学术报告
A Study on Decryption Failure Rates in QC-MDPC-Based Post-Quantum Cryptography-王安宇(清华大学)
CHINA·77779193永利(集团)有限公司-Official website
报告题目:A Study on Decryption Failure Rates in QC-MDPC-Based Post-Quantum Cryptography
报告人:王安宇(清华大学)
摘要: Code-based cryptography has received a lot of attention recently because it is considered secure under quantum computing. Among them, the QC-MDPC based scheme is one of the most promising due to its excellent performance. QC-MDPC based schemes are usually subject to a small rate of decryption failure, which can leak information about the secret key. This raises two crucial problems: how to accurately estimate the decryption failure rate and how to use the failure information to recover the secret key. However, the two problems are challenging due to the difficulty of geometrically characterizing the bit-flipping decoder employed in QC-MDPC, such as using decoding radius. In this work, we introduce the gathering property and show it is strongly connected with the decryption failure rate of QC-MDPC. Based on this property, we present two results for QC-MDPC based schemes. The first is a new construction of weak keys obtained by extending the keys that have gathering property via ring isomorphism. For the set of weak keys, we present a rigorous analysis of the probability, as well as experimental simulation of the decryption failure rates. Considering BIKE's parameter set targeting 128-bit security, our result eventually indicates that the average decryption failure rate is lower bounded by 2^{-116.61}. The second entails two key recovery attacks against CCA secure QC-MDPC schemes using decryption failures in a multi-target setting. The two attacks consider whether or not it is allowed to reuse ciphertexts respectively. In both cases, we show the decryption failures can be used to identify whether a target's secret key satisfies the gathering property. Then using the gathering property as an extra information, we present a modified information set decoding algorithm that efficiently retrieves the target's secret key. For BIKE's parameter set targeting128-bit security, we show a key recovery attack with complexity 2^{116.61} can be mounted if ciphertexts reusing is not permitted, and the complexity can bereduced to 2^{98.77} when ciphertexts reusing is permitted.
报告时间:2023 年 6 月 14 日(周三)下午 16:00-17:00
报告地点:首都师范大学本部校区教二楼 612
报告人简介:王安宇,清华大学高等研究院副研究员,主要从事密码和编码理论的研究,在 IEEE Transactions on Information Theory、ASIACRYPT、IEEE INFOCOM 等信息论和密码顶级刊物上以第一或通讯作者身份发表多篇论文,2016 年入选中国科协“青年人才托举工程”,2015 年获中国科学院信息工程研究所“引进优秀青年人才”专项经费支持,主持或作为项目骨干参与了国家自然科学基金、科技部重点研发计划多等多个国家级项目。担任了中国密码学会第三届青年工作委员会委员等学术职务。
邀请人: 张俊
