 And it's my pleasure to introduce the last speaker of the session, Chen Guo, who will be talking about MDPC codes. OK. The title is Key Recovery Attack on MDPC with CCU security using decoding errors. And this is a joint work with my supervisors, Thomas Johnson and Paul Stankowski. This is Outline. I will start with motivation background. And then I will introduce the new ideas. And I include how to do key recovery from distance spectrum and also how to get the distance spectrum playing QC MDPC and also on the CCU secure version. Then I will give an intuitive explanation that why this works and also results and discussion conclusion. So let's go to motivation. We know that quantum computer with very good system based on the harness of factoring and discrete log, like I see on the ECC. So people are looking for post-quantum candidates. There are four competitive directions, like lattice-based, code-based, hash-based, and multivariate-based crypto. For here, I will talk about code-based crypto. One important primitive is MACLIS-PKC using Gopal codes. But it has drawback. It has extremely large key size. So in 2013, Musovsky, Tilesh, Sandro, and Bertol, they proposed a new scheme called QC MDPC. It has much smaller key size, and it has good security arguments. And also, it can be easily implemented. So this is a scheme recommended by some EU project for the third day. Here, our goal is to recover the secret key. Background, QC MDPC. So let's start with QC MDPC codes. Quad-cycle codes is a linear code that every shackle shift by this step remains a code word. So we will assume that N0 is 2. And if we do some index permutation, we can write the patch check matrix in this form. And here, HIR circulate matrices. We can also write G, get a systematic generator matrix. It's a dense matrix. So operations can be built in this polynomial ring. And we can write polynomial in the vector form. So what is MDPC? We know that it's an extension of LDPC. Low-density parity check code is a linear code that has a sparse parity check matrix. Usually, it has small constant raw weights. But for MDPC, it's a linear code with a denser, but still sparse parity check matrix. So it's always scaling this order of square root of n log n. And QC MDPC is just a quasi-cyclic MDPC code. And this is code parameter. This is QC MDPC scheme, PKC scheme. For key generation, we just generate a patch check matrix H. So this H is a sparse matrix. And we derive the systematic generator matrix G. Here, P is a dense matrix. So the public key is a dense matrix. And the private key is a sparse matrix. So for encoding, we generate a random error vector E with weight this. And we compute ciphertexts like this. So for decoding, because we know this sparse matrix, we can build a ternograph and do this iterative decoding to get the noise E. And we can get plain text from this if we know the noise. In this slide, this is a secure version. And if we extend in the security model beyond CPAs, then there are many attacks like resend attacks, reaction attacks, et cetera, too. So if we want to achieve CC security, one can use a CC conversion like one suggested by Kabara in May in this year. And there are many other conversions. And these conversions make the choice of error vector E random. So this is the stress parameters. OK, this slide we discussed about Gallagher's speed flipping strategy. So after computing the syndrome and because we know this sparse matrix H, we can build this ternograph. This is check nodes. And these are check nodes. And these are digit nodes. We can add a counter to each digit node. So for the t-th iteration, we just will run through all the check nodes and to check if this check equation is satisfied. If not, we just increase the counter corresponding to its neighbor. Increase counter. Then after we run through the check node, we run through all the digit nodes to check its counter. If it's too large, then we flip the bit. OK, next is the new idea part. This is our attacking scenario. So Alice will send many messages to Bob. These messages are encrypted using Bob's public key. And Bob will decrypt and tell Alice whether the decryption is successful or not. In terms of secure model, this is called a reaction attack. And this is a weaker model than CCA because Alice just need to know that the decryption is yes or not. She actually don't need to know the decryption information. So in this sense, this is a stronger attack. We know that recent and reaction attack have appeared before, but all the previous attacks are message recovered attack. Here, we will try to recover the key. We will show that how to get the private key from decoding error property for different error patterns. First, I will introduce a key related property called distance spectrum. The distance spectrum is a set that includes all the possible distances that in this vector exist a pair of ones with distance d. And here, cyclic shift is allowed. And the distance can appear many times in this vector, so in H0. So we also introduce a multiplicity. This is an example. If we have this bit pattern, so we have R is 7. The possible distance is like 1, 2, 3. But since in this, we have this pattern like 1, 1. So for distance 1, the multiplicity is 1. But we don't have the pattern like 101, so this one is 0. But we have 2, 1, 0, 0, 1, and also dual shift 1, 0, 1. So we have this multiplicity 2. If we say the distance spectrum is 1, 3. So I will show how to construct a private key from this distance spectrum. It's a quite naive algorithm. Because we can do cyclic shift, so we put the first bit non-zero bit in position 0, and we put the second one position I0 here. I0 is the smallest value in this distance spectrum. Then we inject the third bit, the fourth bit, et cetera. The point is that if we inject the fourth bit here, then this distance and this distance and also this distance should be all in the distance spectrum. So if it is unsatisfied, it is an invalid pattern, so we just choose another value. We will show that it's efficient for this circumstance. So the remaining problem is how to recover the distance spectrum from the decoding error probability for different error patterns. We have an observation is that if we give a distance, we consider a pattern that at least one pile of ones at distance d. So if d is in the distance spectrum, then the decoding error probability is smaller than that if d is not in the distance spectrum. So this is a CPA case for playing QC MDPC. In this case, error is not protected, so we can choose error from this PCD that it's a set of all binary vectors having exactly t1s and all the t1s are placed as a pairs with distance d in the first half. So this is an example. We see that this is a pair of ones with distance d and this is another pair. But for the second part, it's all 0. So the attack is like this. Alice will repeat for every distance and he will choose error selected from PCD and send message to Bob. And if there's a decoding error with Bob, then she will record it. And after m messages, she will be able to compute an empirical decoding error probability. So another question is if she has this decoding error probability, how to decide the multiplicity? Actually, this is general shape. This is error probability. So we can say that it's grouped according to its multiplicity. And this is empirical results. We see that if we use this many decoding trials and use proposed parameter for 8-bit security, we'll choose the error t is 84. We can say that it can be easily distinguished. So the algorithm is like for every distance d, we just decoding trials and get the empirical error probability and do statistics test to get the multiplicity. And if it's non-zero, we add it with multiplicity into the distance spectrum. So this is a complex state. For a CC secure version, because we can no longer control the error, because error looks random. So we just form different subjects with desired error patterns. That is, given a distance d, we choose error patterns that contain at least one occurrence of distance d. We will show that these subjects can still be used to decide the distance spectrum. This is algorithm. So we get a collection of t cipher attacks. And we record the decipherability. We just choose subsets we want to have. And we record the empirical decoding error probability and do multiplicity classification. And this is a complex state. So I will give an intuitive explanation. Here, we choose error pattern from per CD. And the W is the weight of H0. We see that actually the first iteration plays a vital role in the decoding process, because Galax speed flipping algorithm will terminate in a small number of iterations, typically 3 to 5 iterations. So this is one parity check equation looks like. So if we look at all the r parity checks, then we will create exactly t times w non-zero terms. Because for each non-zero term HIG, it will do a cyclic shift and meet with half exactly t non-zero terms. So we have the total non-zero terms t times w. So the problem is that we put this t type w different object in this r bucket, because we have r parity check equation. And we count the number of objects in each bucket. Even number of objects will be helpful, because 1 plus 1 is 0. And all number will act in the opposite. This table shows the relation between the number of non-zero HIG, EIS, and also the number of correctly changed counters. Because for each equation, it will change w neighboring counters. It will tell them to stay or to increase. So we see that even it's good and odd is bad for decoding. So here, case one is that H0 contains two ones. And the case zero is that this other case, it doesn't appear. So in case one, we artificially injected pairs of ones that we can see this is the distance distribution. We can see that for this number, it's larger. You call them two, then the probability is almost the same. But for this, this probability is higher and this probability is lower. So in case one, we move the distribution to the direction that are good for decoding. So in this case, the decoding our property will be low. OK, this is results. We use these parameters. And we use Gallagher speed flipping algorithm. So in fact, it takes like 2 to 35 operations. But it can be slow in worst case. In simulation, we perform 3,000 trials using a single call of a personal computer. And the implementation is unoptimized. So on average, it takes like 144 seconds. And in worst case, it's 49 minutes. So in the CPA case, this is how to get the distance spectrum in the CPA case. We see that we use Gallagher speed flipping algorithm. And with error pattern, we choose T is 84 and T is 90. Here, this is just parameters for ADB security. And this is a case that sometimes we can inject more errors to do a fault attack. So if we inject more errors, then we require less numbers, less number of trials. So the complexity in this case for T is 84 is 2 to 28. And for T is 90, it's 2 to 25. This is a result for a CC case also to recover the distance spectrum. This is error probability. And this is distance. So we can see that these points are grouped according to the multiplicity. We need these many side effects. And we do 24 simulations. And this is a worst case result. So for the proposed security parameters using Gallagher speed flipping decoder, then the complexity is about 2 to 40. Discussion. In our implementation, we use original Gallagher speed flipping algorithm. And definitely, this is not the optimal one. The state of the art variant can improve with a factor like this. So we can do a reasonable guess that the TAP time 1 using one of these better decoder is the complexity when using the original one times this factor. So that is 2 to 44 for the CPA case and 2 to 55 for the CC case if we use the suggested parameters of QCMDPC for ATP security. Final remarks. We give a reaction type QA recovery attack. And this attack can break the CCQ version using suggested parameters. So one important question is to design countermeasure to resist this attack. And we think that the best way is to make the decoding error property really small, like 2 to minus 80 for ADB security. But it seems difficult according to recent implementation. And another thing is that even if we can make the decoding error property small, then this attack may still be applicable if some side channel information is provided. Thank you. Thank you very much. Are there questions for Chen? Thank you. So if you take the CCA model, so you manage basically to break a CCA secure scheme using a chosen ciphertext attack. So yeah, it's just a naive question. Was there a mistake in the proof originally? Or do you attack something that was not covered by the original model? I think in the proof, they don't take this decoding error into consideration in the proof. I don't see more questions. I have a question. So you were at the beginning advertising that this is a post-quantum scheme, right? So that this is why people are interested in this. So on the last slide, you said you would need an error probability of something like 2 to the minus 80 for ADB security. If you do post-quantum attacks, shouldn't that be 2 to the minus 160? If you're searching for inputs with Grover, that maybe give you something, or wouldn't that matter? Is it really? I think in actual other schemes, they all have this. I think this is if we can achieve these conditions, then we can, I mean, there's no decoding error. OK. So definitely, we will resist this attack. But maybe it's not necessary condition. And another question is, so if you want to increase the security level to something like 28-bit security, right? Would this become even harder? Or yeah, OK, that was my question. Thanks. I don't see any further questions, so please join me in thanking Chen again. And that concludes the session. So I guess there is coffee outside.