A toolbox for software optimization of QC-MDPC code-based cryptosystems

Abstract

The anticipated emergence of quantum computers in the foreseeable future drives the cryptographic community to start considering cryptosystems, which are based on problems that remain intractable even with large-scale quantum computers. One example is the family of code-based cryptosystems that relies on the syndrome decoding problem. Recent work by Misoczki et al. (in: 2013 IEEE international symposium on information theory, pp 2069–2073, 2013. https://doi.org/10.1109/ISIT.2013.6620590) showed a variant of McEliece encryption which is based on quasi cyclic moderate density parity check (QC-MDPC) codes and has significantly smaller keys than the original McEliece encryption. It was followed by the newly proposed QC-MDPC-based cryptosystems CAKE (Barreto et al. in: IMA international conference on cryptography and coding, Springer, Berlin, pp 207–226, 2017) and Ouroboros (Deneuville et al. in Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory, Springer, Cham, pp 18–34, 2017. https://doi.org/10.1007/978-3-319-59879-6_2). These motivate dedicated new software optimizations. This paper lists the cryptographic primitives that QC-MDPC cryptosystems commonly employ, studies their software optimizations on modern processors, and reports the achieved speedups. It also assesses methods for side channel protection of the implementations and their performance costs. These optimized primitives offer a useful toolbox that can be used, in various ways, by designers and implementers of QC-MDPC cryptosystems. Indeed, we applied our methods to generate a platform-specific additional implementation of “BIKE”—a QC-MDPC key encapsulation mechanism (KEM) proposal submitted to the NIST Post-Quantum Project (NIST:Post-Quantum Cryptography—call for proposals, https://csrc.nist.gov/Projects/Post-Quantum-Cryptography, 2017). This gave a \(5\times \) speedup compared to the reference implementation.

Appendices

A AES-CTR-PRF

The statefull algorithm has a state \({\textsf {s}}\) with the following fields: buffer(16 bytes), pos(1 bytes), remInvokations(4 bytes), seed(32 bytes), \({\textsf {j}}\) such that \(0 \le {\textsf {j}}\le 2^{128} - 1\). The cipher is invoked over plaintext blocks of the form \({\textsf {ctr}}={\textsf {encode128({\textsf {s}}.{\textsf {j}})}}\), for the \({\textsf {j}}\mathrm{th}\) invocation. Initialization is done by calling AES-CTR-PRF-Init (Alg. 9), with input \({\textsf {seed}}\) and a maximal number of \({\textsf {AES256}}\) invocations (\({\textsf {maxInvokation}}\)) before reseeding. AES-CTR-PRF-Init initializes s.pos  to point to the end of s.buffer, and s.j to 0. An exception flag \({\textsf {SeedOverUseError}}\) is raised when the algorithm reaches \({\textsf {maxInvokation}}\).

B \({\text {GenPseudoRand}}\) example

Running Alg. 1 to populate a string \({\textsf {A}}\) of \({\textsf {len}}=17\times 8+5=141\) bits, embedded in \({\overline{\textsf {{\textsf {A}}}}}[18:0]\), with pseudorandom values that stem from using an initialized AES-CTR-PRF with the input seed \({\textsf {seed}}= {\textsf {encode128(0)}} || {\textsf {encode128(0)}}\).

C \({{\textsf {ParallelizedHash}}_{{\textsf {8}}, {\textsf {111}}}^{{\textsf {SHA384}}}}\) example

\({{\textsf {ParallelizedHash}}_{{\textsf {8}}, {\textsf {111}}}^{{\textsf {SHA384}}}}\) of the array of \({\textsf {la}}= 2,000\) byte \({\textsf {array}}[j] = j \pmod {255}\), \(j=0, \ldots , {\textsf {la}}-1\).

D Estimating the DFR

To estimate the DFR from N experiments that show \(n_{fail}\) decoding failures, with a \(95\%\) confidence interval, we use the following methodology.

If \(n_{fail}= 0\), we use the “Rule of Three” [32] that places the DFR in the interval [0, 3 / N], which implies the upper bound DFR \(\le 3/N\). Let \({\hat{p}} = \frac{n_{fail}}{N}\) denote the maximum-likelihood estimator for the DFR, and let \(X\sim {}Bin(N,\)DFR) denote the distribution of the failures. This is well approximated by the Poisson distribution \(X\sim {}Poiss(N \times \)DFR), for sufficiently large N. If \({\hat{p}} < 20\), we use the \(\chi ^2\) distribution as an approximation of the related Poisson distribution \(X\sim {}Poiss(N \times \)DFR), getting the confidence interval \(\frac{1}{2N} \times [\chi ^2_{2(n_{fail}+1), 1-\alpha /2}, \chi ^2_{2n_{fail}, \alpha /2}]\). With \(\alpha =0.05\), this gives the upper bound DFR \(\le \frac{1}{2N} \times \chi ^2_{2n_{fail}, 0.025}\). In case \({\hat{p}} \ge 20\), the Poisson distribution can be approximated by the Gaussian distribution, giving DFR \(\le {\hat{p}} + {\mathbb {Z}}_{\alpha } \times \sqrt{{\hat{p}}(1-{\hat{p}}) / N}\).