Abstract
Current widely-used key exchange (KE) mechanisms will be vulnerable to quantum attacks when sufficiently strong quantum computers become available. Therefore, devising quantum-resistant replacements that combine efficiency with solid security guarantees is an important and challenging task. This paper proposes several contributions towards this goal. First, we introduce “CAKE”, a key encapsulation algorithm based on the QC-MDPC McEliece encryption scheme, with two major improvements: (a) the use of ephemeral keys that defeats a recent reaction attack against MDPC decoding of the corresponding encryption scheme and (b) a highly efficient key generation procedure for QC-MDPC-based cryptosystems. Then, we present an authenticated key exchange protocol based on CAKE, which is suitable for the Internet Key Exchange (IKE) standard. We prove that CAKE is IND-CPA secure, that the protocol is SK-Secure, and suggest practical parameters. Compared to other post-quantum schemes, we believe that CAKE is a promising candidate for post-quantum key exchange standardization.
Notes
1. This security notion was originally introduced in [12]. The main difference between [12] and [13] is that in the former there was an implicit requirement that the identities of the parties must be known to each other beforehand, while the latter attains a more realistic (internet-oriented) scenario where the identities of the parties are not initially known and only become known as the protocol run evolves (this model is called the “post-specified peer model” and is the one used in our proposal).
References
1. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. Cryptology ePrint Archive, Report 2015/1092 (2015). http://eprint.iacr.org/2015/1092
2. Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In: Ostrovsky, R., de Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 246–262. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85855-3_17
3. Baldi, M., Chiaraluce, F.: Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes. In: Proceedings of the IEEE International Symposium on Information Theory (ISIT 2007), pp. 2591–2595, June 2007
4. Baldi, M., Chiaraluce, F., Garello, R.: On the usage of quasi-cyclic low-density parity-check codes in the McEliece cryptosystem. In: Proceedings of the First International Conference on Communication and Electronics (ICEE 2006), pp. 305–310, October 2006
5. Baldi, M., Chiaraluce, F., Garello, R., Mininni, F.: Quasi-cyclic low-density parity-check codes in the McEliece cryptosystem. In: Proceedings of the IEEE International Conference on Communications (ICC 2007), pp. 951–956, June 2007
6. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31
7. Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978)
8. Bernstein, D.J.: Grover vs. McEliece, pp. 73–80. Springer, Berlin (2010)
9. Bernstein, D.J., Chou, T., Schwabe, P.: McBits: fast constant-time code-based cryptography. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 250–272. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_15
10. Bos, J., Costello, C., Ducas, L., Mironov, I., Naehrig, M., Nikolaenko, V., Raghunathan, A., Stebila, D.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. Cryptology ePrint Archive, Report 2016/659 (2016). http://eprint.iacr.org/2016/659
11. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: Proceedings of the 2015 IEEE Symposium on Security and Privacy (SP), pp. 553–570. IEEE (2015)
12. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
13. Canetti, R., Krawczyk, H.: Security analysis of IKE’s signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442. Springer, Heidelberg (2002)
14. Cayrel, P.-L., Hoffmann, G., Persichetti, E.: Efficient implementation of a CCA2-secure variant of McEliece using generalized Srivastava codes. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 138–155. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_9
15. Chaulet, J., Sendrier, N.: Worst case QC-MDPC decoder for McEliece cryptosystem. In: Proceedings of the 2016 IEEE International Symposium on Information Theory (ISIT), pp. 1366–1370. IEEE (2016)
16. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_21
17. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2004)
18. Faugère, J.-C., Gauthier-Umaña, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high-rate McEliece cryptosystems. IEEE Trans. Inf. Theory 59(10), 6830–6844 (2013)
19. Fluhrer, S.: Cryptanalysis of ring-LWE based key exchange with key share reuse. Cryptology ePrint Archive, Report 2016/085 (2016). http://eprint.iacr.org/2016/085
20. Gaborit, P.: Shorter keys for code based cryptography. In: International Workshop on Coding and Cryptography (WCC 2005), pp. 81–91. ACM Press, Bergen (2005)
21. Gallager, R.G.: Low-density parity-check codes. Ph.D. thesis, M.I.T. (1963)
22. Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_29
23. Hamdaoui, Y., Sendrier, N.: A non asymptotic analysis of information set decoding. Cryptology ePrint Archive, Report 2013/162 (2013). http://eprint.iacr.org/2013/162
24. Harkins, D., Carrel, D.: RFC 2409: The Internet Key Exchange (IKE). Status: Proposed Standard (1998)
25. Heyse, S., von Maurich, I., Güneysu, T.: Smaller keys for code-based cryptography: QC-MDPC McEliece implementations on embedded devices. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 273–292. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_16
26. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
27. Kachigar, G., Tillich, J.-P.: Quantum information set decoding algorithms. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 69–89. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_5
28. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12
29. Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24
30. Lange, T.: Initial recommendations of long-term secure post-quantum systems. PQCRYPTO EU Horizon 2020 project (2015)
31. Löndahl, C., Johansson, T., Koochak Shooshtari, M., Ahmadian-Attari, M., Aref, M.R.: Squaring attacks on McEliece public-key cryptosystems using quasi-cyclic codes of even dimension. Des. Codes Cryptogr. 80(2), 359–377 (2016)
32. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
33. von Maurich, I., Oder, T., Güneysu, T.: Implementing QC-MDPC McEliece encryption. ACM Trans. Embed. Comput. Syst. 14(3), 44:1–44:27 (2015)
34. May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9
35. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Netw. Prog. Rep. 44, 114–116 (1978)
36. Micciancio, D.: Improving lattice based cryptosystems using the Hermite normal form. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 126–145. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_11
37. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31
38. Misoczki, R., Barreto, P.S.L.M.: Compact McEliece keys from Goppa codes. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 376–392. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_24
39. Misoczki, R., Tillich, J.-P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: Proceedings of the IEEE International Symposium on Information Theory - ISIT 2013, Istanbul, Turkey, pp. 2069–2073. IEEE (2013)
40. Monico, C., Rosenthal, J., Shokrollahi, A.: Using low density parity check codes in the McEliece cryptosystem. In: Proceedings of the IEEE International Symposium on Information Theory (ISIT 2000), Sorrento, Italy, p. 215. IEEE (2000)
41. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12
42. Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016)
43. Persichetti, E.: Compact McEliece keys based on quasi-dyadic Srivastava codes. J. Math. Cryptol. 6(2), 149–169 (2012)
44. Persichetti, E.: Secure and anonymous hybrid encryption from coding theory. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 174–187. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_12
45. Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8, S5–S9 (1962)
46. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)
47. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
48. Sendrier, N.: Decoding one out of many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_4
49. Seo, K., Kent, S.: RFC 4301: Security architecture for the Internet Protocol. Status: Proposed Standard (2005)
50. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
51. Canto Torres, R., Sendrier, N.: Analysis of information set decoding for a sub-linear error weight. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 144–161. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_10
52. von Maurich, I., Güneysu, T.: Lightweight code-based cryptography: QC-MDPC McEliece encryption on reconfigurable devices. In: Proceedings of the Conference on Design, Automation and Test in Europe (DATE 2014), p. 38. European Design and Automation Association (2014)
53. von Maurich, I., Güneysu, T.: Towards side-channel resistant implementations of QC-MDPC McEliece encryption on constrained devices. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 266–282. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_16
Acknowledgments
Shay Gueron, Tim Güneysu, Nicolas Sendrier and Jean-Pierre Tillich were supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 645622 (PQCRYPTO). Shay Gueron was also partially supported by the Israel Science Foundation (grant No. 1018/16). Paulo S. L. M. Barreto was partially supported by Intel and FAPESP through the project “Efficient Post-Quantum Cryptography for Building Advanced Security Applications” (grant No. 2015/50520-6).
Appendix
A Efficiently Sampling Invertible Elements from \(\mathbb {F}_2[x]/\langle x^r - 1 \rangle \)
In this section, we prove that one can efficiently sample an invertible element from \(\mathbb {F}_2[x]/\langle x^r - 1 \rangle \) by taking any polynomial h whose weight \(\mathsf {wt}(h)\) is odd.
Lemma 1
Let \(h \in \mathbb {F}_2[x]\) have even weight. Then h is not invertible modulo \(x^r - 1\).
Proof
We show that \((x - 1) \mid h\) by induction on \(\mathsf {wt}(h)\). For \(\mathsf {wt}(h) = 0\) trivially \((x - 1) \mid h\). Assume that \((x - 1) \mid h\) whenever \(\mathsf {wt}(h) = 2k\) for some \(k \geqslant 0\). Now consider any \(h \in \mathbb {F}_2[x]\) with weight \(\mathsf {wt}(h) = 2(k+1)\), and take two distinct terms \(x^i\), \(x^j\) of h such that \(i < j\). Define \(h' = h - x^i - x^j\), so that \(\mathsf {wt}(h') = 2k\). Then \((x - 1) \mid h'\) by induction, i.e. \(h' = (x - 1)h''\) for some \(h'' \in \mathbb {F}_2[x]\). Hence \(h = h' + x^i + x^j = (x - 1)h'' + x^i(x^{j - i} + 1) = (x - 1)h'' + x^i(x - 1)(x^{j - i - 1} + \dots + 1) = (x - 1)(h'' + x^i(x^{j - i - 1} + \dots + 1))\), and therefore \((x - 1) \mid h\). \(\square \)
Theorem 2
Let r be a prime such that \((x^r - 1)/(x - 1) \in \mathbb {F}_2[x]\) is irreducible. Then any \(h \in \mathbb {F}_2[x]\) with \(\deg (h) < r\) is invertible modulo \(x^r - 1\) iff \(h \ne x^{r - 1} + \dots + 1\) and \(\mathsf {wt}(h)\) is odd.
Proof
Take a term \(x^i\) of h. Then \(\mathsf {wt}(h + x^i) = \mathsf {wt}(h) - 1\) is even, and by Lemma 1 \((x - 1) \mid (h + x^i)\). Hence \(h \bmod (x - 1) = x^i \bmod (x - 1) = 1\), meaning that h is invertible modulo \(x - 1\).
Now, because \((x^r - 1)/(x - 1) = x^{r - 1} + \dots + 1\) is irreducible, if \(\deg (h) < r - 1\) then \(\gcd (h, x^{r - 1} + \dots + 1) = 1\), and if \(\deg (h) = r - 1\), then \(\gcd (h, x^{r - 1} + \dots + 1) = \gcd (h + x^{r - 1} + \dots + 1, x^{r - 1} + \dots + 1) = 1\), since \(\deg (h + x^{r - 1} + \dots + 1) < r - 1\). Hence h is invertible modulo \(x^{r - 1} + \dots + 1\).
Therefore, the combination of the inverses of h modulo \(x - 1\) and modulo \(x^{r - 1} + \dots + 1\) via the Chinese remainder theorem is well defined, and by construction it is the inverse of h modulo \((x - 1)(x^{r - 1} + \dots + 1) = x^r - 1\). \(\square \)
Corollary 1
Under the hypotheses of Theorem 2, one can efficiently sample an invertible element from \({\mathbb {F}_2[x]/\langle x^r - 1 \rangle }\) by taking any polynomial h such that \(\mathsf {wt}(h)\) is odd (and \(h \ne x^{r - 1} + \dots + 1\)); no gcd or inversion is needed to test the candidate. \(\square \)
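The following worked example is added here and is not code from the CAKE paper; it illustrates Lemma 1, Theorem 2 and Corollary 1 above with explicit arithmetic in \(\mathbb {F}_2[x]\). Polynomials are represented as Python integers (bit i is the coefficient of \(x^i\)), so \(x^r - 1 = x^r + 1\) is `(1 << r) | 1` and \(x^{r-1} + \dots + 1\) is `(1 << r) - 1`. All function names (`poly_inverse`, `theorem2_holds`, `odd_weight_counterexample`, `sample_invertible`, ...) are this example's own choices. It checks the theorem exhaustively for a small r that satisfies its hypothesis (r = 11, where \((x^{11}-1)/(x-1)\) is irreducible over \(\mathbb {F}_2\)) and also shows why the hypothesis matters: for r = 7 the polynomial \(x^6 + \dots + 1\) is reducible, and an odd-weight polynomial can fail to be invertible.

```python
import random

# Added worked example, not code from the CAKE paper. Polynomials over F_2 are
# Python ints: bit i of the int is the coefficient of x^i.

def poly_deg(a):
    """Degree of a; the zero polynomial gets degree -1."""
    return a.bit_length() - 1

def poly_mul(a, b):
    """Carry-less (XOR) multiplication in F_2[x]."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a <<= 1
        b >>= 1
    return acc

def poly_divmod(a, m):
    """Long division in F_2[x]: (quotient, remainder) of a by m, m != 0."""
    q, dm = 0, poly_deg(m)
    while a and poly_deg(a) >= dm:
        shift = poly_deg(a) - dm
        q ^= 1 << shift
        a ^= m << shift
    return q, a

def poly_mod(a, m):
    return poly_divmod(a, m)[1]

def poly_gcd(a, b):
    while b:
        a, b = b, poly_mod(a, b)
    return a

def poly_inverse(h, m):
    """Extended Euclid: h^{-1} mod m, or None when gcd(h, m) != 1.
    Invariant kept: r_i == s_i * h (mod m) for the two latest remainders."""
    r0, r1 = m, poly_mod(h, m)
    s0, s1 = 0, 1
    while r1:
        q, rem = poly_divmod(r0, r1)
        r0, r1 = r1, rem
        s0, s1 = s1, poly_mod(s0 ^ poly_mul(q, s1), m)
    return poly_mod(s0, m) if r0 == 1 else None

def weight(h):
    """Hamming weight wt(h): number of non-zero coefficients."""
    return bin(h).count("1")

def is_irreducible(f):
    """Trial division by every polynomial of degree 1 .. deg(f)/2 (fine for small r)."""
    half = poly_deg(f) // 2
    return all(poly_mod(f, g) != 0 for g in range(2, 1 << (half + 1)))

def odd_weight_counterexample(r):
    """Smallest odd-weight h != x^{r-1}+...+1 (deg h < r) that is NOT invertible
    modulo x^r - 1, or None if odd weight really does guarantee invertibility."""
    modulus, all_ones = (1 << r) | 1, (1 << r) - 1
    for h in range(1 << r):
        if weight(h) % 2 == 1 and h != all_ones and poly_gcd(h, modulus) != 1:
            return h
    return None

def theorem2_holds(r):
    """Exhaustively check both directions of Theorem 2 for a small r meeting its
    hypothesis, and confirm every computed inverse satisfies h * inv == 1 mod x^r - 1."""
    modulus, all_ones = (1 << r) | 1, (1 << r) - 1
    if not is_irreducible(all_ones):
        raise ValueError("(x^r - 1)/(x - 1) is reducible: Theorem 2 does not apply")
    for h in range(1 << r):
        predicted = weight(h) % 2 == 1 and h != all_ones   # Theorem 2's criterion
        inv = poly_inverse(h, modulus)
        if predicted != (inv is not None):
            return False
        if inv is not None and poly_mod(poly_mul(h, inv), modulus) != 1:
            return False
    return True

def sample_invertible(r, rng=random):
    """Corollary 1 as a sampler: redraw until wt(h) is odd (and h is not the
    all-ones polynomial, which Theorem 2 excludes). No gcd computation needed."""
    all_ones = (1 << r) - 1
    while True:
        h = rng.getrandbits(r)
        if weight(h) % 2 == 1 and h != all_ones:
            return h

if __name__ == "__main__":
    print("Theorem 2 verified for r = 11:", theorem2_holds(11))
    # r = 7: x^6 + ... + 1 = (x^3 + x + 1)(x^3 + x^2 + 1), so odd weight is not enough.
    print("odd-weight non-invertible h for r = 7:", bin(odd_weight_counterexample(7)))
    h = sample_invertible(11, random.Random(2017))   # constructed seed for reproducibility
    print("sampled h =", bin(h), "has inverse:", poly_inverse(h, (1 << 11) | 1) is not None)
```

The check `poly_mod(h, 0b11) == 0` for even-weight h is exactly Lemma 1 (reduction modulo \(x - 1\) evaluates h at 1, i.e. computes the weight parity), and `odd_weight_counterexample(7)` returns \(x^3 + x + 1\), which shows that the irreducibility hypothesis on \((x^r - 1)/(x - 1)\) cannot be dropped. For CAKE-sized r the exhaustive check is of course infeasible; the point of the corollary is that the sampler only ever needs the weight test.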
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Barreto, P.S.L.M. et al. (2017). CAKE: Code-Based Algorithm for Key Encapsulation. In: O'Neill, M. (ed.) Cryptography and Coding. IMACC 2017. Lecture Notes in Computer Science, vol. 10655. Springer, Cham. https://doi.org/10.1007/978-3-319-71045-7_11
DOI: https://doi.org/10.1007/978-3-319-71045-7_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71044-0
Online ISBN: 978-3-319-71045-7