Partial Key Exposure Attacks on BIKE, Rainbow, and NTRU

Slide Note
Embed
Share

Explore the vulnerability of PQC candidates to partial key exposure attacks in schemes like BIKE, Rainbow, and NTRU. Learn about leakage resistance, modeling leakage, practical bounds, and secret key decoding methods. Dive into the erasure and error models, analyzing the security of secret keys in varying scenarios.

kuchar_d
kuchar_d Follow

Uploaded on Nov 20, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Partial Key Exposure Attacks on BIKE, Rainbow and NTRU Andre Esser Alexander May Javier Verbel Weiqiang Wen @ CRYPTO 2022, Santa Barbara

  2. Motivation Are PQC candidates leakage resistant? ?-bit key, -bit leaked security of (? ) -bit key? Best known: Enumeration attacks No use of key-redundancy / structure New attacks and bounds on required leakage 2

  3. Methodology How to model leakage? Errors / Erasures Asymptotic leakage bounds (poly-time) Practical leakage bounds 3

  4. Rainbow, BIKE and NTRU 4

  5. Secret Keys Rainbow BIKE NTRU ? ?/2 Vector ? ?3 Vector ?,? ?2 ?2 with few 1 s Matrices over ??: ?/2 ? 0 0 ?1 ? 0 ?2 ?3 ? ? 1=? ? ? , ? 1= 0 Satisfies: ?? = ? Satisfies: ?? = ? ? or ? suffice no intrinsic shortcut Row of ? and constant columns of ?1 suffice for full recovery but stores some extra information for efficiency 5

  6. Information Set Decoding [Prange 62] BIKE Secret key ?,? ?2 Satisfies: ?? = ? and has ? entries equal to 1 (??/2 ?) (?,?) = 0?/2 ?/2 ?2 ?/2 ??/2 ? 0 = e s 6

  7. Information Set Decoding [Prange 62] BIKE Secret key ?,? ?2 Satisfies: ?? = ? and has ? entries equal to 1 ?/2 ?2 ?/2 ??/2 ? 0 = 0 0 0 0 0 0 0 0 0 0 0 0 ? 2 6

  8. Information Set Decoding [Prange 62] BIKE Secret key ?,? ?2 Satisfies: ?? = ? and has ? entries equal to 1 ?/2 ?2 ?/2 0 = ? 0 0 0 0 0 0 0 0 0 0 0 0 e 0 0 0 0 0 0 0 0 0 0 0 0 0 s ? 2 weight ? 6

  9. The Erasure Model 7

  10. The Error Model Secret key (?-bits) 1 0 1 1 0 0 1 1 0 0 0 1 1 0 0 1 1 1 1 0 0 1 1 1 1 0 1 0 0 1 0 0 1 1 1 01 1 0 1 1 1 0 Erased key 1 0 1 1 0 0 1 1 0 0 0 1 1 0 0 1 1 1 1 0 0 1 1 1 1 0 1 0 0 1 0 0 1 1 1 01 1 0 1 1 1 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? Erasure-probability: Pr[ ] = Pr[ ] = p 0 ? 1 ? 8

  11. Asymptotic Bounds Number of Erasures Setting first layer ? ?(?) ? 0 0 ?1 ? 0 ?2 ?3 ? ? 1=? ? ? , ? 1= linear / quadratic Rainbow 0 full key ? ? 2 ? 11 standard 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 systems due to key relations BIKE compact 0, 11, 14 NTRU (un) packed unpacked: 0 1 -1 -1 0 0 1 0 0 1 0 0 3? packed: 9

  12. Asymptotic - BIKE BIKE secret key satisfies n/2 known linear equations: As = e standard ? ? ? ? 1 0 ? 0 0 0 ? 0 0 0 0 ? 1 0 0 0 0 ? 0 0 0 ? 0 1 ? ? 0 0 0 0 ? ? ? ? 2 Less than n/2 : solve linear system ? ? 11 compact 1 0 1 ? 1 0 0 ? 0 ? 1 0 ? 0 ? 1 1 0 1 ? 0 1 0 1 ? 1 ? ? ? ? log ? ? 42, 46, 2, 6, 18, 22 1. Enumerate all ? 2. If less than ?/2 candidates ?/2 zeros known : solve linear system 10

  13. Practical Bounds Category I Parameters Setting 60-bit complexity linear / quadratic system Rainbow full key 0.81 standard 0.65 ISD (accelerated) BIKE compact 0.43 unpacked 0.30 lattice reduction NTRU packed 0.09 11

  14. The Error Model 12

  15. Leakage models Secret key 1 0 1 1 0 0 1 1 0 0 0 1 1 0 0 1 1 1 1 0 0 1 1 1 1 0 1 0 0 1 0 0 1 1 1 01 1 0 1 1 1 0 Erroneous Key 1 0 1 0 1 0 0 0 1 0 0 1 0 0 0 0 0 1 1 1 1 0 1 1 0 1 1 0 0 0 0 0 1 0 0 01 1 1 1 1 0 0 Error-probability: Pr[ ] = Pr[ ] = p 0 1 (symmetric) (asymmetric) 1 0 Pr[ ] =0.001, Pr[ ] = p 0 1 1 0 13

  16. Asymptotic Bounds Number of Errors Setting first layer log2? Rainbow full key log ? Information Set Decoding standard ? log ? ? log2? BIKE compact NTRU (un) packed log ? 14

  17. Asymptotic - BIKE standard 0 1 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 0 0 0 1 0 0 0 1 0 1 0 0 0 0 solve via ISD but sample zeros only from (and ) 0 0 compact 1 0 1 0 1 0 1 1 0 1 1 0 0 0 1 1 0 1 0 1 0 1 1 1 log ? ? 1. Enumerate small-weight errors list of candidates 2. but sample zeros only from non-candidates solve via ISD 15

  18. Practical Bounds 60-bit complexity sym Category I Parameters Setting asym ISD + quadratic system Rainbow full key 0.19 0.38 standard 0.12 0.15 ISD (accelerated) BIKE compact 0.06 0.24 unpacked lattice reduction / meet-in-the-middle 0.01 0.10 NTRU packed 0.01 0.02 16

  19. Conclusion Non-trivial polynomial time recovery Even higher practical bounds Comparable to non-post-quantum systems PQC does not per se enjoy leakage resistance 17

Related


Texas A&M University Alternative Transportation Bike Program Update

Texas A&M University Alternative Transportation Bike Program Update

suad_2
Velofix Mobile Bike Shop: Convenient Bike Services in Chicago

Velofix Mobile Bike Shop: Convenient Bike Services in Chicago

flin_dea
Overview of BIKE Key Exchange Protocol by Ray Perlner

Overview of BIKE Key Exchange Protocol by Ray Perlner

kato_mia
Enhancing Detroit Bike Share Program for Accessibility

Enhancing Detroit Bike Share Program for Accessibility

jar_hol
Nitrous Oxide Occupational Exposure Guidelines and Monitoring

Nitrous Oxide Occupational Exposure Guidelines and Monitoring

briella
Understanding Network Security Vulnerabilities and Attacks

Understanding Network Security Vulnerabilities and Attacks

leyo_5
Types Cyber Attacks: Cyber Security Training Workshop

Types Cyber Attacks: Cyber Security Training Workshop

anara
Rainbow Signatures Overview and New Attacks

Rainbow Signatures Overview and New Attacks

yser703
Introduction to Partial Budgeting in Farm Management

Introduction to Partial Budgeting in Farm Management

beaumont
Bicycle Safety and Preventative Measures for Reducing Injuries

Bicycle Safety and Preventative Measures for Reducing Injuries

mell_4
The Bike: An Emotional Journey of Annie

The Bike: An Emotional Journey of Annie

minahil
G-BIKE: Building Capacities in Agribusiness at Bogor Agricultural University

G-BIKE: Building Capacities in Agribusiness at Bogor Agricultural University

brot_i
Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses

Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses

jmora
Understanding Network Denial of Service (DoS) Attacks

Understanding Network Denial of Service (DoS) Attacks

zahra
Analyzing Improved Cryptanalysis of UOV and Rainbow Signature Algorithms

Analyzing Improved Cryptanalysis of UOV and Rainbow Signature Algorithms

bstev
PACT ACT of 2022: Addressing Comprehensive Toxics Exposure for Veterans

PACT ACT of 2022: Addressing Comprehensive Toxics Exposure for Veterans

mai_kin
Understanding Economic Exposure in International Finance

Understanding Economic Exposure in International Finance

yazl_230
Managing Covid-19 Cyber and Data Protection Risks

Managing Covid-19 Cyber and Data Protection Risks

kaisen
Understanding Denial-of-Service Attacks and Defense Strategies

Understanding Denial-of-Service Attacks and Defense Strategies

delphi
Automated Signature Extraction for High Volume Attacks in Cybersecurity

Automated Signature Extraction for High Volume Attacks in Cybersecurity

klos_k
Preventing Active Timing Attacks in Low-Latency Anonymous Communication

Preventing Active Timing Attacks in Low-Latency Anonymous Communication

kmike
Strategies to Protect School Systems from Cyber Attacks

Strategies to Protect School Systems from Cyber Attacks

alins
Mitigation of DMA-based Rowhammer Attacks on ARM

Mitigation of DMA-based Rowhammer Attacks on ARM

baylee
Nurturing Positive Emotions with Rainbow Moments

Nurturing Positive Emotions with Rainbow Moments

adelisa

More Related Content