
Development and Evaluation of a Code-based Cryptography Library for Constrained Devices

Hans Christoph Hudde
Master's Thesis. February 7, 2013.
Chair for Embedded Security (EMSEC), Prof. Dr.-Ing. Christof Paar
Advisor: Dipl.-Ing. Stefan Heyse

Abstract

Code-based cryptography is a promising candidate for the diversification of today's public-key cryptosystems, most of which rely on the hardness of either the Factorization or the Discrete Logarithm problem. Both are known to be breakable using an efficient quantum algorithm due to Peter Shor. In contrast, Code-based cryptography is based on the problem of decoding unknown error-correcting codes, which is known to be NP-hard.

There exist two basic schemes based on Code-based cryptography, which are named after their inventors Robert McEliece and Harald Niederreiter. Both share the problem of requiring huge key lengths compared to conventional cryptosystems such as RSA, which makes their implementation on embedded devices with very limited resources challenging.

In this thesis, we present an implementation of modern variants of both schemes for AVR microcontrollers and evaluate several different methods of syndrome computation, decoding and root extraction. The implementation includes an adaptation of the Berlekamp-Massey-Sugiyama algorithm to binary codes achieving the same level of error correction as the Patterson algorithm. Moreover, we implemented two conversions that turn the McEliece and Niederreiter schemes into CCA2-secure cryptosystems.

Our implementation is able to provide a security level of up to 128 bits on an ATxmega256 and hence is capable of fulfilling real-world security requirements. Moreover, the implementation outperforms comparable implementations of RSA and ECC in terms of data throughput and achieves a higher performance than previous implementations of the McEliece and Niederreiter cryptosystems. An optimal balance between memory usage and performance for specific use cases can be achieved using the flexible configuration by choosing the most suitable combination of precomputations, lookup tables or on-the-fly computations.

We demonstrate the feasibility of implementing a high-performance Code-based cryptography library on a low-cost 8-bit microcontroller and provide evidence that McEliece and Niederreiter can evolve into a fully adequate replacement for traditional cryptosystems.

Declaration

I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which to a substantial extent has been accepted for the award of any other degree or diploma of the university or other institute of higher learning, except where due acknowledgment has been made in the text.

Declaration (German original)

I hereby affirm that I have written this thesis independently and have used no sources or aids other than those specified, that all passages of the thesis taken verbatim or in substance from other sources have been marked as such, and that the thesis has not been submitted in the same or a similar form to any other examination authority.

Hans Christoph Hudde

Contents

1 Introduction .... 1
  1.1 Motivation .... 1
  1.2 Existing implementations .... 3
  1.3 Contribution .... 4
  1.4 Outline .... 5
2 Code-based cryptography .... 7
  2.1 Overview .... 7
  2.2 Security parameters .... 8
  2.3 Classical McEliece cryptosystem .... 9
    2.3.1 Key generation .... 9
    2.3.2 Encryption .... 10
    2.3.3 Decryption .... 10
  2.4 Modern McEliece cryptosystem .... 11
    2.4.1 Key generation .... 12
    2.4.2 Encryption .... 12
    2.4.3 Decryption .... 13
  2.5 Niederreiter cryptosystem .... 13
    2.5.1 Key generation .... 14
    2.5.2 Encryption .... 15
    2.5.3 Decryption .... 15
  2.6 Security .... 15
    2.6.1 Overview .... 16
    2.6.2 Attacks .... 16
    2.6.3 Ciphertext indistinguishability .... 19
  2.7 Key length .... 20
3 Coding theory .... 21
  3.1 Preliminaries .... 21
  3.2 Linear block codes .... 22
    3.2.1 Basic definitions .... 23
    3.2.2 Important code classes .... 24
  3.3 Construction of Goppa codes .... 26
    3.3.1 Binary Goppa codes .... 26
    3.3.2 Parity Check Matrix of Goppa Codes .... 27
  3.4 Decoding algorithms .... 28
    3.4.1 Key equation .... 28
    3.4.2 Syndrome computation .... 29
    3.4.3 Berlekamp-Massey-Sugiyama .... 29
      3.4.3.1 General usage .... 29
      3.4.3.2 Decoding binary Goppa Codes .... 31
    3.4.4 Patterson .... 32
  3.5 Extracting roots of the error locator polynomial .... 33
    3.5.1 Brute force search using the Horner scheme .... 34
    3.5.2 Brute force search using Chien search .... 35
    3.5.3 Berlekamp-Trace algorithm and Zinoviev procedures .... 35
  3.6 Message recovery .... 36
4 Implementation .... 39
  4.1 Memory management on AVR .... 40
  4.2 Design criteria .... 40
  4.3 Fast finite field arithmetics .... 41
    4.3.1 Field element representations .... 41
    4.3.2 Avoiding duplicate conversions (The FASTFIELD switch) .... 43
  4.4 Key management .... 43
    4.4.1 Matrix data type .... 43
    4.4.2 Key matrices .... 44
    4.4.3 Key generation .... 45
  4.5 Encryption .... 47
    4.5.1 Encoding .... 47
    4.5.2 Multiplication .... 47
    4.5.3 Error addition .... 49
  4.6 Decryption .... 50
    4.6.1 Syndrome computation .... 50
      4.6.1.1 McEliece: syndrome computation variants .... 51
      4.6.1.2 Niederreiter: Constructing a syndrome of double length .... 53
    4.6.2 Patterson implementation .... 54
    4.6.3 Berlekamp-Massey implementation .... 55
    4.6.4 Root extraction using Berlekamp-Trace .... 55
  4.7 Constant weight encoding .... 56
  4.8 CCA2-secure conversions .... 59
    4.8.1 Kobara-Imai-Gamma conversion .... 60
    4.8.2 Fujisaki-Okamoto conversion .... 61
5 Evaluation .... 67
  5.1 Memory usage .... 67
    5.1.1 Key size .... 67
    5.1.2 Message-related memory .... 68
    5.1.3 Precomputations .... 69
    5.1.4 Program code size .... 70
  5.2 Performance .... 71
    5.2.1 Overview .... 71
    5.2.2 80-/128-bit security and the Kobara-Imai-γ conversion .... 74
    5.2.3 Fujisaki-Okamoto conversion .... 76
    5.2.4 Syndrome computation variants .... 77
    5.2.5 Berlekamp-Massey vs. Patterson .... 80
    5.2.6 Root extraction .... 81
    5.2.7 Constant weight encoding .... 82
    5.2.8 Optimal configuration .... 83
    5.2.9 Comparison with other implementations of Code-based and traditional cryptosystems .... 83
6 Conclusion .... 87
  6.1 Summary .... 87
  6.2 Future Work .... 88
A Acronyms .... 91
B Appendix .... 93
  B.1 Listings .... 93
    B.1.1 Listing primitive polynomials for the construction of Finite fields .... 93
    B.1.2 Computing a normal basis of a Finite Field using SAGE .... 93
  B.2 Definitions .... 94
    B.2.1 Hamming weight and Hamming distance .... 94
    B.2.2 Minimum distance of a codeword .... 94
    B.2.3 One-way functions .... 94
    B.2.4 Cryptographic Hash functions .... 95
    B.2.5 One-time pad .... 95
List of Figures .... 97
List of Tables .... 99
List of Algorithms .... 100
Bibliography .... 103

1 Introduction

Two years after the first publication of an asymmetric cryptosystem — the Diffie-Hellman key exchange in 1976 — Robert McEliece developed an asymmetric cryptosystem based on error-correcting codes. Mainly due to its very long key size, McEliece's proposal was neglected until the recent rise of interest in Post-Quantum cryptography.

This chapter introduces the reader to the background and objectives of this thesis. Section 1.1 motivates the need for Post-Quantum cryptography in general and the development of a Code-based cryptography library for constrained devices in particular. Section 1.2 gives an overview of already existing implementations of Code-based cryptosystems. Section 1.3 defines the goals of this thesis and points out the contributions of this work to the research process. Finally, an outline of the thesis is given in Section 1.4.

1.1 Motivation

Impact of quantum computers on public-key cryptography

Public-key cryptography is an integral part of today's digital communication. For example, it enables two or more parties to communicate confidentially without having a previously shared secret key. All popular public-key cryptosystems rely on the assumption that there is no efficient solution for the Integer Factorization problem or the Discrete Logarithm problem. According to Canteaut and Chabaud [CC95], public-key cryptography has become "dangerously dependent" on the difficulty of these two problems.

Unfortunately, both problems are known to be solvable in polynomial time on quantum computers using Shor's algorithm [Sho94]. Hence, a sufficiently