A Key Recovery Reaction Attack on QC-MDPC

Algorithms for secure encryption in a post-quantum world are currently receiving a lot of attention in the research community. One of the most promising such algorithms is the code-based scheme called QC-MDPC, which has excellent performance and a small public key size. In this paper, we present a very efficient key recovery attack on the QC-MDPC scheme, using the fact that decryption involves an iterative decoding step, which can fail with some small probability. We identify a dependence between the secret key and the failure in decoding. This can be used to build what we refer to as a distance spectrum for the secret key, which is the set of all distances between any two ones in the secret key. In a reconstruction step, we then determine the secret key from the distance spectrum. The attack has been implemented and tested on a proposed instance of QC-MDPC for 80-bit security. It successfully recovers the secret key in minutes. A slightly modified version of the attack can be applied to proposed versions of the QC-MDPC scheme that provide IND-CCA security. The attack is a bit more complex in this case, but its cost is still very much below the security level. The reason why we can break schemes with proven CCA security is that the model for these proofs typically does not include the possibility of decoding errors. Finally, we present several algorithms for key reconstruction from an empirical distance spectrum. We first improve the naïve algorithm for key reconstruction by a factor of about 30 000 when the parameters for 80-bit security are used. We further develop the algorithm to deal with errors in the distance spectrum. This ultimately reduces the number of ciphertexts that need to be collected for a successful key recovery.
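The abstract defines the distance spectrum of a secret key as the set of distances between any two ones in it. The following added example (not code from the paper) computes that spectrum, with multiplicities, for a sparse cyclic vector given as a bit string. It assumes, as a labelled convention not spelled out in the abstract, that the vector is a length-p cyclic block and that a distance d is identified with p - d, so every entry lies in 1..p//2; the function names and the sample vectors are constructed for illustration.

```python
# Added example: distance spectrum of a sparse cyclic vector (not the paper's code).
from itertools import combinations


def positions_from_bits(bits):
    """Positions of the ones in a 0/1 string such as '10100010000'."""
    return [i for i, b in enumerate(bits) if b == "1"]


def distance_spectrum(ones, p):
    """Return {distance: multiplicity} for a length-p cyclic vector.

    `ones` lists the positions of the ones. Assumption (a convention, not taken
    from the abstract): distances are cyclic and d is identified with p - d,
    so the keys of the result are in the range 1..p//2.
    """
    spectrum = {}
    for i, j in combinations(sorted(set(ones)), 2):
        d = (j - i) % p
        d = min(d, p - d)  # identify d with p - d
        spectrum[d] = spectrum.get(d, 0) + 1
    return spectrum


def spectrum_matches(ones, p, observed):
    """True when a candidate block has exactly the observed spectrum.

    This is the kind of consistency check a reconstruction step would use to
    accept or reject a candidate; the observed spectrum here is constructed.
    """
    return distance_spectrum(ones, p) == observed


if __name__ == "__main__":
    # Constructed sample: p = 11, ones at positions 0, 1 and 3.
    sample = "11010000000"
    ones = positions_from_bits(sample)
    print(ones, distance_spectrum(ones, 11))
    # A cyclic shift of the same vector has the same spectrum.
    shifted = [(x + 4) % 11 for x in ones]
    print(shifted, distance_spectrum(shifted, 11))
```

The spectrum is invariant under cyclic shifts, which is why it characterises a quasi-cyclic key block only up to rotation; the reconstruction step described in the abstract has to resolve that ambiguity and, in the error-tolerant variants, cope with spectrum entries that were observed incorrectly.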
