Since their introduction in 2004, Polynomial Modular Number Systems (PMNS) have become a very interesting tool for implementing cryptosystems relying on modular arithmetic in a secure and efficient way. However, while their implementation is simple, their parameterization is not trivial and relies on a suitable choice of the polynomial on which the PMNS operates. The initial proposals were based on particular binomials and trinomials. But these polynomials do not always provide systems with interesting characteristics such as small digits, fast reduction, etc. In this work, we study a larger family of polynomials that can be exploited to design a safe and efficient PMNS. To do so, we first state a complete existence theorem for PMNS which provides bounds on the size of the digits for a generic polynomial, significantly improving previous bounds. Then, we present classes of suitable polynomials which provide numerous PMNS for safe and efficient arithmetic.
Code-based cryptography is one of the main propositions for the post-quantum cryptographic context, and several protocols of this kind have been submitted on the NIST platform. Among them, BIKE and HQC are part of the five alternate candidates selected in the third round of the NIST standardization process in the KEM category. These two schemes make use of multiplication of large polynomials over binary rings, and due to the polynomial size (from 10,000 to 60,000 bits), this operation is one of the costliest during key generation, encapsulation, or decapsulation mechanisms. In this work, we revisit the different existing constant-time algorithms for arbitrary polynomial multiplication. We explore the different Karatsuba and Toom-Cook constructions in order to determine the best combinations for each polynomial degree range, in the context of AVX2 and AVX512 instruction sets. This leads to different kernels and constructions in each case. In particular, in the context of AVX512, we u...
Iterative conditional branchings appear in various sensitive algorithms, like the modular exponentiation in the RSA cryptosystem or the scalar multiplication in elliptic-curve cryptography. In this paper, we abstract away the desirable security properties achieved by the Montgomery ladder, and formalize systems of equations necessary to obtain what we call the semi-interleaved and fully-interleaved ladder properties. This fruitful approach allows us to design novel fault-injection attacks, able to obtain some or all bits of the secret against different ladders, including the common Montgomery ladder. We also demonstrate the generality of our approach by applying the ladder equations to the modular exponentiation and the scalar multiplication, both in the semi- and fully-interleaved cases, thus proposing novel and more secure algorithms.
Code-based cryptography is one of the main propositions for the post-quantum cryptographic context, and several protocols of this kind have been submitted on the NIST platform. Among them, BIKE and HQC are part of the five alternate candidates selected in the third round of the NIST standardization process in the KEM category. These two schemes make use of multiplication of large polynomials over binary rings, and due to the polynomial size (from 10000 to 60000 bits), this operation is one of the costliest during key generation, encapsulation or decapsulation mechanisms. In BIKE-2, there is also a polynomial inversion which is time consuming, and this problem has been addressed in [11]. In this work, we revisit the different existing constant-time algorithms for arbitrary polynomial multiplication. We explore the different Karatsuba and Toom-Cook constructions in order to determine the best combinations for each polynomial degree range, in the context of AVX2 and AVX512 instruction sets. This leads to different kernels and constructions in each case. In particular, in the context of AVX512, we use the VPCLMULQDQ instruction, which is a vectorized binary polynomial multiplication instruction. This instruction performs up to four multiplications of polynomials of degree up to 63, that is, four operand pairs of 64-bit words, each result being stored in a 128-bit word and the four results being packed into a single 512-bit word. This roughly divides by 3 the number of retired instructions for the operation in comparison with the AVX2 instruction set implementations, while the speedup is
2019 IEEE 26th Symposium on Computer Arithmetic (ARITH), 2019
The Polynomial Modular Number System (PMNS) is an integer number system designed to speed up arithmetic operations modulo a prime p. Such a system is defined by a tuple B = (p, n, , ρ, E) where E ∈ Z[X] and E() ≡ 0 (mod p). In a PMNS, an element a of Z/pZ is represented by a polynomial A such that A() ≡ a (mod p), deg A < n and ‖A‖∞ < ρ. In [6], the authors mentioned that PMNS can be highly redundant, but they didn't really take advantage of this possibility. In this paper we use, for the first time, the redundancy of PMNS to protect algorithms against Side Channel Attacks (SCA). More precisely, we focus on elliptic curve cryptography. We show how to randomize the modular multiplication in order to be safe against existing SCA, and we demonstrate the resistance of our construction. We describe the generation of a PMNS while guaranteeing, for all elements of Z/pZ, the minimum number of distinct representations we want. We also show how to reach all these representations.
Proceedings of the 18th International Conference on Security and Cryptography, 2021
The random generation of Euclidean addition chains fits well with a GLV context (Dosso et al., 2018) and provides a method with decent performance despite the growth of the base field required to get the same level of security. The aim of this paper is to reduce the size of the base field required. Combined with an algorithmic improvement, we obtain a reduction of 21% of the memory usage. Hence, our method appears to be one of the most compact scalar multiplication procedures and is particularly suitable for lightweight applications.
The concept of threshold ring signature in code-based cryptography was introduced by Aguilar et al. in [1]. Their proposal uses Stern's identification scheme as a basis. In this paper we construct a novel threshold ring signature scheme built on the q-SD identification scheme recently proposed by Cayrel et al. in [14]. Our proposed scheme benefits from a performance gain as a result of the reduction in the soundness error from 2/3 for Stern's scheme to 1/2 per round for the q-SD scheme. Our threshold ring signature scheme uses random linear codes over the field Fq, is secure in the random oracle model, and its security relies on the hardness of an error-correcting codes problem (namely the q-ary syndrome decoding problem). In this paper we also provide implementation results of the Aguilar et al. scheme and our proposal; this is the first efficient implementation of this type of code-based scheme.
In this thesis, new identification schemes are proposed. Their security depends on an NP-complete problem from the theory of error-correcting codes: the syndrome decoding problem (SD problem). Several variants are described in order to minimize the following three quantities: the memory required by the prover, the computational complexity on the prover's side, and the transaction throughput (the number of bits exchanged between the verifier and the prover during an identification process). To date, one of the proposed schemes has, among all other existing SD schemes, the best results with respect to these three criteria. An efficient cryptanalysis of the first identification scheme based on the SD problem, proposed by S. Harari, is described. Finally, a subclass of Goppa codes is presented: the Goppa-trace codes. It is shown that the dimension of these codes never reaches the general bound. New bounds are given according to whether these codes are defined over an arbitrary extension of a prime field, over an even-degree extension of a prime field, or over an even-degree extension of the two-element field. Moreover, in the binary case, it is shown that these codes are even-weight codes.
Addition chains are classical tools used to speed up exponentiation in cryptographic algorithms. In this paper we propose to use a subset of addition chains, the Euclidean addition chains, in order to define a new public key cryptosystem.
Papers by Pascal Véron