Error Amplification in Code-based Cryptography

Nilsson, Alexander; Johansson, Thomas; Stankovski, Paul

Error Amplification in Code-based Cryptography

Mark

Nilsson, Alexander ^LU

; Johansson, Thomas ^LU

and Stankovski, Paul ^LU (2018) In IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES) 2019(1). p.238-258

Abstract: Code-based cryptography is one of the main techniques enabling cryptographic primitives in a post-quantum scenario. In particular, the MDPC scheme is a basic scheme from which many other schemes have been derived. These schemes rely on iterative decoding in the decryption process and thus have a certain small probability p of having a decryption (decoding) error.
In this paper we show a very fundamental and important property of code-based encryption schemes. Given one initial error pattern that fails to decode, the time needed to generate another message that fails to decode is strictly much less than 1/p. We show this by developing a method for fast generation of undecodable error patterns (error pattern chaining), which additionally... (More); Code-based cryptography is one of the main techniques enabling cryptographic primitives in a post-quantum scenario. In particular, the MDPC scheme is a basic scheme from which many other schemes have been derived. These schemes rely on iterative decoding in the decryption process and thus have a certain small probability p of having a decryption (decoding) error.
In this paper we show a very fundamental and important property of code-based encryption schemes. Given one initial error pattern that fails to decode, the time needed to generate another message that fails to decode is strictly much less than 1/p. We show this by developing a method for fast generation of undecodable error patterns (error pattern chaining), which additionally proves that a measure of closeness in ciphertext space can be exploited through its strong linkage to the difficulty of decoding these messages. Furthermore, if side-channel information is also available (time to decode), then the initial error pattern no longer needs to be given since one can be easily generated in this case.
These observations are fundamentally important because they show that a, say, 128- bit encryption scheme is not inherently safe from reaction attacks even if it employs a decoder with a failure rate of 2−128. In fact, unless explicit protective measures are taken, having a failure rate at all – of any magnitude – can pose a security problem because of the error amplification effect of our method.
A key-recovery reaction attack was recently shown on the MDPC scheme as well as similar schemes, taking advantage of decoding errors in order to recover the secret key. It was also shown that knowing the number of iterations in the iterative decoding step, which could be received in a timing attack, would also enable and enhance such an attack. In this paper we apply our error pattern chaining method to show how to improve the performance of such reaction attacks in the CPA case. We show that after identifying a single decoding error (or a decoding step taking more time than expected in a timing attack), we can adaptively create new error patterns that have a much higher decoding error probability than for a random error. This leads to a significant improvement of the attack based on decoding errors in the CPA case and it also gives the strongest known attack on MDPC-like schemes, both with and without using side-channel information. (Less)

Please use this url to cite or link to this publication: https://lup.lub.lu.se/record/ebb7438d-c0bb-4779-bcd8-39bb755108e2

author

Nilsson, Alexander ^LU

; Johansson, Thomas ^LU

and Stankovski, Paul ^LU

organization

publishing date

2018-11-12

type

Contribution to journal

publication status

published

subject

Computer Systems

keywords

post-quantum cryptography, MDPC, timing attack, side-channel attack, iterative decoding, error amplification, error pattern chaining

in

IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)

volume

2019

issue

1

pages

238 - 258

publisher

Ruhr-University of Bochum

ISSN

2569-2925

DOI

10.13154/tches.v2019.i1.238-258

project

Side channels on software implementations of post-quantum cryptographic algorithms

language

English

LU publication?

yes

id

ebb7438d-c0bb-4779-bcd8-39bb755108e2

date added to LUP

2018-12-21 11:38:26

date last changed

2020-06-12 13:03:47

@article{ebb7438d-c0bb-4779-bcd8-39bb755108e2,
  abstract     = {{Code-based cryptography is one of the main techniques enabling cryptographic primitives in a post-quantum scenario. In particular, the MDPC scheme is a basic scheme from which many other schemes have been derived. These schemes rely on iterative decoding in the decryption process and thus have a certain small probability p of having a decryption (decoding) error.<br/>In this paper we show a very fundamental and important property of code-based encryption schemes. Given one initial error pattern that fails to decode, the time needed to generate another message that fails to decode is strictly much less than 1/p. We show this by developing a method for fast generation of undecodable error patterns (error pattern chaining), which additionally proves that a measure of closeness in ciphertext space can be exploited through its strong linkage to the difficulty of decoding these messages. Furthermore, if side-channel information is also available (time to decode), then the initial error pattern no longer needs to be given since one can be easily generated in this case.<br/>These observations are fundamentally important because they show that a, say, 128- bit encryption scheme is not inherently safe from reaction attacks even if it employs a decoder with a failure rate of 2−128. In fact, unless explicit protective measures are taken, having a failure rate at all – of any magnitude – can pose a security problem because of the error amplification effect of our method.<br/>A key-recovery reaction attack was recently shown on the MDPC scheme as well as similar schemes, taking advantage of decoding errors in order to recover the secret key. It was also shown that knowing the number of iterations in the iterative decoding step, which could be received in a timing attack, would also enable and enhance such an attack. In this paper we apply our error pattern chaining method to show how to improve the performance of such reaction attacks in the CPA case. We show that after identifying a single decoding error (or a decoding step taking more time than expected in a timing attack), we can adaptively create new error patterns that have a much higher decoding error probability than for a random error. This leads to a significant improvement of the attack based on decoding errors in the CPA case and it also gives the strongest known attack on MDPC-like schemes, both with and without using side-channel information.}},
  author       = {{Nilsson, Alexander and Johansson, Thomas and Stankovski, Paul}},
  issn         = {{2569-2925}},
  keywords     = {{post-quantum cryptography; MDPC; timing attack; side-channel attack; iterative decoding; error amplification; error pattern chaining}},
  language     = {{eng}},
  month        = {{11}},
  number       = {{1}},
  pages        = {{238--258}},
  publisher    = {{Ruhr-University of Bochum}},
  series       = {{IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)}},
  title        = {{Error Amplification in Code-based Cryptography}},
  url          = {{http://dx.doi.org/10.13154/tches.v2019.i1.238-258}},
  doi          = {{10.13154/tches.v2019.i1.238-258}},
  volume       = {{2019}},
  year         = {{2018}},
}

Lund University Publications

LUND UNIVERSITY LIBRARIES

Error Amplification in Code-based Cryptography