 So after these short technical difficulties I'm happy to announce the last talk in this session. It's error implication in code-based cryptography and the code talk will be given by Alexander Nielsen. Thank you for that introduction. So I'm going to talk to you about attack but before we do that I want to go into a bit of background. So code-based cryptography is one of the major branches of cryptographic post-quantum research right now and we have a security based on the hardness of the code in random linear code. And the most famous example is the Macalese cryptosystem from 78. It has some problems with large keys but otherwise it's a very good system but the large keys is the reason why we have several variants. One of these are the quasi-cyclic medium density parity check and it has smaller keys and it attains this by using cyclic structures in the key matrices and it's a very simple encryption where we basically take the plaintext times the generator matrix and add some noise. The decryption is very efficient because we use a bit flipping decoding which is iterative. Unfortunately this gives us a decryption failure rate which is non-zero and we use this in order to perform an attack which I will describe in a few moments. But an MDPC code is a linear code with an arrow correction capability t. We have a length n of the ciphertext code dimension r which is the length of the plaintext and we have a row weight w in the parity check matrix h. Also we have that the length of the ciphertext is a small constant times the length of the plaintext. So for 8-bit security we have these parameters where the constant is 2. The ciphertext is 9602 bits long and we have length of the plaintext 4801, a row weight of 90 and the arrow correction capability of 84. So this means that we have about 99 bits out of 100 or zero. So this gives us a very sparse matrix but actually this is the reason why this is a medium density code. A low density code would have even fewer ones in the matrix. The secret key is constructed like this where each h i is a circle and r by r matrix. So for example we have for 8-bit security a secret key like this where each row of the sub matrixes is a secret representation of the first row. So that means we only need to save or transmit the first row of each sub matrix. And actually if we use the public key we only need the first row of the first sub matrix in order to reconstruct the secret key. So we will use this in an attack later. The public key is generate the matrix and it's constructed like this where i is identity matrix. And now we have everything we need in order to perform an encryption. So to encrypt the plaintext m into a plaincypitec c we only need to find or generate a random error vector with a handling weight less than or equal to the arrow correction capability of the code. And then we simply compute the plaintext times the generator matrix and add this error vector. To do encrypt we need a decoding algorithm. We call it psi h because it uses the knowledge of h in order to work. And we simply apply this to the ciphertext, remove the error vector and then we have the plaintext as the first part of the ciphertext minus the error vector. And these decoding algorithms used by mdpc are based on the original Gallagher bit flipping algorithm which is iterative it's very efficient but unless you take special care you can it's not constant time. So I want to show you first an attack before first published in Asia group 16 where the authors did a key recovery attack with about 250 to 300 million ciphertexts. This is for 8-bit security parameters. It was against the cca secure version of mdpc and they did this by discovering a correlation between the distance spectrum of the secret key and of the distance spectrum of the non-decodable error patterns. Now you might wonder what a distance spectrum is and it's works like this where we first have an error pattern at the top and then we have the corresponding distance spectrum DOB below where each index in the distance spectrum corresponds to a distance and the counters or the values of each precision is basically a counter of each distance. So we can see here that where the distance of three occurs two times in this error pattern. So each counter the value of each counter we call this a multiplicity because it determines the number of times we have each distance and now I want to point out that the distance spectrum of age zero is all that we need in order to perform a key recovery attack. So this is the target and it works like this. We have a reaction attack against the cca secure mdpc. We just start with a variable initialized to zero and we increment it for each round in the loop. We encrypt a ciphertext. We send the ciphertext to a victim. The victim decrypts it. The victim sends response back to our attacker and now the attacker only has to decide whether or not the victim suffered a decoding failure. If the victim could not decode the message then we save the distance spectrum of this error pattern that we used to encrypt. And then we repeat as many times as is necessary. So what we do is to combine all the distance spectrums of all the error patterns that did not successfully decode and it turns out that multiplicities are not uniformly distributed but they are distributed according to the distance spectrum of the secret key which we want. So this is how that attack works and of course we need manner samples but still a very efficient attack. Now the question is if we can do better and we shall see. We propose a new adaptive attack with or without side channels against the cpa secure version of mdpc. So we take the original attack and we add a new counter and we also need a first error pattern which is non-decodable and then we encrypt like normal except that this time we don't use a random error vector. Instead we use an error vector that is derived from the last known error vector that could not be decoded. This time if we detect a coding failure we save it to ej increment the counter, reset the eye counter and one of the differences is that this time we save the distance spectrum of the error vector regardless or not we detected a decoding failure. Also if the decoder is not constant time then we save the time measurements of the victim's decryption. We call this deriving of the error pattern the chaining method and we use it to amplify the decoding failure rates in order to get more information that we need to perform the attack. All right so the chaining method works like this where error amplification is gained by generating a chain on non-decodable error vectors and we basically we take an initial error pattern and we mutate it by moving randomly one of the non-series and then we try to decrypt again. If we manage to decrypt we indicate this with white circles and if we don't manage to decrypt or the victim fails to decrypt we indicate this with the red circles and we use that as a new basis and we get the chain. Of course this doesn't give us anything unless we save some information from this so what we do is to take the differences of the distance spectrum for each mutation so for example if we have a successful decoding then we save this differences of the distance spectrum into a new vector and we do the same thing we do decoding failures and also keep in mind that these are all vectors so we need an initial error pattern and we can do that by random like in the original attack or we can actually use the chaining method again if we have a non-concent time decoder and we can see here that by just measuring the time we can easily distinguish the number of iterations required to decode a specific pattern. This is for three different implementations and so if we take a random pattern we try to decode it and each time we find a new pattern that takes longer time to decode we save that as a new basis and we keep going until we find a new pattern that is not decodable and we use that as E0. Alright so let's look at the results. So we save or aggregate each distance spectrum difference into a new vector and we can see here in this graph where each data point represents a single distance in the distance spectrum that is set into multiplicity layers. So for example if we look at the blue ones we can see that these are the distances that do not occur in the secret key and if we look at the brown ones just above these distances as indicated by the x-axis occurs at one time in the secret key and then we have two times and three times and four times. Also we have seen that if we include the inverted information of decoding successes we can improve the results which means that we actually get information from each decoding and not only from failures. And now we have what we need to reconstruct the secret key. Alright so let's take a look at the amplification effect that I was talking about. So this is how it looks like with just random sampling. So the decoding failure rate is indicated by the horizontal lines and the red line is the best implementation where we have a decoding failure rate of around 10 to the minus 7 and if we look at the chain method we see that it has increased to around 10 to the minus 2 or something like that. Yeah, note the logarithm scale on the y-axis and there's more to say about this graph but I won't because it will take time. So just let's wrap up and just conclude that we have made an improvement of the original take by a factor around 20 to 30 depending on whether or not we use side channels. We have in a more general case shown that the low decoding failure rate might not be enough as a protective measure especially if we have side channels. Also we have seen that letting the attacker decide the error patterns is a bad idea. It opens up for attacks and also makes existing text more efficient. We show that by using the knowledge of a single non-decodable error pattern as leverage for generating more patterns. Of course this doesn't work for CCA secure schemes because they do not allow us to select the error pattern. And that's it. Thank you. Thank you. Are there any questions? This is not the case. I have a quick question. So your technique cannot be applied to the CCA secure version, I guess. But the original attack can. Thanks. Okay. If there are no further questions then let's thank the speaker and let's thank the speakers of all of the whole session and then we'll meet at 11.40.