Survey on cryptanalysis of code-based cryptography: From theoretical to physical attacks

Nowadays public-key cryptography is based on number theory problems, such as computing the discrete logarithm on an elliptic curve or factoring big integers. Even though these problems are considered difficult to solve with a classical computer, they can be solved in polynomial time on a quantum computer, which is why the research community has proposed alternative solutions that are quantum-resistant. The process of finding adequate post-quantum cryptographic schemes moved to the next level right after NIST's announcement of its post-quantum standardization effort. One of the oldest quantum-resistant propositions goes back to McEliece in 1978, who proposed a public-key cryptosystem based on coding theory. It benefits from really efficient algorithms as well as a strong mathematical background. Nonetheless, its security has been challenged many times and several variants have been cryptanalyzed; some versions, however, remain unbroken. In this paper, we give some background on coding theory in order to present some of the main flaws in the protocols. We analyze the existing side-channel attacks and give some recommendations on how to securely implement the most suitable variants. We also detail some structural attacks and potential drawbacks of new variants.
