Throughout this section we assess our key-recovery algorithm. We first give a detailed account of how we compute the success rates for our key-recovery algorithm considering several scenarios, each with a different set of SIKE parameters, and finally show how to integrate a quantum key search algorithm (QKEA) to our key-recovery algorithm to improve its overall performance.
5.1. Performance and Success Rates of Our Key-Recovery Algorithm
This section reports success rates of our key-recovery algorithm. We first note that in this setting the attacker procures a noisy version
of
via a cold boot attack, as stated in
Section 4.1, and so our key-recovery algorithm tries to find a full key candidate for
from the noisy version. In order to compute estimates for success rates of our key-recovery algorithm, we analyze the following scenarios. For a given set of instance parameters, we calculate the success rate for our key-recovery algorithm with
NOKEA if it is set to (1) enumerate all the possible full key candidates; (2) enumerate an interval with roughly
full key candidates; (3) enumerate an interval with roughly
full key candidates; (4) enumerate an interval with roughly
full key candidates. In this context, by instance parameters we mean setting the array
, the array
,
w (normally 8),
,
, together with the selected SIKE parameters.
Note that given the noisy version
and the instance parameters, our key-recovery algorithm creates the lists
at the end of step 4, then these are passed to
NOKEA at the beginning of the step 5. Here is where we exploit several features of this algorithm in order to compute estimates for the success rates without actually running an enumeration with
NOKEA. In particular, we exploit the fact that
NOKEA can enumerate full key candidates of which total scores belong to a given interval in order from the highest to the lowest total score and that many scores of block candidates for a given block are repeated [
11,
36,
44]. In particular, once the lists
are created, our tweaked
NOKEA creates factorized lists, one per list
, that contain entries of the form
where
represents a score and
is the number of block candidates having
as score in the corresponding list
. These factorized lists are passed to an alternative version of
OKEA, where
is seen as a candidate value, and it generates another factorized list
L with entries of the same form
, which is sorted by score in descending order, i.e., from the highest to the lowest score. An entry
may be interpreted as there are
full key candidates of which total score is equal to
.
To calculate estimates for success rates, we run our tweaked key-recovery algorithm with all required parameters a fixed number of times (100 times) and then compute the corresponding success rate. Specifically, at each trial the SIKE key generation algorithm is run to obtain according to the selected set of SIKE parameters, and then is perturbed as per and and then our tweaked key-recovery algorithm is called by passing the noisy version , the instance parameters and the original key as parameters. It then runs until generating the lists and, at such point, checks that each block of the original key is found in the corresponding list . If so, it means that a complete enumeration, carried out by NOKEA, would not fail in finding the secret key (it would fail otherwise). On the condition that the complete enumeration will not fail, the tweaked NOKEA is run to create the factorized list L, which is used to determine if the original key may be found by the instance of NOKEA if it enumerates a range having roughly or or full key candidates. In particular, say, we want to determine if the original key can be found via enumerating a range with approximately full key candidates, , then the algorithm finds an entry at index e in L such that e is the smallest integer satisfying . If the score calculated for the original key (from the noisy version) lies in the interval , then it signifies that an enumeration in such interval (which contains at least candidates) will find the original key. We next describe the instance parameters we used to run our trials.
SIKEp434
For this set of SIKE parameters,
has a length of 28 bytes,
, which means that only the first bit of the last byte of
is used. Also, we set
w to 8,
to
and
to
r, for
, where
. Note that the number of chunks is 28 and the number of blocks is 7.
Figure 1 and
Figure 2 show the obtained results for this set of parameters.
Additionally, the function Test for this set of parameters takes about 5,141,167 cycles to run in a virtual machine type e2-highcpu-16 with 16 vCPUs and 16 GB of memory deployed in the Google Cloud Platform.
SIKEp503
For this set of SIKE parameters,
has a length of 32 bytes,
, which means that only the four first bits of the last byte of
are used. Also, we set
w to 8,
to
and
to
r, for
, where
. Note that the number of chunks is 32 and the number of blocks is 8.
Figure 3 and
Figure 4 show the obtained results for this set of parameters.
Additionally, the function Test for this set of parameters takes about 7,069,164 cycles to run in a virtual machine type e2-highcpu-16 with 16 vCPUs and 16 GB of memory deployed in the Google Cloud Platform.
We remark that the success rates for this set of parameters and those obtained for LUOV [
37] are essentially similar. This is expected since both LUOV’s secret key and SIKE’s secret key for this case are of length 32 bytes.
SIKEp610
For this set of SIKE parameters,
has a length of 38 bytes,
, which means that all the bits of the last byte of
are used. We also set
w to 8,
to
and
to
r, for
, where
. Note that the number of chunks is 38 and the number of blocks is 8.
Figure 5 and
Figure 6 show the obtained results for this set of parameters.
Additionally, the function Test for this set of parameters takes about cycles to run in a virtual machine type e2-highcpu-16 with 16 vCPUs and 16 GB of memory deployed in the Google Cloud Platform.
SIKEp751
For this set of SIKE parameters,
has a length of 48 bytes,
, which means that only the two first bits of the last byte of
are used. Also, we set
w to 8,
to
and
to
r, for
, where
. Note that the number of chunks is 48 and the number of blocks is 8.
Figure 7 and
Figure 8 show the obtained results for this set of parameters.
Additionally, the function Test for this set of parameters takes about 21,266,903 cycles to run in a virtual machine type e2-highcpu-16 with 16 vCPUs and 16 GB of memory deployed in the Google Cloud Platform.
Results Discussion
Note that all plots depicted by
Figure 1a–c,
Figure 3a–c,
Figure 5a–c and
Figure 7a–c, show a similar trend, namely, for all set of instance parameters and
, the success rate for a complete enumeration dominates the success rate for a
enumeration, which in turn dominates the success rate for a
enumeration, and which in turn dominates the success rate for a
enumeration. This is in alignment with what we expected. Moreover, we remark that the success rate decreases as long as
increases, although there are a few cases where, given
and
with
, the success rate for
is a bit larger than the success rate for
. This is due to the manner in which an interval is constructed by the
NOKEA algorithm (and hence its tweaked version). However, the general trend is that the success rate decreases while
increases, which is also in line with what is expected. Additionally,
Figure 2a,
Figure 4a,
Figure 6a and
Figure 8a show similar trends when comparing success rates for
in a full enumeration. Analogously,
Figure 2b,
Figure 4b,
Figure 6b and
Figure 8b also show similar trends when comparing success rates for
in a
enumeration.
5.2. Integrating a Quantum Key Search Algorithm with Our Key-Recovery Approach
Throughout this subsection we give a detailed account of a quantum key enumeration algorithm, denoted as
[
42], and show how to combine it with our key-recovery algorithm to improve its overall performance. We additionally derive the running time of step 5 of our key recovery algorithm (worst case) if
is run. Recall that at step 5, the lists
, for
, will be given as parameters to an instance of the quantum key enumeration algorithm (
QKEA).
relies on a non-optimal key enumeration algorithm developed from a rank algorithm (also known as a counting algorithm) by Martin et al. [
17]. The core idea is to leverage the rank algorithm to return a single candidate key with a particular rank within a specific range. Additionally, we remark that this algorithm uses a map that associates each score with a weight (a positive integer), where the smallest weight is regarded as the likeliest one [
17].
We assume the scores from each block candidate in the list
, for
, are mapped to weights, as shown in [
27,
42]. Given the range
, the rank algorithm constructs a two dimensional array
with
entries, and then uses it to compute the number of full key candidates in the range. Algorithm 6 constructs the two dimensional array
and its running time is given by
where
for
,
and
,
,
are constants, i.e., upper bounds on the running time consumed by primitive operations, such as return operations, addition operations, comparison operations.
Algorithm 6 constructs the two dimensional array . |
- 1:
function create() - 2:
; - 3:
- 4:
for do - 5:
for do - 6:
if then - 7:
- 8:
end if - 9:
end for - 10:
end for - 11:
for do - 12:
for do - 13:
for do - 14:
if then - 15:
; - 16:
end if - 17:
end for - 18:
end for - 19:
end for - 20:
return ; - 21:
end function
|
Note that, by construction,
is the number of full key candidates of which total scores are in the interval
. So the rank algorithm simply returns
and is described by Algorithm 7. Concerning its running time, it is given by
, where
is a constant, i.e., an upper bound on the running time of primitive operations.
Algorithm 7 computes the number of full key candidates in . |
- 1:
function rank() - 2:
; - 3:
return - 4:
end function
|
By using Algorithms 7 and 8 returns the full key candidate with rank
r in the given range
[
42]. We remark that Algorithm 8 is deterministic and that the full key candidate returned by it is not necessarily the
highest-scoring full key candidate in the given range. Regarding Algorithm 8’s running time, it is given by
where
,
,
are constants, i.e., upper bounds on the running time consumed by primitive operations.
Algorithm 8 returns the full key candidate with weight in the interval |
- 1:
function getKey() - 2:
if then - 3:
return ⊥ - 4:
end if - 5:
; - 6:
; - 7:
for do - 8:
for do - 9:
if then - 10:
; - 11:
; - 12:
break j; - 13:
end if - 14:
; - 15:
end for - 16:
end for - 17:
; - 18:
for do - 19:
; - 20:
if then - 21:
; - 22:
break j; - 23:
end if - 24:
; - 25:
end for - 26:
return - 27:
end function
|
By calling the
getKey function, Algorithm 9 tries to enumerate and test all full key candidates in the given interval [
42]. Note that
Test is pointer to the testing function (Algorithm 5). Concerning Algorithm 9’s running time, it is given by
, where
e is the number of full key candidates in the range
,
and
are constants and upper bounds on the running time consumed by primitive operations, and
is the running time of the testing function (Algorithm 5).
Algorithm 9 enumerates and tests all full key candidates with weight in the interval |
- 1:
function keySearch() - 2:
; - 3:
; - 4:
while do - 5:
; - 6:
if then - 7:
break; - 8:
end if - 9:
if then - 10:
break; - 11:
end if - 12:
; - 13:
end while - 14:
return ; - 15:
end function
|
Algorithm 10 calls the function
keySearch to search over partitions selected independently with approximately
full key candidates for
[
42]. Regarding Algorithm 10’s running time, this is given by
where
and
are upper bounds on the running time consumed by primitive operations, such as return operations, addition operations, comparison operations. The terms
and
are the running times of steps 5 and 13 of Algorithm 10. Note that this algorithm is similar to
NOKEA in the sense that it also enumerates full key candidates of which total scores belongs to the given range. Furthermore, the technique of partitioning the entire interval helps in improving the overall performance of Algorithm 10 when it is searching over an initial range with a large number of full key candidates.
Given the computational burden of Algorithm 10 lies on the execution of the function
keySearch (at step 7), then any improvement on this search algorithm implies a speed-up on Algorithm 10’s overall performance. The authors of [
42] show how this part may be modified by replacing it for a Grover’s oracle [
43], and so improving Algorithm 10’s overall performance. Algorithm 11 results from adjusting Algorithm 10 and relies on a Grover’s oracle, giving a quadratic speed-up on searches over partitions. The function
returns 1, on the condition that
r is the rank of the real secret key; otherwise, it returns 0. Grover’s algorithm [
43] shows that
r can be found on a quantum computer in only
steps, where
is the time to evaluate
, i.e.,
. Therefore Algorithm 11’s overall running time is given by replacing
in Equation (
6) for
(step 7 of Algorithm 11) plus the running time for Grover’s algorithm with
(steps from 8 to 9 of Algorithm 11).
Algorithm 10 performs a non-optimal enumeration over an interval with roughly e full key candidates. |
- 1:
function KS() - 2:
; - 3:
; - 4:
; - 5:
Find such that is roughly equals to e; - 6:
while do - 7:
; - 8:
if then - 9:
return ; - 10:
end if - 11:
; - 12:
; - 13:
Find such that is roughly equals to ; - 14:
end while - 15:
return ⊥; - 16:
end function
|
Algorithm 11 performs a quantum key enumeration over an interval with roughly e full key candidates. |
- 1:
function QKS() - 2:
; - 3:
; - 4:
; - 5:
Find such that is roughly equals to e; - 6:
while do - 7:
; - 8:
; - 9:
Call Grover’s algorithm with testing function - 10:
if a marked element r is found then - 11:
return ; - 12:
end if - 13:
; - 14:
; - 15:
Find such that is roughly equals to ; - 16:
end while - 17:
return ⊥; - 18:
end function
|