TY - THES
T1 - Using Coding Techniques for Attacking Post-Quantum Cryptographic Assumptions and Systems
AU - Guo, Qian
N1 - Defence details
Date: 2016-12-13
Time: 10:15
Place: Lecture hall E:1406, building E, Ole Römers väg 3, Lund University, Faculty of Engineering LTH, Lund
External reviewer
Name: Albrecht, Martin R.
Title: Associate Professor
Affiliation: University of London, UK
---
PY - 2016
Y1 - 2016
N2 - Post-quantum cryptography for resisting possible attacks from malicious quantum adversaries has become one of the key topics in recent cryptographic research. Its ultimate goal is to search for efficient and secure primitives replacing the factoring- and discrete log-based schemes in service that will be broken in polynomial time by Shor’s algorithm. It is now an urgent task to complete this replacement due to the rapid development in building quantum computers.Among all known post-quantum candidates, lattice-based and code-based cryptography are two very attractive branches for their solid mathematical foundations as well as their versatile cryptographic applications. There exist several important hardness assumptions in these two areas, especially that the famous hard learning problems, i.e., the learning parity with noise (LPN) problem, the learning with errors (LWE) problem and their variants, are difficult to solve. It plays a crucial role to determine the concrete complexity of the discussed instances of these problems when characterising the security level of cryptosystems employing these instances.The LPN assumption and its variants also have significance in Lightweight cryptography, a field for building low-cost cryptographic schemes for highly constraint devices. A better solving algorithm will definitely lead to a security reduction of the schemes making use of the suggested parameters.In this thesis, we introduce new algorithmic ideas for improving the solving algorithms of these hard problems and analyse their concrete complexity. Our tools are existing techniques from various aspects of the well-developed coding theory, and many targeted cryptosystems should increase the size of the suggested parameters for a certain security level. We also present the first key-recovery reaction attack against QC-MDPC, a code-based public-key encryption scheme. This attack can be applied to the CCA2 converted version of QC-MDPC to break the claimed CCA2 security. The results can be summarised in the following.• We use covering codes for solving LPN – the instances suggested for 80-bit security in HB variants and LPN-C can be solved in less than 2^80 operations.• We use CRT codes for solving Ring-LPN with a reducible polynomial –we break the Lapin authentication protocol using the proposed instance for 80-bit security in about 2^71 operations.• We use lattice codes for solving LWE and its variants – we reduce the time complexity for solving some suggested parameter settings drastically; for example, for an instance suggested by Regev with dimension n = 512, the improvement factor is about 2^70 . Several other cryptosystems should employ LWE instances with a larger dimension.• Using the Hamming leakage model, we reduce the problem of using a side-channel attack on the fresh re-keying countermeasure to a slightly generalised Ring-LPN problem with a reducible polynomial, and solve it via birthday-type attacks and FWHT – compared with the previous research, the improvement factor is about 2^10 in the 128-bit leakage model with the same amount of SNR and leaking traces.• We make use of the fact that the decoding error probability of the iterative decoding algorithm employed in QC-MDPC is highly correlated with the error patterns, and leaks some information of the secret key – we implement the attack, which works well targeting both the CPA- and CCA2-secure versions of QC-MDPC.Besides these attacks, we propose a new McEliece-type public-key cryptosystem generalising MDPC from the binary case to a larger alphabet and suggest parameters based on knowledge of the concrete complexity of the above hard problems. This scheme is very attractive as a topic related to both lattice-based and code-based cryptography, which takes advantage of iterative decoding, the McEliece structure, the Euclidean metric, as well as a more compact way of representing information. This scheme is still far from mature and needs to be refined further.
AB - Post-quantum cryptography for resisting possible attacks from malicious quantum adversaries has become one of the key topics in recent cryptographic research. Its ultimate goal is to search for efficient and secure primitives replacing the factoring- and discrete log-based schemes in service that will be broken in polynomial time by Shor’s algorithm. It is now an urgent task to complete this replacement due to the rapid development in building quantum computers.Among all known post-quantum candidates, lattice-based and code-based cryptography are two very attractive branches for their solid mathematical foundations as well as their versatile cryptographic applications. There exist several important hardness assumptions in these two areas, especially that the famous hard learning problems, i.e., the learning parity with noise (LPN) problem, the learning with errors (LWE) problem and their variants, are difficult to solve. It plays a crucial role to determine the concrete complexity of the discussed instances of these problems when characterising the security level of cryptosystems employing these instances.The LPN assumption and its variants also have significance in Lightweight cryptography, a field for building low-cost cryptographic schemes for highly constraint devices. A better solving algorithm will definitely lead to a security reduction of the schemes making use of the suggested parameters.In this thesis, we introduce new algorithmic ideas for improving the solving algorithms of these hard problems and analyse their concrete complexity. Our tools are existing techniques from various aspects of the well-developed coding theory, and many targeted cryptosystems should increase the size of the suggested parameters for a certain security level. We also present the first key-recovery reaction attack against QC-MDPC, a code-based public-key encryption scheme. This attack can be applied to the CCA2 converted version of QC-MDPC to break the claimed CCA2 security. The results can be summarised in the following.• We use covering codes for solving LPN – the instances suggested for 80-bit security in HB variants and LPN-C can be solved in less than 2^80 operations.• We use CRT codes for solving Ring-LPN with a reducible polynomial –we break the Lapin authentication protocol using the proposed instance for 80-bit security in about 2^71 operations.• We use lattice codes for solving LWE and its variants – we reduce the time complexity for solving some suggested parameter settings drastically; for example, for an instance suggested by Regev with dimension n = 512, the improvement factor is about 2^70 . Several other cryptosystems should employ LWE instances with a larger dimension.• Using the Hamming leakage model, we reduce the problem of using a side-channel attack on the fresh re-keying countermeasure to a slightly generalised Ring-LPN problem with a reducible polynomial, and solve it via birthday-type attacks and FWHT – compared with the previous research, the improvement factor is about 2^10 in the 128-bit leakage model with the same amount of SNR and leaking traces.• We make use of the fact that the decoding error probability of the iterative decoding algorithm employed in QC-MDPC is highly correlated with the error patterns, and leaks some information of the secret key – we implement the attack, which works well targeting both the CPA- and CCA2-secure versions of QC-MDPC.Besides these attacks, we propose a new McEliece-type public-key cryptosystem generalising MDPC from the binary case to a larger alphabet and suggest parameters based on knowledge of the concrete complexity of the above hard problems. This scheme is very attractive as a topic related to both lattice-based and code-based cryptography, which takes advantage of iterative decoding, the McEliece structure, the Euclidean metric, as well as a more compact way of representing information. This scheme is still far from mature and needs to be refined further.
M3 - Doctoral Thesis (compilation)
SN - 978-91-7623-982-7
PB - Department of Electrical and Information Technology, Lund University
ER -