of
w
ere
cri Attack
on QC[OTD08]
No. 15
[Wie06] [Wie09]
Attack on small extension degrees [UL09]
Large extension degree Idea can be
applied to
How to see the historyHow to see the historyHow to see the historyHow to see the history
Green Letters: Underlying Liner CodeGreen Letters: Underlying Liner Code
: Attack
: Already Broken
N t Y t B k : Not Yet Broken (as far as I know as of Dec. 2009)( )
No. 16
History of Non PKE History of Non PKE CodeCode Based PrimitivesBased Primitives
History of Non PKE History of Non PKE CodeCode Based PrimitivesBased PrimitivesCodeCode--Based PrimitivesBased PrimitivesCodeCode--Based PrimitivesBased Primitives
1994: ZKIP (as well as Digital ZKIP: Zero Knowledge Interactive ProofOT: Oblivious Transfer( g
Signature applying Fiat-Shamir heuristic) (random code) [Ste94]
2001 Di it lPublic matrix can be compressed by generating
OT: Oblivious Transfer
2005: Hash
2001: Digital Signature (Goppa) [CFS01]
compressed by generating it from a random seed
Function (random code) [AFS05]Bleichenbacher’s
attack [Ble06] 2007: Light Weight Unlinkable-ID for [ ] g gRFID (Goppa) [SKI06][CKM+07]
2008: Bit (1,2)-OT(Goppa) [DGQ+08]
2008: String (1,2)-OT (Goppa) [KMO08]
(Goppa) [DGQ+08]
With appropriate parameter choice [FS09]
No. 17
parameter choice [FS09]
Construction of CodeConstruction of Code--Based Based Construction of CodeConstruction of Code--Based Based PKCsPKCsPKCsPKCs
No. 18
Keys for Keys for McElieceMcEliece PKEPKEKeys for Keys for McElieceMcEliece PKEPKE
Secret key Random Permutation Matrixy
Pn
Non-Singular MatrixP
GS k
Generator matrix of ECCwhich can correct up to t-error symbols
Public key
which can correct up to t error symbols
Public key
G’ G’’I
May be systematic if an appropriate IND-CC 2CCA2 conversion is applied
No. 19
Encryption of Encryption of Primitive Primitive M EliM Eli PKEPKE
Encryption of Encryption of Primitive Primitive M EliM Eli PKEPKEMcElieceMcEliece PKEPKEMcElieceMcEliece PKEPKE
C=MG’+ZZ
C=MG +Z Random vector with weight t
(0,1,0,0,1,0, ... 0,0,1,0)
MG’
CPlaintext is a k dimensional vector Ciphertext
M
MGdimensional vector over GF(2)
Ciphertext
M
G’
No. 20
Decryption of Decryption of Primitive Primitive M EliM Eli PKEPKE
Decryption of Decryption of Primitive Primitive M EliM Eli PKEPKEMcElieceMcEliece PKEPKEMcElieceMcEliece PKEPKE
1. CP-1=MSG+ZP-11P-1
C
2. Correct the t-error bits using error-C
correction algorithm and obtain MS3 M=MS S-13. M=MS S
S-1MS MMS M
No. 21
Keys for Keys for NiederreiterNiederreiterPKEPKE
Keys for Keys for NiederreiterNiederreiterPKEPKEPKEPKEPKEPKE
Secret key n-kyRandom Permutation
Non-Singular MatrixP H
S
nPermutation Matrix
Matrix
Parity check matrix of ECCwhich can correct up to t-error symbols
Public key
which can correct up to t error symbols
IPublic key IMay be systematic if an appropriate IND-CC 2
H’H’’CCA2 conversion
is applied No. 22
Encryption of Encryption of Primitive Primitive Ni d itNi d it PKEPKE
Encryption of Encryption of Primitive Primitive Ni d itNi d it PKEPKENiederreiterNiederreiter PKEPKENiederreiterNiederreiter PKEPKE
C=ZH’C=ZH
Plainstext is an n dimensional
Z C
vector of weight t Ciphertext
ZZH’C
(0,1,0,0,1,0, ... 0,0,1,0) =H’
No. 23
Decryption of Decryption of Primitive Primitive Ni d itNi d it PKEPKE
Decryption of Decryption of Primitive Primitive Ni d itNi d it PKEPKENiederreiterNiederreiter PKEPKENiederreiterNiederreiter PKEPKE
1 CS 1 ZH’S 1 ZPH SS 1 (ZP)H1. CS-1=ZH’S-1=ZPH SS-1=(ZP)HS-1
C2. Correct the t-error bits using error-correction algorithm and obtain ZP
C
correction algorithm and obtain ZP3. Z=ZP P-1
ZP Z
P-1
No. 24
UnfortunatelyUnfortunatelyUnfortunatelyUnfortunately
Due to the simple structure of a linear Due to the simple structure of a linear code, a lot of practical attacks are kknown
This is the reason why some people still think that code-based PKEs have already been broken
Ex )Ex.)Reaction attack can decrypt a given
i h t t i O(k)ciphertext in O(k).No. 25
Reaction Reaction Attack Attack on on McElieceMcEliece PKCPKC
Reaction Reaction Attack Attack on on McElieceMcEliece PKCPKCMcElieceMcEliece PKCPKCMcElieceMcEliece PKCPKC
Flip one bit of the given ciphertext Flip one bit of the given ciphertext Let the receiver decrypt itIf its reaction is normal, error is within the error correction bounderror correction bound.
1 Receiver (decryption
l )
0 1 1 0 0 0 1 0 1 0 1 1 0 1C=
oracle)
0 1 1 0 0 0 1 0 1 0 1 1 0 1C=
ReactionGiven ciphertext Reaction
CountermeasuresCountermeasuresCountermeasuresCountermeasures
Attacks Attacks Using decryption oracles Against indistinguishability or non-malleability
Can be prevented applying an “appropriate” conversion schemeappropriate conversion scheme
Naïve application sometimes does not workwork
No. 27
NaNaïïve application of ve application of OAEP is vulnerableOAEP is vulnerableNaNaïïve application of ve application of OAEP is vulnerableOAEP is vulnerableOAEP is vulnerable OAEP is vulnerable OAEP is vulnerable OAEP is vulnerable
mm Const
GRandom Plaintext
r
Gen
Ha
Number PlaintextOAEP module
ash
y1
yy2
y3
G’
Primitive
cc
PrimitiveMcEliece PKCz
Ciphertext
No. 28
Slight Modification Makes it Slight Modification Makes it Provably Secure and CompactProvably Secure and Compact
Slight Modification Makes it Slight Modification Makes it Provably Secure and CompactProvably Secure and CompactProvably Secure and CompactProvably Secure and CompactProvably Secure and CompactProvably Secure and Compact
m Constr Encryptionm Const
Gen
Random Number Plaintext
r yp
Hash
OAEP module
y1
y5 y3y4
G’
y2
G’
Conv PrimitiveMcEliece PKCz
ccCiphertext
y5y5
)) and swappingby )()((or ))()(((and ))()()()((
434131
3412
yyyLenyLenyLenyLenyLenyLenyLenyLen
≥≥+≥+ must hold
No. 29
Decryption of Decryption of ConversionConversion
Decryption of Decryption of ConversionConversionConversion Conversion Conversion Conversion
mm
Ge
Plaintext Const=?
Error messages between thisOAEP
enH
as
Error messages between this integrity check and undecodable error must be indistinguishable.
OAEP module
sh
y1
y5 y3y4
y2
indistinguishable.(Implementation must take care this!!)
y5 y3y4
G’
Conv Primitive
cch
McEliece PKCz
y5y5
Ciphertext
No. 30
In The Case of In The Case of NiederreiterNiederreiter
In The Case of In The Case of NiederreiterNiederreiterNiederreiterNiederreiterNiederreiterNiederreiter
Make the ciphertext most compact and Make the ciphertext most compact and provably secure in the RO
OAEP+ for short plaintextOAEP+ for short plaintextOAEP++ for long plaintext f b t tt kNo proof but no attackOAEPSAEP+
Insecure (since Niederreiter primitive is Insecure (since Niederreiter primitive is position-wise malleable)
SAEP SAEP No. 31
Provable Security in the Provable Security in the Standard ModelStandard Model
Provable Security in the Provable Security in the Standard ModelStandard ModelStandard ModelStandard ModelStandard ModelStandard Model
2007: IND-CPA in the standard model [NIK+07]2008: IND-CCA2 in the standard model 2008: IND CCA2 in the standard model [DQN08]
IND: Indistinguishability
No. 32
CPA: Chosen Plaintext AttackCCA2: Adaptive Chosen Ciphertext Attack
Secure Constructions Secure Constructions are Availableare Available
Secure Constructions Secure Constructions are Availableare Availableare Availableare Availableare Availableare Available
As long as the primitive As long as the primitive McEliece/Niederreiter PKC satisfies OW-CPACPAParameters meeting OW-CPA against g gmost powerful attacks ISD and GBA are estimated in [FS09]estimated in [FS09]
OW-CPA: One-Wayness against Chosen Plaintext Attack
No. 33
ISD: Information Set DecodingGBA: Generalized Birthday Attack
Parameters for PKEParameters for PKEParameters for PKEParameters for PKE
m t Binary work PK size Plaintext /Ciphertext sizem t Binary work factor
PK size (KB)
Plaintext /Ciphertext sizeMcEliece Niederreiter
11 32 286 8 72 9KB 1696/2048 bit 233/352bit11 32 286.8 72.9KB 1696/2048 bits 233/352bits12 41 2128.5 216.5KB 3604/4096 bits 327/492bits
Public-key size isPublic key size is large compared to Number Theoretic
No. 34
Number Theoretic ones.
Parameters for Digital Parameters for Digital SignatureSignature
Parameters for Digital Parameters for Digital SignatureSignatureSignatureSignatureSignatureSignature
m t Binary PK size Iteration Signature Size ywork factor
(KB) *1g
*2,*3
22 9 281.7 101,371KB 218.5 198~216.5 bits15 12 281.5 716.0KB 228.8 180~208.8 bits
14 13 280.7 360.0KB 232.5 182~214.5 bits13 14 280.0 178 0KB 236.4 182~218 4 bits13 14 2 178.0KB 2 182 218.4 bits12 15 288.2 86.0KB 240.3 180~220.3 bits
*1: affects the signing cost*2: Signature size depends on how to express the error pattern and it affects the verification speed
No. 35
verification speed.*3: Signature size can be reduced further by removing some error positions while increasing the verification cost further [CFS01]
How to Reduce PublicHow to Reduce Public--Key SizeKey Size
How to Reduce PublicHow to Reduce Public--Key SizeKey SizeKey SizeKey SizeKey SizeKey Size
Increase the error correction capabilityIncrease the error correction capabilityCapacity Approaching Codes
LDPC QC-LDPCLDPC, QC-LDPCList Decoding
corrects only a couple of more errors for corrects only a couple of more errors for practical parameters while increasing the decoding complexity
Compress the public-keyQuasi-CyclicQuasi CyclicQuasi-Dyadic
Small extension degreeSmall extension degreeLarge extension degree
No. 36
Attack on LDPC CodesAttack on LDPC CodesAttack on LDPC CodesAttack on LDPC Codes
Exploits the fact the density of the secret matrix low.
H’THT: Parity Check Matri of LDPC S=
Exploits the fact the density of the secret matrix low.
H’T Matrix of LDPC code
S=P
Thi b hidd ith S d P b t bThis may be hidden with S and P but can be recovered.
Let
H1 H2
HT: Parity Check Matrix of LDPC
code =
No. 37
code
Attack on LDPC CodesAttack on LDPC CodesAttack on LDPC CodesAttack on LDPC Codes
1. Make H’ systematic
H’TI H’’T S1=2. Multiply a low density vector h1 , and check if the density of h2 is low.
I H’’T H1 H2=H1
h2 is low.h1 h1 h2?
Since # of candidates C(n-k,w) where w is the Hamming i h f h ( d l h ibili f b i h lweight of h1 (and also the possibility of being another low
density matrix is negligible), H can be recovered.
No. 38
If one uses this direction, they must find a good code of Middle Density (we call MDPC).
List DecodingList DecodingList DecodingList Decoding
Exhaustive Search ⎟⎟⎞
⎜⎜⎛
⎟⎟⎞
⎜⎜⎛n
Exhaustive SearchCorrect any t’ more errors but with th l it ⎟⎟
⎟⎟
⎜⎜⎜⎜
⎟⎟⎠
⎞⎜⎜⎝
⎛ +
⎟⎟⎠
⎜⎜⎝
''
'tt
tO
the complexity '' '1' tt nt
ntn
⎟⎞
⎜⎛≥
⎟⎟⎠
⎞⎜⎜⎝
⎛
≥⎟⎞
⎜⎛ +−
⎟⎠
⎜⎝
⎟⎠
⎜⎝ 't
Bernstein’s List Decoding [Ber08]
''
'1 ttt
ttt⎟⎠
⎜⎝ +
≥
⎟⎟⎠
⎞⎜⎜⎝
⎛ +≥⎟
⎠⎜⎝ +t+t’ errors in the n coordinates
Bernstein’s List Decoding [Ber08]t’ more errors in poly time where
⎟⎞
⎜⎛ ⎞⎛
−−−−=
)1(2)1(2
)22('
rr
ttnnntmm rknt
nm
m
)1(2)(2
−−
=
No. 39
⎟⎟⎠
⎞⎜⎜⎝
⎛−⎟⎟⎠
⎞⎜⎜⎝
⎛ −−−
−−= 2)1(2222)1(22
mr
mr mmm
mmt )()(
==
# of extra # of extra errorerror correctable bitscorrectable bits
# of extra # of extra errorerror correctable bitscorrectable bitserrorerror--correctable bitscorrectable bitserrorerror--correctable bitscorrectable bits
Extra error correction bits Extra error correction bits
5 Recommende 3
4
Recommended parameters for PKEs Recommended
2
m2
3 parameters for Digital Signatures
1
1
2 Signatures
No. 40
r=k/n r=k/n
How to Reduce PublicHow to Reduce Public--Key SizeKey Size
How to Reduce PublicHow to Reduce Public--Key SizeKey SizeKey SizeKey SizeKey SizeKey Size
Increase the error correction capabilityIncrease the error correction capabilityCapacity Approaching Codes
LDPC QC-LDPCLDPC, QC-LDPCList Decoding
corrects only a couple of more errors for corrects only a couple of more errors for practical parameters while increasing the decoding complexity
Compress the public-keyQuasi-CyclicQuasi CyclicQuasi-Dyadic
Small extension degreeSmall extension degreeLarge extension degree
No. 41
Dyadic MatrixDyadic MatrixDyadic MatrixDyadic Matrix
⎤⎡ ⎤⎡⎤⎡⎥⎤
⎢⎡
⎥⎤
⎢⎡
⎥⎤
⎢⎡ DCBA
⎤⎡ β⎥⎥⎥
⎢⎢⎢
⎤⎡⎤⎡
⎥⎦
⎢⎣
⎥⎦
⎢⎣
BADCCDAB
⎥⎦
⎤⎢⎣
⎡β
βα=
⎥⎥
⎦⎢⎢
⎣⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡ABBA
CDDC⎥
⎦⎢⎣ αβ
⎦⎣⎥⎦
⎢⎣
⎥⎦
⎢⎣ ABCD
No. 42
Advantage of Advantage of Dyadic MatrixDyadic MatrixAdvantage of Advantage of Dyadic MatrixDyadic MatrixDyadic MatrixDyadic MatrixDyadic MatrixDyadic Matrix
⎥⎤
⎢⎡ ⎤⎡⎤⎡ DCBA A B C D
⎥⎥
⎢⎢ ⎥
⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡CDAB
⎥⎥⎥
⎢⎢⎢
⎥⎤
⎢⎡
⎥⎤
⎢⎡
⎦⎣⎦⎣BADC
⎥⎦
⎢⎣
⎥⎦
⎢⎣
⎥⎦
⎢⎣ ABCD
No. 43
Dyadic Matrix and Dyadic Matrix and GoppaGoppa CodesCodes
Dyadic Matrix and Dyadic Matrix and GoppaGoppa CodesCodesGoppaGoppa CodesCodesGoppaGoppa CodesCodes
have an intersection over the extension field of GF(2)
Goppa Codes(M ll
Public-Key (More generally,
Alternant Code with large cardinality)
Dyadic Matrix can be compressed!! large cardinality)ed!!
No. 44
GoppaGoppa Codes and Codes and Cauchy MatrixCauchy Matrix
GoppaGoppa Codes and Codes and Cauchy MatrixCauchy MatrixCauchy MatrixCauchy MatrixCauchy MatrixCauchy Matrix
Binary Goppa code is the set of ally pp
1n−( ) n
n GFcccc )2(110 ∈= −L s.t.
)(mod0)(1
0Xg
LXcXS
n
i i
ie ≡
−≡∑
=
⎤⎡
If distinct are and where)()( 1
0 jit
i i LzxzXg ∏−
=−=
it can be written
111
111
0101000⎥⎤
⎢⎡⎥⎥⎥⎤
⎢⎢⎢⎡
−−− −n cLzLzLzL
0111
)( 1
111101=
⎥⎥⎥⎥
⎢⎢⎢⎢
⎥⎥⎥⎥
⎢⎢⎢⎢
−−−=−n
T cLzLzLzcH
MMOMM
L
No. 45
111 1
111101
⎥⎦
⎢⎣⎥⎥⎥
⎦⎢⎢⎢
⎣ −−−−
−−−−
n
nttt
cLzLzLz
L
To Make It Dyadic To Make It Dyadic (more generic than [MB09])(more generic than [MB09])
To Make It Dyadic To Make It Dyadic (more generic than [MB09])(more generic than [MB09])
2δ⊕
(more generic than [MB09])(more generic than [MB09])(more generic than [MB09])(more generic than [MB09])
3δ⊕ 2δ⊕can be applied
to either of a δ⊕
2δ⊕
δ⊕1δ⊕
⎥⎤
⎢⎡
⎥⎤
⎢⎡
⎥⎤
⎢⎡
⎥⎤
⎢⎡
⎥⎤
⎢⎡
⎥⎤
⎢⎡
⎥⎤
⎢⎡ 11111111
LLLLLLLL
3
1δ⊕ 1δ⊕ 1δ⊕2δ⊕numerator, a
denominator or a fraction
1δ⊕
⎥⎥⎥⎥⎥⎥
⎢⎢⎢⎢⎢⎢
⎥⎥⎥⎥⎥⎥
⎢⎢⎢⎢⎢⎢
⎤⎡⎤⎡⎥⎥⎥⎥
⎦⎢⎢⎢⎢
⎣ −−
−−
⎥⎥⎥⎥
⎦⎢⎢⎢⎢
⎣ −−
−−
⎥⎥⎥⎥⎥⎥
⎢⎢⎢⎢⎢⎢
⎤⎡⎤⎡⎥⎥⎥⎥
⎦⎢⎢⎢⎢
⎣ −−
−−
⎥⎥⎥⎥
⎦⎢⎢⎢⎢
⎣ −−
−−
7161
7060
5141
5040
3121
3020
1101
1000
1111
1111
1111
1111LzLz
LzLz
LzLz
LzLz
LzLz
LzLz
LzLz
LzLz
2δ⊕
1δ⊕⎥⎥⎥⎥⎥
⎢⎢⎢⎢⎢
⎥⎥⎥⎥⎥
⎦⎢⎢⎢⎢⎢
⎣ ⎥⎥⎥⎥
⎦
⎤
⎢⎢⎢⎢
⎣
⎡
−−
−−
⎥⎥⎥⎥
⎦
⎤
⎢⎢⎢⎢
⎣
⎡
−−
−−
⎥⎥⎥⎥⎥
⎦⎢⎢⎢⎢⎢
⎣ ⎥⎥⎥⎥
⎦
⎤
⎢⎢⎢⎢
⎣
⎡
−−
−−
⎥⎥⎥⎥
⎦
⎤
⎢⎢⎢⎢
⎣
⎡
−−
−−
7363
7262
5343
5242
3323
3222
1303
120211
11
11
11
11
11
11
11
LzLz
LzLz
LzLz
LzLz
LzLz
LzLz
LzLz
LzLz
3δ⊕
1δ⊕ ⎥⎥⎥⎥⎥⎥
⎢⎢⎢⎢⎢⎢
⎥⎥⎥⎤
⎢⎢⎢⎡
⎥⎥⎥⎤
⎢⎢⎢⎡
−−
⎥⎥⎥⎤
⎢⎢⎢⎡
−−⎥⎥⎥⎤
⎢⎢⎢⎡
⎥⎥⎥⎤
⎢⎢⎢⎡
−−
⎥⎥⎥⎤
⎢⎢⎢⎡
−−
⎥⎦⎢⎣ ⎥⎦⎢⎣⎥⎦⎢⎣⎥⎦⎢⎣ ⎥⎦⎢⎣⎥⎦⎢⎣
7464544434241404
7363534333231303
11
11
11
11
11
11
11
11LzLzLzLzLzLzLzLz
LzLzLzLzLzLzLzLz3δ⊕
1
δ⊕ ⎥⎥⎥⎥⎥
⎢⎢⎢⎢⎢
⎥⎥⎥⎥⎥⎥
⎢⎢⎢⎢⎢⎢
⎥⎥⎤
⎢⎢⎡
−−⎥⎥⎤
⎢⎢⎡
−−
⎥⎥⎦⎢
⎢⎣ −−⎥
⎥⎦⎢
⎢⎣ −−
⎥⎥⎥⎥⎥⎥
⎢⎢⎢⎢⎢⎢
⎥⎥⎤
⎢⎢⎡
−−⎥⎥⎤
⎢⎢⎡
−−
⎥⎥⎦⎢
⎢⎣ −−⎥
⎥⎦⎢
⎢⎣ −−
76665646
75655545
36261606
35251505
11111111LzLzLzLz
LzLzLzLz
LzLzLzLz
LzLzLzLz2δ⊕
1δ⊕No. 46
⎥⎥⎥
⎦⎢⎢⎢
⎣ ⎥⎥⎥
⎦⎢⎢⎢
⎣ ⎥⎥⎥
⎦⎢⎢⎢
⎣ −−⎥⎥⎥
⎦⎢⎢⎢
⎣ −−⎥⎥⎥
⎦⎢⎢⎢
⎣ ⎥⎥⎥
⎦⎢⎢⎢
⎣ −−⎥⎥⎥
⎦⎢⎢⎢
⎣ −− 7767
7666
5747
5646
3727
3626
1707
160611111111
LzLzLzLzLzLzLzLz
[MB09] generates a large full [MB09] generates a large full Dyadic block then picks upDyadic block then picks up
[MB09] generates a large full [MB09] generates a large full Dyadic block then picks upDyadic block then picks upDyadic block then picks upDyadic block then picks upDyadic block then picks upDyadic block then picks up
We propose to generate a small full Dyadic We propose to generate a small full Dyadic block and then generate other full Dyadic blocks by introducing (we call it outer Δ⊕blocks by introducing (we call it outer delta)
Whereas we call inner delta (since it
Δ⊕
δ⊕Whereas we call inner delta (since it defines the inner structure of a full Dyadic block
δ⊕
1Δ⊕ 2Δ⊕ 3Δ⊕
⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡D diFull
D diFull
D diFull
D diFull
No. 47
⎥⎦
⎢⎣
⎥⎦
⎢⎣
⎥⎦
⎢⎣
⎥⎦
⎢⎣
⎥⎦
⎢⎣ DyadicDyadicDyadicDyadic
AdvantagesAdvantages
C t th t D di t i Can generate the txn Dyadic matrix more flexibly,
N=2m can be closer to n+tCan remove the block-wise Can remove the block-wise permutation and removal in key generationgeneration
Since they are already included by the parameter choice of Δ⊕
No. 48
RemarkRemark
Block-Wise Permutation is the same as changing Δj’s appropriately.Removal of one block is the same as Removal of one block is the same as reducing the number of blocks by one
d th h i Δ ’ i t land then changing Δj’s appropriately
1Δ⊕ 2Δ⊕ 3Δ⊕
⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡D diFull
D diFull
D diFull
D diFull
No. 49
⎥⎦
⎢⎣
⎥⎦
⎢⎣
⎥⎦
⎢⎣
⎥⎦
⎢⎣
⎥⎦
⎢⎣ DyadicDyadicDyadicDyadic
By applying By applying t th d i tt th d i t
By applying By applying t th d i tt th d i t
Δ⊕⊕ and δto the denominatorsto the denominatorsto the denominatorsto the denominators
txn Dyadic matrix can be obtained withtxn Dyadic matrix can be obtained with101 δ⊕=zz 202 δ⊕=zz 210123 δδδ ⊕⊕=⊕= zzz
101 δ⊕=LL 202 δ⊕=LL 210223 δδδ ⊕⊕=⊕= LLL
h 10 Δ⊕=LLt jtj LL Δ⊕=× 0
where )2(,,,,, 1)/(21log2100 2
mtnt GFLz ∈ΔΔΔ −LLδδδ
are chosen at random while making all the
1)/(21log2100 2 tnt
njLtiz <≤<≤ 0forand0forthe distinct. No. 50
njLtiz ji <≤<≤ 0for and0for
Shuffle While Keeping Shuffle While Keeping Dyadic StructureDyadic Structure
Shuffle While Keeping Shuffle While Keeping Dyadic StructureDyadic StructureDyadic StructureDyadic StructureDyadic StructureDyadic Structure
With Column Block Wise Scalar With Column-Block-Wise Scalar Multiplication
[ ][ ] ⎥
⎥⎤
⎢⎢⎡
⎥⎤
⎢⎡ ⎤⎡⎤⎡⎤⎡ 1
01
FullFullFull p[ ]
[ ]⎥⎥⎥
⎦⎢⎢⎢
⎣
⎥⎦
⎢⎣
⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡ 1
0DyadicDyadicDyadicp
pO
L
[ ]⎥⎦⎢⎣ −1bp
ntnb =}0{\)( m
i qGFp ∈where and
No. 51
GF(GF(qqmm) to GF(q)) to GF(q)GF(GF(qqmm) to GF(q)) to GF(q)
)(qGFA m∈γ theis}{ γγγ L
)()(,
qGFaqGFA
i
i
∈∈γ
)(ofbasis dual
theis},{ 1-m21mqGF
γγγ
⎥⎤
⎢⎡
⎥⎤
⎢⎡ )( 00 Atra γ
)(qi )(q
⎥⎥⎤
⎢⎢⎡
=⎥⎥⎤
⎢⎢⎡
=)()(
1
0
1
0
AtraA
γγ
⎥⎥⎥
⎢⎢⎢=
⎥⎥⎥
⎢⎢⎢=A
MM⎥⎦
⎢⎣
⎥⎦
⎢⎣ −− )( 11 Atra mm γ
No. 52 )(
12 −
++++=mqqq AAAAAtr L
GF(GF(qqmm) to GF(q)) to GF(q)GF(GF(qqmm) to GF(q)) to GF(q)
⎤⎡ ⎤⎡⎤⎡ 00 ba
⎥⎥⎤
⎢⎢⎡
⎥⎥⎤
⎢⎢⎡
⎥⎥⎤
⎢⎢⎡ 00 ba
MM
⎥⎥⎥
⎢⎢⎢
⎤⎡⎤⎡⎥⎥⎦⎢
⎢⎣⎥
⎥⎦⎢
⎢⎣=⎥
⎤⎢⎡ −− 11 mm
bbaBA
⎥⎤
⎢⎡
⎥⎤
⎢⎡ 00 ba
⎥⎥⎥
⎢⎢⎢
⎥⎥⎤
⎢⎢⎡
⎥⎥⎤
⎢⎢⎡⎥
⎦⎢⎣ 00 abAB
MM ⎥⎥⎥
⎢⎢⎢ ⎥
⎦⎢⎣ 00 ab
M⎥⎥⎥
⎦⎢⎢⎢
⎣ ⎥⎥⎦⎢
⎢⎣⎥
⎥⎦⎢
⎢⎣ −− 11 mm ab
MM
⎥⎥
⎢⎢
⎤⎡ 11 baM
⎥⎦⎢⎣ ⎦⎣⎦⎣ 11 mm
⎥⎥⎥
⎦⎢⎢⎢
⎣⎥⎦
⎤⎢⎣
⎡ −−
11
11 mm
abba
No. 53
⎥⎦⎢⎣ ⎦⎣ −− 11 mm ab
Shuffle While Keeping Shuffle While Keeping Dyadic StructureDyadic Structure
Shuffle While Keeping Shuffle While Keeping Dyadic StructureDyadic StructureDyadic StructureDyadic StructureDyadic StructureDyadic Structure
Multiplication of a Random Dyadic Matrix
F llF llF llF ll ⎤⎡ ⎤⎡⎤⎡⎤⎡⎤⎡⎤⎡ ⎤⎡⎤⎡
Multiplication of a Random Dyadic Matrix
DyadicFull
DyadicFull
DyadicFull
DyadicFull
R dR dDyadicRandom
DyadicRandom
⎥⎥⎥⎤
⎢⎢⎢⎡
⎤⎡⎤⎡⎤⎡⎤⎡
⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡
⎥⎥⎥⎤
⎢⎢⎢⎡
⎤⎡⎤⎡
⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡
DyadicFull
DyadicFull
DyadicFull
DyadicFull
DyadicRandom
DyadicRandom
⎥⎥⎥
⎦⎢⎢⎢
⎣⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡⎥⎥
⎦⎢⎢
⎣⎥⎦
⎤⎢⎣
⎡⎥⎦
⎤⎢⎣
⎡
THS)(=
Note: Dyadic X Dyadic = Dyadic
⎥⎤
⎢⎡ ++
=⎥⎤
⎢⎡⎥⎤
⎢⎡ BCADBDACDCBA
Note: Dyadic X Dyadic Dyadic
No. 54
⎥⎦
⎢⎣ ++⎥
⎦⎢⎣⎥⎦
⎢⎣ ACBDADBCCDAB
Attack on Quasi Dyadic Attack on Quasi Dyadic [UL09][UL09]
Attack on Quasi Dyadic Attack on Quasi Dyadic [UL09][UL09][UL09][UL09][UL09][UL09]
Exploits the fact that each column of Exploits the fact that each column of each low of H’T is tr(f(Li)) where f() and Li
kare unknownIf one can make f(x)=const, tr(f(Li)) ( ) , ( ( i))becomes independent of Li and all the coordinates in the same block of the coordinates in the same block of the low take the same value.On the contrary, by choosing ri s.t.
]),,[,],,,[],,,([' 111100= bibiiiiiT
i hhhhhhHr LLLL
f(x) can be const with high probability. No. 55
]),,[,],,,[],,,([ 1,1,1,1,0,0, −− bibiiiiii hhhhhhHr
Attack on Quasi Dyadic Attack on Quasi Dyadic [UL09][UL09]
Attack on Quasi Dyadic Attack on Quasi Dyadic [UL09][UL09][UL09][UL09][UL09][UL09]
])[][]([' 111100= bbT hhhhhhHr LLLL ]),,[,],,,[],,,([ 1,1,1,1,0,0, −−= bibiiiiii hhhhhhHr
These constants are linear combinations f t ( t t)⎤⎡ 0r
of tr(constant)
⎥⎤
⎢⎡1
=⎥⎥⎥⎤
⎢⎢⎢⎡
M'1
0
Hrr
T m(m-1) unknown in GF(q) so the uncertainty of (p1 to
⎥⎥⎥⎥
⎢⎢⎢⎢0M
=
⎤⎡⎤⎡
⎥⎥
⎦⎢⎢
⎣ −
M
])([])1([1
ptrtrh
rm
γγββ
pm-1) is m(m-1)log2 q ⎥⎦
⎢⎣0
⎥⎥⎥⎤
⎢⎢⎢⎡
⎥⎥⎥⎤
⎢⎢⎢⎡
−
−
MM
LLL
LLL
MOMM
L
L
]),([]),1([]),([]),1([
111
100
1,11,10,1
1,01,00,0
ptrtrptrtr
hh
m
m
γγγγ
ββββ
No. 56
⎥⎥
⎦⎢⎢
⎣⎥⎥
⎦⎢⎢
⎣ −−−−−− LLL
LMM
L
MOMM
]),([]),1([ 1111,11,10,1 ptrtrh mmmmmm γγββ
Countermeasure Against Countermeasure Against The Attack on Quasi DyadicThe Attack on Quasi Dyadic
Countermeasure Against Countermeasure Against The Attack on Quasi DyadicThe Attack on Quasi DyadicThe Attack on Quasi DyadicThe Attack on Quasi DyadicThe Attack on Quasi DyadicThe Attack on Quasi Dyadic
m(m 1) unknown in GF(q) and hence m(m-1) unknown in GF(q) and hence the uncertainty of (p1 to pm-1) is m(m-1)l bit1)log2 q bitsE.g.)g )For q=2, by making m>=10, the uncertainty becomes > 90 bits and this uncertainty becomes >=90 bits and this attack can be avoided(though this attack might be improved in future) in future)
No. 57
Parameters for PKEParameters for PKEParameters for PKEParameters for PKE
m t Binary work PK size Plaintext /Ciphertext sizefactor (KB) McEliece Niederreiter
11 32 286.8 72.9KB 1696/2048 bits 233/352bits
QD (Parameters are not optimized)
12 41 2128.5 216.5KB 3604/4096 bits 327/492bits
m t n p l Binary k
PK size (KB)
Plaintext/Ciph t t Si
QD (Parameters are not optimized)
work factor
(KB) hertext SizeQD
16 64 2560 1 12 291.3 3.0KB 427/1024 bits13 64 2048 2 16 290.2 1.9KB 406/832 bits
No. 58
12 128 2400 1 8 290.7 1.3KB 716/1536 bits
Parameters for Digital Parameters for Digital SignatureSignature
Parameters for Digital Parameters for Digital SignatureSignatureSignatureSignatureSignatureSignature
m t BWF PK size (KB)
Iteration *1
Signature Size *2 *3(KB) *1 *2,*3
14 13 280.7 360.0KB 232.5 182~214.5 bits13 14 280.0 178.0KB 236.4 182~218.4 bits12 15 288.2 86.0KB 240.3 180~220.3 bits
m t n Binary PK size Iteration Signature Size QD (Parameters are not optimized)
m t n Binary work factor
PK size (KB)
Iteration *1
Signature Size *2,*3
factor15 12 26528 284.0 48.2KB 232.5 180~212.5 bits14 13 13316 283.4 22 4KB 236.4 182~218 4 bits
No. 59
14 13 13316 2 22.4KB 2 182 218.4 bits13 14 6736 282.9 10.4KB 240.3 182~222.3 bits
Suitable Applications for CodeSuitable Applications for Code--Suitable Applications for CodeSuitable Applications for Code--Based PKCsBased PKCsBased PKCsBased PKCs
No. 60
CodeCode--Based PKCs Fit With Based PKCs Fit With Heterogeneous Heterogeneous
//
CodeCode--Based PKCs Fit With Based PKCs Fit With Heterogeneous Heterogeneous
//Network/ApplicationsNetwork/ApplicationsNetwork/ApplicationsNetwork/Applications
D1D2
D3 Di
A lot of low cost and lowA lot of low cost and low computational power devices, such as RFIDs, sensors and
One side has high computational power
SCADA devicesSince•Encryption and signature verification consist•Encryption and signature verification consist mostly of xors and they are highly parallelizable.•They do not require heavy multi precision•They do not require heavy multi precision modular exponentiations
No. 61
Broadcast Broadcast AuthenticationAuthentication
Broadcast Broadcast AuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthentication
One (powerful) sender
Applications include:
One (powerful) sender
pp•Transmission of mission critical commands and
broadcasts a message data to sensors and SCADA devices.•Issue of disaster warning
broadcasts a message
•Issue of disaster warning
D1D3D2
DiD3D2
a lot of (lightweight) receivers receive it and check its authenticity and dataand check its authenticity and data integrity.
No. 62
In emergency applications,In emergency applications,low latency is cruciallow latency is crucial
In emergency applications,In emergency applications,low latency is cruciallow latency is cruciallow latency is crucial low latency is crucial low latency is crucial low latency is crucial
A i tAgainst•Earthquake•TsunamiEspecially Tsunami•Flood•Tornado•Thunderbolt•Fire
Disaster warning…
D1 DiD1D3D2
Di
No. 63
Such warning receivers Such warning receivers may be deployedmay be deployed
Such warning receivers Such warning receivers may be deployedmay be deployedmay be deployedmay be deployedmay be deployedmay be deployed
at home, critical infrastructures, and then take appropriate actions if a warning is
h
take appropriate actions if a warning is verified.
homes
Turn off gases•Turn off gases•Unlock and open doors
Factories
(nuclear) power plants•Stop the lines
•Slow down the trains
In some cases, a few seconds are enough to mitigate
( ) p phospitals
•Slow down the trains
serious damages, and hence delay is should be minimized while maintaining adequate security level. No. 64
Comparison Among Comparison Among SolutionsSolutions
Comparison Among Comparison Among SolutionsSolutionsSolutionsSolutionsSolutionsSolutions
MACith
MAC ith
TESLA (h h
Digital Signaturewith one
master
with pair-wise
(hash-chain and delayed
Conventional (RSA,
DSA,
Code-Based
key keys auth)DSA,
ECDSA) Authenticity
d D tX*1 O O O O
and DataIntegrity
Computational O O O X OComputational Cost
O O O X O
Delay O X*2 X*3 X O
*1: Crack of one device breaks it.*2: Sender must broadcast a lot of MACs and each device must wait until his MAC is received
TESLA: Timed Efficient Stream Loss-tolerant Authentication No. 65
received.*3: Verification key is released in the next time slot.
Comparison Among Comparison Among SolutionsSolutions
Comparison Among Comparison Among SolutionsSolutionsSolutionsSolutionsSolutionsSolutions
MACith
MAC ith
TESLA (h h
Digital Signaturewith one
master
with pair-wise
(hash-chain and delayed
Conventional (RSA,
DSA,
Code-Based
key keys auth)DSA,
ECDSA) Authenticity
d D tX*1 O O O O
and DataIntegrity
Computational O O O X OComputational Cost
O O O X O
Delay O X*2 X*3 X O
*1: Crack of one device breaks it.*2: Sender must broadcast a lot of MACs and each device must wait until his MAC is received
TESLA: Timed Efficient Stream Loss-tolerant Authentication No. 66
received.*3: Verification key is released in the next time slot.
Privacy Enhanced RFIDPrivacy Enhanced RFIDPrivacy Enhanced RFIDPrivacy Enhanced RFID
a tag used for reading/writing ID (and RFID: g g g (information) via wireless communication.
RFID t i l
thi ( i l h l)
RFID system in general:item
tag
thing, animal orhuman
(wireless channel)
databasetag
readerIDUser-data
server
management of items, e.g. in supply chainApplications:No. 67
RFID (for long distance) requires RFID (for long distance) requires privacy protection mechanismprivacy protection mechanism
RFID (for long distance) requires RFID (for long distance) requires privacy protection mechanismprivacy protection mechanismprivacy protection mechanismprivacy protection mechanismprivacy protection mechanismprivacy protection mechanism
user station a.k.a. location privacy
Area-2
malicious readers
Area-1
Reader-2
Area-3
Area-4Reader-1 Reader-4
IDA IDAReader-3
hospital
Same IDs!!A user who carries a tag may
adversary
A user who carries a tag may be traced by someone else.
No. 68
Solutions Can Be Divided Solutions Can Be Divided IntoInto
Solutions Can Be Divided Solutions Can Be Divided IntoIntoIntoIntoIntoInto
Tag disabling Tag enabling Tag disabling solutions
Manually removal or
Tag enabling solutions
Randomized hash ydestructionKill command
lock [WSRE03]HB+ [JW05] and its
i tTemporally tag-disabling solutions
variantsCode-Based Unlinkable-ID [SKI06] Faraday cage
Access passwordH h l k
Unlinkable ID [SKI06] [CKM+07]
Tag enabling solutions:Hash lockBlocker tagMode switch
Tag enabling solutions:Enable RFID functionalities while providing Mode switch while providing unlinkability of IDs
No. 69
ComparisonComparisonComparisonComparison
Exhaustive search of IDs at the server
Unlinkability
Randomized hash lock
Necessary (Tag identification cost
○lock,HB+ and its variants
identification cost depends on # of tags)
variantsCode-Based U li k bl ID
Unnecessary (Tag id ifi i i
○Unlinkable-ID identification cost is
independent of # of )tags)
No. 70
CodeCode--Based UnlikableBased Unlikable--ID ID (1/3)(1/3)
CodeCode--Based UnlikableBased Unlikable--ID ID (1/3)(1/3)
n – k(WH(): Hamming weight)
Niederreiter PKE:
(1/3)(1/3)(1/3)(1/3)
'mHc =n n – kn k
mWH(m) = t
nH’ = ca ciphertext
/ /t tCode-Based Unlinkable-ID:
n1'H
n – k
n1 n2
n21 nnn +=
1 1/ /a n n t t= =
n11H
2'H n2
m =ttt +=
nr id1 2
W (r) = t W (d) = t='H
2 n221 ttt +=
(ID)(random num.)
WH(r) = t1 WH(d) = t2No. 71
CodeCode--Based Based UnlinkableUnlinkable--ID ID (2/3)(2/3)
CodeCode--Based Based UnlinkableUnlinkable--ID ID (2/3)(2/3)(2/3)(2/3)(2/3)(2/3)
× ×r id'H 'H= ⊕c × ×r id1H 2H= ⊕c
c2c1 ⊕
Pre compute this at the server and assigns it to each tag
Let each tag calculate this
No. 72
CodeCode--Based Based UnlinkableUnlinkable--IDID(3/3)(3/3)
CodeCode--Based Based UnlinkableUnlinkable--IDID(3/3)(3/3)(3/3)(3/3)(3/3)(3/3)
Q & R l Ph ReaderTag ),'( 21 cH
Query
Query & Reply Phase ),,( PHS
×r 'Hc =
QueryRNG( )
×r 1Hc1 =
c = c2c1 ⊕ ID Resolve Phase
cc c2c1
r||id := Decrypt(c)⊕
Unlinkable-ID =
This scheme p o ides nlinkabilit of IDs against passi e attack B t b make this
No. 73
This scheme provides unlinkability of IDs against passive attack. But by make this challenge-response type, this can also be secure against adaptive attack [CKM+07]
Conclusion (1/2)Conclusion (1/2)Conclusion (1/2)Conclusion (1/2)
Code based PKCs are suitable forCode-based PKCs are suitable forHeterogeneous Network/Applications, such as
Broadcast Authentication and Unlinkable-ID for light weight devices such as
RFID, sensors, SCADA devices
Since theySince theydo not require heavy multi-precision modular exponentiationexponentiationcan be executed mostly using only xors highly i ll l in parallel
No. 74
Conclusion (2/2)Conclusion (2/2)Conclusion (2/2)Conclusion (2/2)
Research themes left in this area includeResearch themes left in this area includeFurther reduction of PK sizesNew attacks (especially on QD)New primitives/applicationsp / ppImplementation and side-channel attacksProvable securityProvable securityetc.
No. 75
Thank you very much for your Thank you very much for your Thank you very much for your Thank you very much for your kind attention!!kind attention!!kind attention!!kind attention!!
No. 76
ReferencesReferencesReferencesReferences
[GPT91] E.M. Gabidulin, A.V. Paramonov, O.V. Tretjakov, “Ideals over a Non commutative Ring and Their Ideals over a Non-commutative Ring and Their Application in Cryptology,” Proc. of Eurocrypt’91, LNCS 547, pp.482-489, 1991[SS92] V Sidelnikov and S Shestakov “On insecurity of [SS92] V. Sidelnikov and S. Shestakov, On insecurity of cryptosystems based on generalized Reed-Solomon codes.”Discrete Math. Appl. 2(4), pp. 439–444, 1992[MRS00]C Monico J Rosenthal and A Shokrollahi “Using [MRS00]C. Monico, J. Rosenthal, and A. Shokrollahi, Using low density parity check codes in the McEliececryptosystem,” Proc. of IEEE ISIT’00, p. 215, 2000[Loi00] P Loidreau “Strengthening McEliece cryptosystem ” [Loi00] P. Loidreau “Strengthening McEliece cryptosystem,” Proc. of ASIACRYPT’00, pp. 585–598, 2000[PCT+02] A. Perrig, R. Canetti, J.D. Tyger and D. Song, “The TESLA Broadcast A thentication Protocol ” Cr ptoB tes TESLA Broadcast Authentication Protocol,” CryptoBytes, Vol.5, No.2, Summer/Fall, pp. 2-13[KI02] K. Kobara and H. Imai “Semantically secure McEliece
bli k t t ” IEICE T E85 A(1) 74 83 public-key cryptosystem”. IEICE Trans., E85-A(1), pp. 74–83, 2002
No. 77
ReferencesReferencesReferencesReferences
[KI03] K. Kobara and H. Imai “On the one-wayness against [ ] y gchosen-plaintext attacks on the Loidreau’s modified McEliece PKC”. IEEE Trans. on IT, 49(12), pp. 3136–3168, 2003[Ove05] R. Overbeck, “A new structural attack for GPT and variants,” Proc. of Mycrypt’05, LNCS 3517, pp. 50-63, 2005[AFS05] D. Augot, M. Finiasz, and N. Sendrier, “A family of [ ] g , , , yfast syndrome based cryp-tographic hash function,” Proc. of Mycrypt’05, LNCS 3715, pp. 64-83, 2005[Gab05] P. Gaborit, “Shorter keys for code based [ ] , ycryptography,” Proc of WCC’05, pp. 81–91, 2005[SKI06] M. Suzuki, K. Kobara, and H. Imai. “Privacy enhanced and light weight RFID system without tag enhanced and light weight RFID system without tag synchronization and exhaustive search,” Proc. of IEEE SMC’06, pp. 1250-1255, 2006[Wie06] C. Wieschebrink, “An attack on a modified [Wie06] C. Wieschebrink, An attack on a modified Niederreiter encryption scheme,” Proc. of PKC’06, LNCS 3958, pp.14–26, 2006
No. 78
ReferencesReferencesReferencesReferences
[Ble06] D. Bleichenbacher, htt // d k il /N / i t/2006http://www.derkeiler.com/Newsgroups/sci.crypt/2006-12/msg00480.html , 2006[BC07] M. Baldi and F. Chiaraluce “Cryptanalysis of a new instance of McEliece cryptosystem based on QC LDPC Codes ” instance of McEliece cryptosystem based on QC-LDPC Codes, IEEE ISIT, pp. 2591-2595, 2007[CKM+07] Y. Cui, K. Kobara, K. Matsuura, and H. Imai “Lightweight Asymmetric Privacy-Preserving Authentication Lightweight Asymmetric Privacy Preserving Authentication Protocols Secure against Active Attack” Proc. of PerSec’07, pp. 223–228, 2007[NIK+07] R. Nojima, H. Imai, K. Kobara and K. Morozov, “Semantic [ ] j , , ,Security for the McEliece Cryptosystem without Random Oracles,” Proc. Of WCC’07, pp. 257-268, 2007[DQN08] R. Dowsley, J. Müller-Quade and A. C. A. Nascimento, “A CCA2 S P bli K E ti S h B d th “A CCA2 Secure Public Key Encryption Scheme Based on the McEliece Assumptions in the Standard Model,” http://eprint.iacr.org/2008/468 ,2008
No. 79
ReferencesReferencesReferencesReferences
[AFG+08] D. Augot, M. Finiasz, Ph. Gaborit, S. Manuel, and N. S d i “SHA 3 l FSB ” SHA 3 NIST titi 2008Sendrier, “SHA-3 proposal: FSB,” SHA-3 NIST competition, 2008[Ber08] D. J. Bernstein “List decoding for binary Goppa codes,” http://cr.yp.to/codes/goppalist-20081107.pdf , 2008[DGQ 08] R D l J d G f J M Q d d A [DGQ+08] R. Dowsley, J. van de Graaf, J. M.-Quade, and A. Nascimento. “Oblivious transfer based on the McElieceassumptions.” Proc. of ICITS’08, LNCS 5155, pp. 107-117, 2008[KMO08] K Kobara K Morozov and R Overbeck “Coding Based [KMO08] K. Kobara, K. Morozov and R. Overbeck Coding-Based Oblivious Transfer” Proc. of Mathematical Methods in Computer Science, LNCS 5393, pp. 142-156, 2008[BLN+09] D J Bernstein T Lange R Niederhagen C Peters P [BLN+09] D. J. Bernstein, T. Lange, R. Niederhagen, C. Peters, P. Schwabe. “FSBday: implementing Wagner's generalized birthday attack against the SHA-3 round-1 candidate FSB.” URL: http://cr.yp.to/papers.html#fsbday , 2009
No. 80
ReferencesReferencesReferencesReferences
[OTD08] A. Otmani, J.P. Tillich, L. Dallot, [O 08] . O a , J. . c , . a o , “Cryptanalysis of Two McEliece Cryptosystems Based on Quasi-Cyclic Codes,” http://arxiv org/abs/0804 0409 2008http://arxiv.org/abs/0804.0409 2008[DQN08] R. Dowsley and J. M. Quade and A. C. A. Nascimento, “A CCA2 Secure Public Key A. Nascimento, A CCA2 Secure Public Key Encryption Scheme Based on the McElieceAssumptions in the Standard Model,” http://eprint iacr org/2008/468 2008http://eprint.iacr.org/2008/468, 2008[FS09] M. Finiasz and N. Sendrier, “Security Bounds for the Design of Code-based Bounds for the Design of Code based Cryptosystems ” Proc of Asiacrypt’09, http://eprint.iacr.org/2009/414 , 2009
No. 81
ReferencesReferencesReferencesReferences
[Wie09] C. Wieschebrink, “Cryptanalysis of the Niederreiter[ ] yp yPublic Key Scheme Based on GRS Subcodes,” http://eprint.iacr.org/2009/452, 2009[MB09] R. Misoczki and P. Barreto, “Compact McEliece[ ] pKeys from Goppa Codes,” Proc. of SAC’09, pp. 2009 [MB09a] R. Misoczki and P. Barreto, personal communication, 2009 ,[BCG+09] T. Berger, P.-L. Cayrel, P. Gaborit, and A. Otmani, “Reducing Key Length of the McEliece Cryptosystem,” Proc. of AFRICACRYPT’09, LNCS5580, pp. 77-97, 2009, , pp ,[UL09] V. G. Umana and G. Leander “Practical Key Recovery Attacks On Two McEliece Variants,” http://eprint.iacr.org/2009/509, 2009http://eprint.iacr.org/2009/509, 2009
No. 82