So the next talk is called "Smaller Decoding Exponents: Ball-Collision Decoding," by Dan Bernstein, Tanja Lange, and Christiane Peters, and Dan will be the speaker.

Testing, one two three. Leakage, leakage, leakage. Okay, all right. It's getting very near the end, so I think it's time to relax a bit and look at the big picture.

There are a lot of users who have performance problems. Well, other problems too, but users in particular have cryptographic performance problems. And so they ask questions like: what's the fastest public-key encryption system? I'm trying to run a web server on my cell phone, and it has to be secure; what should I do? Well, cryptographers have answers to these questions, like: let's give them RSA-1024, that's pretty fast. And actually we have even faster public-key encryption systems, like RSA-512 or RSA-256; we can make really, really fast public-key encryption systems. But okay, that's not a meaningful question, because at some point the user says: wait, I actually want some security here. Users are going to vary in their idea of what security level they want, so I'll just leave that as a variable: the user wants security 2^b, and then asks, for whatever b they have in mind, what is the fastest public-key encryption system?

Well, you still have to do some definitions to make this question meaningful. For instance, security level 2^b: does that mean that every attack costs at least 2^b? No, of course not; you can have attacks that cost a lot less and don't work very often. Okay, should you just count attacks with success probability one? Well, no, that's saying your attack has to work all the time; you also want to consider attacks which only occasionally work, say 1% of the time. And so you start making the definition more complicated, and eventually you end up with something which is kind of meaningful for the users.
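One standard way to pin down that cost-versus-success-probability tradeoff (this formalization is my gloss on the talk, not something stated on the slides) is to charge each attack its cost divided by its success probability, so that rare-but-cheap attacks are covered too:

```latex
% Hedged formalization of "security level 2^b" (my gloss, not the talk's):
% every attack A, even one that succeeds only occasionally, must be
% unprofitable after rescaling by its success probability.
\[
  \text{security level } 2^b
  \quad\Longleftrightarrow\quad
  \forall A:\ \frac{\mathrm{cost}(A)}{\Pr[A\ \text{succeeds}]} \;\ge\; 2^b .
\]
```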
But then you have to do some real work. You have to say: okay, there are all these encryption systems out there, and now which ones are the fastest with security level at least 2^b? Maybe you first look at the security, spend years and years figuring out what the most secure systems are, and for each system you then know: okay, the best attacks we have take more than 2^b time. And then, out of all those systems, what are the fastest ones? These are algorithm-design questions which occupy thousands and thousands of papers; these cryptanalytic and cryptographic algorithms are one of the core activities in cryptography.

For instance, for RSA there are all these papers on integer factorization and other attacks against RSA, but if you use RSA sensibly, then the best attacks we know are integer factorization. There's some complicated formula for how fast the number field sieve is, which is the fastest integer-factorization algorithm: it's 2 to the cube root of log n. Well, maybe not exactly the cube root; it's some power of log n that converges to one third as n goes to infinity, so roughly 2^((log n)^(1/3 + o(1))). If you want to know how hard this is for a particular value of n, you have to do a much more detailed analysis, but this is the asymptotic. And once you know this, if you want it to be at least 2^b, that means the cube root of log n has to be at least b, so log n should be like b^3; you figure out exactly what it should be by looking in more detail, if you want a particular b. Once you know that log n, the number of bits in your RSA modulus n, is b^3, then you look at how fast the encryption algorithms are. There are lots and lots of papers on that too, and asymptotically it's essentially linear in log n, which means that at the end of the day RSA encryption costs b^3 bit operations.

Okay, that's not the best that we have. For instance, elliptic-curve cryptography is certainly faster. Again, you have to use sensible elliptic-curve cryptography: throw away all the low-security variants that people have explored and say, okay, we want a conservative system. The best elliptic curves that we have appear to be breakable in, at best, time something like the square root of q, where q is the field size, or, to use the same exponential notation, 2^((1/2) log q). If you want (1/2) log q to be at least b, where b is your security level, then log q should be linear in b. On the other hand, encryption in elliptic-curve cryptography is quite a bit slower compared to the size, the number of bits log q: it's quadratic in log q to do the scalar multiplication for elliptic-curve encryption. So at the end of the day, elliptic-curve cryptography costs the square of this log q, where log q is linear in b; elliptic-curve cryptography costs b^2, which is a lot better than b^3. This asymptotic analysis tells you that once b is sufficiently large, elliptic-curve cryptography is much, much faster than RSA. And it has other advantages, like the decryption also being very, very fast. But maybe there's something better.

Another conservative system that's been studied a lot and been around for a while is the McEliece code-based system. Again, there are all sorts of ways you can vary this system which can get you in trouble, just like for elliptic-curve cryptography and RSA, but if you take conservative choices that have been around for a long time and studied a lot, then the best attacks we have against this system take time, in terms of the code length n, 2^(c · n/log n) for some constant c. If you want that to be at least 2^b, that tells you n should be some constant times b log b. Then you look at how fast the encryption operation is: it's some very easy matrix multiplication, which takes time n^2, along with some padding which also fits in time n^2. So McEliece, at first glance, is very, very similar to elliptic-curve cryptography in speed: it takes time n^2, where n is like b log b. And since we haven't figured out the o(1) terms, at this level of detail you actually can't tell which of these is asymptotically faster.

But hey, let's look in a little more detail, and here's what you see. Elliptic-curve cryptography: if you're doing a scalar multiplication over F_q, you need something like log q elliptic-curve operations, which turn into some constant times log q field operations, each of which costs something like log q · log log q · log log log q (I sound like an analytic number theorist here) bit operations. So the total time, with log q being b times some constant, is b^2 · log b · log log b. McEliece: if you use standard speedups, then in terms of this code length n, you end up doing n/log n additions of n-bit vectors, that is, n/log n times n exclusive-ors, where n was b log b, as I said before. So the total is n^2/log n, where n is b log b; that's b^2 log b, which is asymptotically better than b^2 log b log log b. Hey, McEliece is actually faster, for sufficiently large b, than elliptic-curve cryptography.
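To make the bookkeeping concrete, here is a small back-of-the-envelope Python sketch of these scalings. Every constant and o(1) term is set to 1 purely for illustration; real parameter choices need the detailed analyses the speaker mentions, and the function names are mine:

```python
# A back-of-the-envelope sketch (not a benchmark) of the scalings above,
# with every constant and o(1) term set to 1 purely for illustration.
import math

def rsa_encrypt_cost(b):
    # NFS costs about 2^((log n)^(1/3)) >= 2^b, so log n ~ b^3;
    # encryption is essentially linear in log n, so ~ b^3 bit operations.
    return b**3

def ecc_encrypt_cost(b):
    # Best attacks ~ 2^((1/2) log q) >= 2^b, so log q ~ 2b; scalar
    # multiplication costs ~ (log q)^2 field-bit work, which comes out to
    # ~ b^2 * log b * log log b after fast multiplication.
    return b**2 * math.log2(b) * math.log2(math.log2(b))

def mceliece_encrypt_cost(b):
    # Best attacks ~ 2^(c*n/log n) >= 2^b, so n ~ b log b; encryption
    # with standard speedups is ~ n^2 / log n, i.e. ~ b^2 * log b.
    return b**2 * math.log2(b)

for b in (128, 256, 1024, 4096):
    print(b, rsa_encrypt_cost(b), ecc_encrypt_cost(b), mceliece_encrypt_cost(b))
```

Even with all constants suppressed, the b^3 versus b^2 · polylog(b) separation is visible as b grows.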
And actually it has other advantages: people often point to the post-quantum feature, that as far as we know it's immune to quantum computers. I guess there will be some comments on this in the next talk. It also has very, very fast decryption.

All right. I've been telling you some asymptotics which reflect the current knowledge of cryptanalytic and cryptographic algorithms, but of course these algorithms change. You could have, for instance, faster multiplication algorithms, and actually I've already told you something a little behind the state of the art for elliptic-curve cryptography: you can speed up the multiplications in elliptic-curve cryptography and get something which asymptotically closes a lot of that gap between ECC and McEliece, and maybe you can close the entire gap with more work on multiplication or on higher-level aspects of ECC. You could also try to speed up attacks, and that's what the rest of this talk is about: faster attacks against McEliece, which mean that you need bigger McEliece key sizes, and that slows McEliece down, which also maybe closes the gap between ECC and McEliece. A different type of speedup, which I'll just mention here, is that you can look at variations which are harder to break, which have more defenses. We think that a particular variation of McEliece, subfield AG-code-based cryptography, is going to be better than McEliece, with a better trade-off between speed and security; hopefully it will even get rid of the log factor, so instead of b^2 log b it'll be just b^2 encryption time.

Okay, for the rest of the talk I'll focus on part two: attacking McEliece. The best attacks, ever since McEliece introduced the system, have always been generic decoding attacks; there are lots and lots of papers looking at this. I'm not going to describe how these attacks break McEliece, or the Niederreiter version, but I will describe what these attacks are supposed to be doing. A generic decoding algorithm, for people who know coding theory: you have some random code, pretty much any code, and somebody has given you a codeword with some errors, and you have to find the errors. It's a closest-vector problem for codes instead of lattices.

Here's what the problem looks like, for everybody. When you look at this problem, you should think of it as some sort of subset-sum problem. You're given 900 (in this case) vectors, each of them 500 bits long, r_1 through r_900, and the problem is to come up with a subset of those of a particular size, the size being 50: find 50 of these rows that have their sum mod 2, their exclusive-or, equal to s, where s is another input. All right, so that's the decoding problem. What all these papers have been looking at is: for random choices of the r's, for essentially any choices of the r's, and random choices of s that are sums of 50 of these rows, how can you figure out what those rows are? Maybe s equals r_2 + r_7 + r_34, etc.
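Stated as code, the problem on the slide looks like this (a minimal sketch; the dimensions 900, 500, and 50 are just the slide's example numbers, and the variable names are mine):

```python
# A minimal restatement of the slide's problem instance.
import random

N_ROWS, N_BITS, WEIGHT = 900, 500, 50

# r_1 .. r_900, each a random 500-bit vector (stored as a Python int)
rows = [random.getrandbits(N_BITS) for _ in range(N_ROWS)]

# the hidden answer: a random 50-element subset, e.g. {2, 7, 34, ...}
secret = sorted(random.sample(range(N_ROWS), WEIGHT))

s = 0
for i in secret:
    s ^= rows[i]        # s = sum mod 2 (bitwise XOR) of the chosen rows

# The attacker sees only `rows` and `s` and must recover `secret`
# (or any 50-row subset with the same XOR).
```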
How do you figure out that it's 2, 7, 34, and so on? You can try to simplify this problem a bit, using some self-reducibility. For instance, you can take the rows and permute them. Let me try switching; it's gonna work... yeah, so I'll flip r_1 and r_2, and if you look at the bottom, you see that s is changing as well, between r_1 and r_2. You can permute the rows; it doesn't change the problem. You can also permute the columns; let me try flipping two of the columns. Hey, that works too. PDF animation, amazing thing. And you can actually do more: you can add one column to another, and that also doesn't change the problem. Which means you can do row reduction, Gaussian elimination; you can make an identity matrix, assuming you have a full-rank matrix of r's, which 900 random vectors essentially always give you: they'll have dimension 500. Assuming you have that, you can turn the first 500 of those rows into an identity matrix.

Now, s is a sum of 50 of these vectors; assume it is. How do you figure out those 50 vectors? Well, maybe you get really lucky. This is the starting point of the algorithms: maybe s is a sum of some of those identity-matrix rows up at the top. Then you have a really easy subset-sum problem. If you're adding up, say, r_1 and r_2, or any of the first 500, if you have all 50 out of those, then you'll see exactly those red bits showing up in s, and maybe that's what happened in this example. Okay, it's not a huge chance of it happening: it means that your 50 rows all have to be in the first half, roughly, which is something like a 2^-50 chance (do a more precise binomial-coefficient analysis of this). But there's some chance that it happens, and if it happens, it's really, really easy to see: you just look at s and see where the red bits, I mean, where the ones are. If s has weight 50, the number of 1 bits being exactly 50, then you're done, once you've reduced the matrix to systematic form. If that doesn't happen, if you don't get lucky, then you just re-permute the rows and re-permute the columns, do row reduction again, and try again with another selection of rows. So this is information-set decoding in its most basic form, and all the subsequent literature is refining this idea in all sorts of cute ways. Let me show you a few of those ways, and then try to say what it is that we did in this paper.

Lee and Brickell in '88 said: okay, you could have all your 50 rows among the first 500, but there's a significantly, well, much better chance of having a split of, say, 48 on top and 2 on the bottom. I actually have a picture of this: 48 out of the first 500 rows are selected, and then 2 out of the remaining 400 are selected, some r_i and r_j, which together add up to s. You can recognize this by searching through the possibilities for i and j; there's some quadratic number of possibilities for the r_i and r_j. You XOR them into s and see if you have weight 48; if you have exactly 48 bits set in the result, then okay, that tells you the 48 rows out of the first 500. And this is not just an algorithm which is more likely to succeed on each iteration: each iteration is almost as fast as the previous algorithm, because you spend about as much time on the linear algebra as you do searching through the possibilities for i and j.
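Here is a rough pure-Python sketch of one iteration of this loop, with the Lee-Brickell split as an option. It works in the equivalent parity-check view, where the r_i are the 900 columns of a 500x900 matrix H and row operations on H play the role of the column operations above; all names and the p=2 split are mine, and nothing here is optimized:

```python
# Link to the previous sketch: H_rows[i] packs bit i of every r_j, i.e.
#   H_rows = [sum(((rows[j] >> i) & 1) << j for j in range(900)) for i in range(500)]
import random

R, N, W = 500, 900, 50          # rows of H, columns of H, target error weight

def one_isd_iteration(H_rows, s, p=0):
    """One iteration of information-set decoding in the parity-check view.
    H_rows: R ints of N bits each (rows of H); s: R-bit syndrome int.
    p=0 is plain ISD; p=2 adds the Lee-Brickell 48+2 split (the pair loop
    below assumes p=2).  Returns a set of column indices, or None."""
    perm = list(range(N))
    random.shuffle(perm)                       # random column permutation
    rows = [sum(((h >> perm[j]) & 1) << j for j in range(N)) for h in H_rows]
    rows = [r | (((s >> i) & 1) << N) for i, r in enumerate(rows)]  # carry s along

    # Gaussian elimination: try to put an identity on the first R columns.
    for i in range(R):
        piv = next((k for k in range(i, R) if (rows[k] >> i) & 1), None)
        if piv is None:
            return None                        # unlucky permutation; try again
        rows[i], rows[piv] = rows[piv], rows[i]
        for k in range(R):
            if k != i and (rows[k] >> i) & 1:
                rows[k] ^= rows[i]

    s2 = sum(((r >> N) & 1) << i for i, r in enumerate(rows))   # reduced syndrome
    if p == 0:                                 # plain ISD: all 50 errors on top
        if bin(s2).count("1") == W:
            return {perm[i] for i in range(R) if (s2 >> i) & 1}
        return None

    # Lee-Brickell: allow p=2 errors among the remaining N-R columns.
    cols = [sum(((rows[i] >> j) & 1) << i for i in range(R)) for j in range(R, N)]
    for a in range(len(cols)):
        for b in range(a + 1, len(cols)):
            t = s2 ^ cols[a] ^ cols[b]
            if bin(t).count("1") == W - p:     # 48 on top, 2 on the bottom
                top = {perm[i] for i in range(R) if (t >> i) & 1}
                return top | {perm[R + a], perm[R + b]}
    return None

# Usage: keep trying random permutations until one iteration gets lucky.
#   answer = None
#   while answer is None:
#       answer = one_isd_iteration(H_rows, s, p=2)
```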
Then Leon, and independently Krouk, came along and said: well, if you're looking for some s + r_i + r_j where there are only 48 bits set out of 500, then there's a pretty good chance that the first 10 bits are all going to be zero. It's not guaranteed, but you won't lose much success probability if you insist on it, and you gain quite a lot of speed in each iteration, so it's certainly worthwhile. You insist that the first 10 bits of s + r_i + r_j be zero, and then, if they are all zero, which is something like a 2^-10 chance, you check weight 48 for the rest. This speeds up the iteration enough to be worthwhile compared to the loss of success probability.

And then Stern, the gold standard in these algorithms for many years, which we call collision decoding, said: hey, for exactly this algorithm, there's a square-root attack. Look at what happened here: there's this s + r_i + r_j which we want to have its first 10 bits all zero. That's the same as saying that the first 10 bits of s + r_i are equal to the first 10 bits of r_j, and now we've separated the i and the j. So Stern says: look through the possibilities for i, take the first 10 bits of s + r_i, and put them in a hash table or something; then look through the first 10 bits of all the r_j's and do a sort-and-match, or hashing, whatever. You get a very fast iteration, much faster than for Leon and Krouk, and once you've found collisions between the s + r_i and the r_j, you check the weight of those collisions s + r_i + r_j.

All right, here's another picture; here's what it looks like for Stern. You're insisting now that, out of the 48 rows selected in the top half, none come from the first 10 rows, so the first 10 rows don't appear in the sum; out of the next 490, 48 appear; and out of the remaining 400, 2 appear. You search for those 2 by separately looking through the i's, adding to s, and through the j's; you do this square-root trick, and then for each of the matches you check: do you have weight 48?

Now, because Stern has sped up the search through the (i, j) pairs by looking through the i's and j's separately, he has time to look for more. So he says: okay, let's have a bunch of i's and a bunch of j's, for instance two i's and two j's. Actually the optimal number goes to infinity as everything gets bigger and bigger, so Stern has more and more rows on the bottom being added together, and then of course all the other parameters have to be optimized as well.
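A sketch of Stern's collision step, picking up after a Gaussian elimination like the one in the previous sketch: cols would be the reduced non-identity columns and s2 the reduced syndrome, and the concrete values ell=10 and p=2, like the function name itself, are illustrative assumptions:

```python
# A sketch of Stern's collision step; cols and s2 are the reduced columns
# and syndrome after a Gaussian elimination as above, ell is the number of
# forced-zero window bits, and the p bottom errors are split p/2 + p/2.
from itertools import combinations

def stern_step(cols, s2, W, ell=10, p=2):
    mask = (1 << ell) - 1                      # the first ell bits
    half = len(cols) // 2
    left, right = cols[:half], cols[half:]

    # Hash the window bits of s2 xor (each sum of p/2 left columns).
    table = {}
    for idx in combinations(range(len(left)), p // 2):
        v = s2
        for i in idx:
            v ^= left[i]
        table.setdefault(v & mask, []).append((idx, v))

    # Collide against the window bits of each sum of p/2 right columns.
    for jdx in combinations(range(len(right)), p // 2):
        u = 0
        for j in jdx:
            u ^= right[j]
        for idx, v in table.get(u & mask, []):
            t = v ^ u                          # window bits are zero by construction
            if bin(t).count("1") == W - p:     # weight check on the rest
                return idx, jdx, t
    return None
```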
All right, so what does our algorithm do, for this example? Well, instead of just looking for collisions between the first 10 bits of s + r_{i1} + r_{i2} (after you've put in more rows) and the first 10 bits of, say, r_{j1} + r_{j2}, take each of those 10-bit strings and add errors in every possible position: make a little Hamming ball around each of those 10-bit vectors. Take the 10 bits, and out of, for instance, the first 5 bits, change each of those 5 bits, so now you have 5 different vectors related to this 10-bit vector; do the same with the other vector and the other 5 bits, and then look for collisions between all those 25 possibilities. So there's more searching going on here, some extra collision detection, bigger lists of stuff to look through, but we get an increase in the success chance: we're now allowing 2 errors among the first 10 rows, then 44 out of the remaining 490 in the top half, and then 4 on the bottom, or whatever the right parameters are; you have to optimize all the numbers, of course. But this is the basic change that we make to Stern's algorithm: looking for collisions between these balls instead of between the individual points.
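And a sketch of that ball-collision modification, in the same hypothetical setting as the Stern sketch above; the radius and the 5+5 split of the window follow the talk's toy example rather than any optimized parameter set:

```python
# A sketch of the ball-collision step: same setting as stern_step, but each
# side's window value is expanded into a small Hamming ball before matching.
from itertools import combinations

def ball(v, positions, radius):
    """All vectors within Hamming distance <= radius of v, flipping only
    the window bits listed in `positions`."""
    out = [v]
    for r in range(1, radius + 1):
        for pos in combinations(positions, r):
            flip = 0
            for pbit in pos:
                flip |= 1 << pbit
            out.append(v ^ flip)
    return out

def ball_collision_step(cols, s2, W, ell=10, p=2, q=1):
    mask = (1 << ell) - 1
    half = len(cols) // 2
    left, right = cols[:half], cols[half:]

    table = {}
    for idx in combinations(range(len(left)), p // 2):
        v = s2
        for i in idx:
            v ^= left[i]
        for vb in ball(v, range(ell // 2), q):        # errors in the first 5 window bits
            table.setdefault(vb & mask, []).append((idx, v))

    for jdx in combinations(range(len(right)), p // 2):
        u = 0
        for j in jdx:
            u ^= right[j]
        for ub in ball(u, range(ell // 2, ell), q):   # errors in the last 5 window bits
            for idx, v in table.get(ub & mask, []):
                t = v ^ u            # may now carry up to 2q ones in the window
                if bin(t).count("1") == W - p:
                    return idx, jdx, t
    return None
```

The balls make each iteration somewhat more expensive, exactly as described above, in exchange for the larger per-iteration success probability that the paper's parameter optimization exploits.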
The last slide is the main theorem, which you can find a proof of online. The main theorem we have is that the exponent of this algorithm is better than the exponent of Stern's algorithm: for any particular constant ratio between all the sizes involved, the number of rows involved, the total size of the matrix, and so on, we have a smaller exponent alpha prime than the exponent of Stern's algorithm. If you look at the paper, we also have reasons to think that this is optimal; we've optimized everything that we can. If you can find another idea, great, maybe you can do better. We also say in the paper, if you want to be totally sure about all these algorithms being fine: we have some lower bounds, and you would have an incredibly difficult time getting anywhere near them. And to make sure that our analysis is completely correct, we did it in so much detail that we could check it against a computer implementation.

To finish, let me just say: I think this is the end, and even if it's not the end for attacks against McEliece, it's so close to the end that I'm very, very confident in McEliece, and I'm looking forward to somebody building a quantum computer, so we can actually start deploying this in practice. Thanks for your attention.

So we have time for one brief question.

So, the lower bound is saying: we've got a very broad idea of what these kinds of algorithms do, and then we say, if you have anything that looks like that, anything with any sort of iterations like that, and you're extremely optimistic about how far algorithms like this could conceivably go, then here's how fast that best possible algorithm could be. Of course, if you go outside that structure for the algorithms, then you could conceivably do better. The lower bounds are not too painful for implementers: they're separated by something like 10 or 20 percent in final key size from what you would get by looking at the best attacks. And of course, if you want to really cut things close and have a system that's just barely beyond the best attacks that we have, then you're going to have a system with, well, a smaller key size, a little faster. But these lower bounds are saying, as usual for this kind of analysis: we have a general idea of what these algorithms should do, and if you have anything in this class, it's not going to do better than the following quantitative performance.

So let's thank the speaker again.