Abstract
Code-based cryptography is one of the main techniques enabling cryptographic primitives in a post-quantum scenario. In particular, the MDPC scheme is a basic scheme from which many other schemes have been derived. These schemes rely on iterative decoding in the decryption process and thus have a certain small probability p of having a decryption (decoding) error. In this paper we show a very fundamental and important property of code-based encryption schemes. Given one initial error pattern that fails to decode, the time needed to generate another message that fails to decode is strictly much less than 1/p. We show this by developing a method for fast generation of undecodable error patterns (error pattern chaining), which additionally proves that a measure of closeness in ciphertext space can be exploited through its strong linkage to the difficulty of decoding these messages. Furthermore, if side-channel information is also available (time to decode), then the initial error pattern no longer needs to be given since one can be easily generated in this case. These observations are fundamentally important because they show that a, say, 128-bit encryption scheme is not inherently safe from reaction attacks even if it employs a decoder with a failure rate of 2^-128. In fact, unless explicit protective measures are taken, having a failure rate at all – of any magnitude – can pose a security problem because of the error amplification effect of our method. A key-recovery reaction attack was recently shown on the MDPC scheme as well as similar schemes, taking advantage of decoding errors in order to recover the secret key. It was also shown that knowing the number of iterations in the iterative decoding step, which could be obtained in a timing attack, would also enable and enhance such an attack. In this paper we apply our error pattern chaining method to show how to improve the performance of such reaction attacks in the CPA case.
We show that after identifying a single decoding error (or a decoding step taking more time than expected in a timing attack), we can adaptively create new error patterns that have a much higher decoding error probability than for a random error. This leads to a significant improvement of the attack based on decoding errors in the CPA case and it also gives the strongest known attack on MDPC-like schemes, both with and without using side-channel information.
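The error amplification effect described in the abstract (and again in the Summary below) can be measured on a toy instance. The following is an added example written for this page, not code from the paper or its authors: it builds a tiny QC-MDPC parity-check matrix (r = 53, block weight 7, constructed here with no security meaning), decodes with a simple max-counter bit-flipping decoder, estimates the marginal decoding failure rate p from random error patterns of a calibrated weight t, and then walks from one observed failing pattern through Hamming-distance-2 neighbours (error pattern chaining: each failing neighbour becomes the new starting point) and records how often those fail. The parameters, the neighbour rule, the calibration floor and every function name are assumptions made for this illustration. A chain failure rate well above the random rate is the amplification effect, and it is the number a DFR audit of a decoder implementation should report next to the advertised DFR, since expected draws per failure drop from 1/p to 1/chain_dfr.

```python
"""Toy QC-MDPC decoding-failure audit (constructed example, not the paper's code).

Parameters are deliberately tiny so it runs in seconds; they carry no
security meaning. Columns of H are stored as R-bit integers so that the
bit-flipping counters are single AND + popcount operations.
"""
import random

R = 53          # circulant block size (prime, toy scale; assumption)
D = 7           # ones per row in each circulant block -> row weight w = 14
N = 2 * R       # code length of H = [H0 | H1]
MAX_ITER = 25   # bit-flipping iteration cap; exceeding it is a decoding failure


def popcount(x):
    return bin(x).count("1")


def build_columns(rng):
    """Return the N columns of H = [H0 | H1] as R-bit integers.

    Column j of a circulant block whose first row has ones at `first_row`
    has ones in rows (j - p) mod R for each p in first_row.
    """
    cols = []
    for _block in range(2):
        first_row = rng.sample(range(R), D)
        for j in range(R):
            mask = 0
            for p in first_row:
                mask |= 1 << ((j - p) % R)
            cols.append(mask)
    return cols


def toy_code(seed):
    """Deterministic toy parity-check matrix for a given seed."""
    return build_columns(random.Random(seed))


def syndrome(cols, error):
    s = 0
    for j in error:
        s ^= cols[j]
    return s


def bit_flip_decode(cols, s):
    """Max-counter bit flipping: each round flips every position whose number
    of unsatisfied checks equals the round maximum. Returns (success, error)."""
    recovered = set()
    for _ in range(MAX_ITER):
        if s == 0:
            return True, recovered
        counters = [popcount(s & c) for c in cols]
        thr = max(counters)
        for j, c in enumerate(counters):
            if c == thr:
                recovered ^= {j}
                s ^= cols[j]
    return s == 0, recovered


def random_error(rng, t):
    return frozenset(rng.sample(range(N), t))


def neighbour(rng, error):
    """Move one error position: same weight, Hamming distance 2 from `error`."""
    out = rng.choice(sorted(error))
    inside = rng.choice([j for j in range(N) if j not in error])
    return (error - {out}) | {inside}


def fails(cols, error):
    ok, rec = bit_flip_decode(cols, syndrome(cols, error))
    return not (ok and rec == set(error))


def calibrate(cols, rng, pilot=100, floor=0.05):
    """Smallest error weight whose pilot DFR reaches `floor` (assumed floor),
    plus the first failing pattern seen at that weight and the draw it took."""
    for t in range(1, R):
        first_fail, draws, failures = None, 0, 0
        for i in range(1, pilot + 1):
            e = random_error(rng, t)
            if fails(cols, e):
                failures += 1
                if first_fail is None:
                    first_fail, draws = e, i
        if failures / pilot >= floor:
            return t, first_fail, draws
    raise RuntimeError("DFR never reached the floor (not expected for t near R)")


def audit(seed=1, samples=300):
    """Marginal DFR from random patterns versus DFR along an error-pattern chain."""
    rng = random.Random(seed)
    cols = build_columns(rng)
    t, e0, draws = calibrate(cols, rng)
    random_failures = sum(fails(cols, random_error(rng, t)) for _ in range(samples))
    current, chain_failures = e0, 0
    for _ in range(samples):
        cand = neighbour(rng, current)
        if fails(cols, cand):
            chain_failures += 1
            current = cand          # chain: continue from the new failure
    return {"t": t, "draws_to_first_failure": draws, "initial_failure": e0,
            "random_dfr": random_failures / samples,
            "chain_dfr": chain_failures / samples}


if __name__ == "__main__":
    r = audit()
    print("t =", r["t"], "random DFR =", r["random_dfr"], "chain DFR =", r["chain_dfr"])
```

Run it as a script to print the calibrated weight, the marginal DFR and the chain DFR; the ratio of the two is the amplification factor for this toy decoder, and raising `samples` tightens both estimates.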
Highlights
Future quantum computers will be able to break cryptography based on integer factorization and discrete log in polynomial time
When side-channel information such as decoding time or the number of iterations used during decoding is available, the initial error pattern no longer needs to be given since one can be generated instead. These observations are fundamentally important because they show that a, say, 128-bit encryption scheme is not inherently safe from reaction attacks even if it employs a decoder with a failure rate of 2^-128
We have shown that the advertised decoding failure rate of a decoder implementation might not always tell the whole truth about the security of the particular implementation
Summary
Future quantum computers will be able to break cryptography based on integer factorization and discrete log in polynomial time. This fact opens the door for possible timing attacks based on the number of required decoding rounds. It was shown by Guo, Johansson and Stankovski [GJS16] that decoding errors can be used to reconstruct the secret key. The attack breaks the chosen-ciphertext attack (CCA) security of the scheme and provides attackers with a key recovery attack that requires submitting 200-350 million ciphertexts for decryption. This was based on proposed parameters for 80-bit security and the decryption device using an iterative decoding algorithm with a decoding error probability around 10^-4. In the recent NIST post-quantum standardization project [CJL+16], a number of code-based schemes have been submitted. Looking through these submissions, one can see that the above described attack has impact on the security analysis of such schemes. Not only did they provide the framework for a timing attack, but they also gave an extended theoretical treatment of the attack and showed the dependence on the syndrome weight in decoding.
More From: IACR Transactions on Cryptographic Hardware and Embedded Systems