Verified Post-Quantum Cryptography

Last updated: 2022/04/26

Abstract

Cryptosystems are being developed to resist attacks by quantum computers, and efforts are being made to formally verify software to guard against implementation flaws. In this project we will study post-quantum cryptography and formal verification by implementing the McEliece cryptosystem using refinement types.

Overview

The goal of this project is to learn more about cryptography and formal verification by studying, implementing, and analyzing variants of the McEliece cryptosystem in a language designed for formal verification. This project has two aspects. The first is post-quantum cryptography (PQC). PQC is the study of cryptosystems which are resistant to attacks by quantum computers; in other words, systems for which there are no known quantum algorithms that can effectively break them. An example of a cryptosystem which is not post-quantum is the widely used RSA system which is vulnerable to Shor's algorithm due to being based on integer factorization. The second aspect is formal verification, or using automation to verify program correctness. We use refinement types to eliminate entire classes of errors, and proofs written in code combined with the type system and an automated theorem prover to automatically verify programs after changes are made.

The McEliece cryptosystem dates back to the 70s when it was proposed by Robert McEliece. The McEliece system is based on coding theory and is not vulnerable to any known quantum attacks, and recently a variant of this system known as Classic McEliece has made it to round 3 of the NIST Post Quantum Cryptography standardization effort. Classic McEliece is a KEM (Key Encapsulation Method) based on the Niederreiter PKE (Public Key Encryption) which is a high-performance variant of the original McEliece cryptosystem. For the scope of this project we will focus on implementing and comparing the two PKE variants (McEliece and Niederreiter).

To verify our implementation we use the Haskell programming language with LiquidHaskell which is a functional language with refinement types. LiquidHaskell is an extension that focuses on code verification while the program writen are otherwise regular Haskell.

Plan of Work

Due-dates are based on the in-class presentation schedule. See weekly status for progress.

Milestone 1 - 2022/02/03

2 weekends

• Explore reference materials (coding theory, McEliece and Niederreiter papers).
• Implement Hamming code version of McEliece.

Milestone 2 - 2022/03/01

4 weekends

• Explore Goppa codes and Patterson's algorithm.
• Implement Goppa code version of McEliece.

Milestone 3 - 2022/03/29

4 weekends

• Explore verification techniques (refinement types, measures, lemmas).
• Implement Niederreiter version of McEliece.

Deliverables

• Final Report Abstract (2022/02/24) - Note that the date in this incorrectly said 2021; this was fixed in the outline.
• Final Report Outline (2022/02/28)
• Poster Draft (2022/04/09)
• Final Report Early Draft (2022/04/22)
• Final Report Draft (2022/04/25)
• Poster Final (2022/04/28)
• Final Report (2022/04/28)

Presentations

• Project Overview (2022/01/18)
• Milestone 1 (2022/02/02)
• Milestone 2 (2022/03/01)
• Milestone 2 extended slides (2022/03/03)
• Milestone 3 (2022/03/29)

Source Code

• GIT Repository (Bitbucket)

Resources

McEliece

• Code based cryptography and steganography (INRIA)
• Cryptanalysis of the Original McEliece Cryptosystem (INRIA)
• Linear Codes and Applications in Cryptography (Vienna University of Technology) - Student paper.
• McEliece PKC Calculator (Journal Of Electrical Engineering)
• Coding Theory-Based Cryptography: McEliece Cryptosystems in SAGE (College of St. Benedict & St. John's University) - Student paper. An expanded version of the code is available here.
• How Sage Helps To Implement Goppa Codes and The McEliece Public Key Crypto System (Ubiquitous Computing and Communication Journal)
• Classic McEliece NIST Round 3 Documentation (Classic McEliece)
• White Paper on McEliece with Binary Goppa Codes (Eindhoven University of Technology) - Student paper.
• McEliece Cryptosystem (Wikipedia)
• Niederreiter Cryptosystem (Wikipedia)
• The McEliece Cryptosystem (UC Denver)
• Classic McEliece vs NTS-KEM (Classic McEliece)
• A Summary of McEliece-Type Cryptosystems and their Security (Journal of Mathematical Cryptology)

Coding Theory

• The Theory of Error Correcting Codes (Macwilliams, Sloane)
• Hamming Codes (University of New Brunswick)
• Coding Theory (UC Denver)
• Information Theory (University of Toronto
• Binary Goppa code (Wikipedia)

Cryptography

• Implementation of Cryptosystem Based on Error-Correcting Codes (Charles University in Prague)
• Polynomial Long Division (Wikipedia)
• Finite Field Arithmetic (Wikipedia)
• Galois Fields (University of Pittsburgh)
• Division and Inversion Over Finite Fields (Cryptography and Security in Computing)
• Polynomials in GF2 (University of New Brunswick)
• Key Encapsulation (Wikipedia)

Formal Verification

• Liquid Types (University of California, San Diego)
• Refinement Types for Haskell (University of California, San Diego / Microsoft Research)
• Liquid Haskell Docs (Liquid Haskell)
• Liquid Haskell Tutorial (Liquid Haskell)
• Programming With Refinement Types (Liquid Haskell)
• Compile Time Memory Safety Using Liquid Haskell (Haskell For All)
• HACL - A Verified Modern Cryptographic Library (INRIA / Microsoft Research)

---

Up