New results for rank based cryptography

Transcription

1 New results for rank based cryptography Philippe Gaborit University of Limoges, France (based on works with O. Ruatta,J. Schrek and G. Zémor) Telecom Sud Paris 6 juin 2014

2 Summary 1 Post-Quantum Cryptography

3 Motivations Post-quantum cryptography

4 General problems Motivations Cryptography needs different difficult problems factorization discrete log SVP for lattices syndrome decoding problem For code-based cryptography, the security of cryptosystems is usually related to the problem of syndrome decoding for a special metric.

5 PQ Crypto Motivations Consider the simple linear system problem : H a random (n k) n matrix over GF (q) Knowing s GF (q) n k is it possible to recover a given x GF (q) n such that H.x t = s? Easy problem : fix n k columns of H, one gets a (n k) (n k) submatrix A of H A invertible with good probability, x = A 1 s.

6 Motivations How to make this problem difficult? (1) add a constraint to x : x of small weight for a particular metric metric = Hamming distance code-based cryptography metric = Euclidean distance lattice-based cryptography metric = Rank distance rank-based cryptography only difference : the metric considered, and its associated properties!! (2) consider rather a multivariable non linear system : quadratic, cubic etc... Mutivariate cryptography

7 Motivations General interest of post-quantum cryptogrphy a priori resistant to a quantum computer usually faster than number-theory based cryptography easier to protect against side-channel attacks size of keys may be larger

8 Lattice-based cryptography Motivations Knapsack 78, NTRU 96, GGH 97 Regev 04 LWE difficult problem : finding short vectors in lattices cryptanalysis : LLL algorithm with heuristics FHE, better security reduction?, reasonable size of keys

9 Code-based cryptography Motivations McEliece 78, Stern 93,CFS 01, G. 05, MDPC 13 difficult problem : syndrome decoding problem cryptanalysis : ISD, closed formulae faster than lattices?, reasonable size of keys with cyclicity, security reduction?

10 Multivariate cryptography Motivations Matsumoto-Imai 88, HFE 95, SFlash 96, Rainbow 05, QUAD difficult problem : solving a multivariable system cryptanalysis : Groebner basis many instation broken (Crypto 07), security reduction?, unreasonable size of keys

11 Rank Codes : definition and basic properties

12 Rank metric codes The rank metric is defined in finite extensions. GF (q) a finite field with q a power of a prime. GF (q m ) an extension of degree m of GF (q). B = (b 1,..., b m ) a basis of GF (q m ) over GF (q). GF (q m ) can be seen as a vector space on GF (q). C a linear code over GF (q m ) of dimension k and length n. G a k n generator matrix of the code C. H a (n k) n parity check matrix of C, G.H t = 0. H a dual matrix, x GF (q m ) n syndrome of x = H.x t GF (q m ) n k

13 Rank metric Words of the code C are n-uplets with coordinates in GF (q m ). v = (v 1,..., v n ) with v j GF (q m ). Any coordinate v j = m i=1 v ijb i with v ij GF (q). v(v 1,..., v n ) V = v 11 v v 1n v 21 v v 2n v m1 v m2... v mn

14 Definition (Rank weight of word) v has rank r = Rank(v) iff the rank of V = (v ij ) ij is r. equivalently Rank(v) = r <=> v j V r GF (q m ) n with dim(v r )=r. the determinant of V does not depend on the basis Definition (Rank distance) Let x, y GF (q m ) n, the rank distance between x and y is defined by d R (x, y) = Rank(x y).

15 Definition (Minimum distance) Let C be a [n, k] rank code over GF (q m ), the minimum rank distance d of C is d = min{d R (x, y) x, y C, x y} ; Theorem (Unique decoding) Let C[n, k, d] be a rank code over GF (q m ). Let e an error vector with r = Rank(e) d 1 2, and c C : if y = c + e then there exists a unique element c C such that d(y, c ) = r. Therefore c = c. proof : same as for Hamming, distance property.

16 Rank isometry Notion of isometry : weight preservation Hamming distance : n n permutation matrices Rank distance : n n invertible matrices over GF (q) proof : multiplying a codeword x GF (q m ) n by an n n invertible matrix over the base field GF(q) does not change the rank (see x as a m n matrix over GF (q)). remark : for any x GF (q m ) n : Rank(x) w H (x) : potential linear combinations on the x i may only decrease the rank weight.

17 Support analogy An important insight between Rank and Hamming distances tool : support analogy support of a word of GF (q) n in Hamming metric x(x 1, x2,, x n ) : set of positions x i 0 support of a word of GF (q) n in rank metric x(x 1, x2,, x n ) : the subspace over GF (q), E GF (q m ) generated by {x 1,, x n } in both cases if the order of size of the support is small, knowing the support of x and syndrome s = H.x t permits to recover the complete coordinates of x.

18 Sphere packing bound Counting the number of possible supports for length n and dimension t Hamming : number of sets with t elements in sets of n elements : Newton binomial ( n t) ( 2 n ) Rank : number of subspaces of dimension t over GF (q) in the space of dimension n GF (q m ) : Gaussian binomial [ ] n t q ( qtn )

19 Sphere packing bound Theorem (Sphere packing bound) Let C[n, k, d] be a rank code over GF (q m ) n, the parameters n, k, d and d satisfy : q mk B(n, m, q, d 1 2 ) qnm Theorem (Singleton bound) Let C[n, k, d] be a rank code over GF (q m ) n, the parameters n, k and d satisfy : d 1 + (n k)m n The rank Gilbert-Varshamov (GVR) bound for a C[n, k] rank code over GF (q m ) n with dual matrix H corresponds to the average value of the minimum distance of a random [n, k] rank code. asymptotically : in the case m = n : GVR(n,k,m,q) n 1 k n

20

21 Low Rank Parity Check codes - LRPC Families of decodable codes in rank metric There exists 3 main families of decodable codes in rank metric Gabidulin codes (1985) (analog of Reed-Solomon codes with rank metric and q-polynomials) simple matrix construction (2008) LRPC codes (2013) These codes have different properties, a lot of attention was given to rank metric and especially to subspace metric with the development of Network coding in the years 2000 s.

22 LRPC codes Low Rank Parity Check codes - LRPC LDPC : dual with low weight (ie : small support) equivalent for rank metric : dual with small rank support Definition (GMRZ13) A Low Rank Parity Check (LRPC) code of rank d, length n and dimension k over F q m is a code such that the code has for parity check matrix, a (n k) n matrix H(h ij ) such that the vector space F of F q m generated by its coefficients h ij has dimension at most d. We call this dimension the weight of H. In other terms : all coefficients h ij of H belong to the same low vector space F < F 1, F 2,, F d > of F q m of dimension d.

23 Decoding LRPC codes Low Rank Parity Check codes - LRPC Idea : as usual recover the support and then deduce the coordinates values. Let e(e 1,..., e n ) be an error vector of weight r, ie : e i : e i E, and dim(e)=r. Suppose H.e t = s = (s 1,..., s n k ) t. e i E < E 1,..., E r >, h ij F < F 1, F 2,, F d > s k < E 1 F 1,.., E r F d > if n k is large enough, it is possible to recover the product space < E 1 F 1,.., E r F d >

24 Decoding LRPC codes Low Rank Parity Check codes - LRPC Syndrome s(s 1,.., s n k ) : S =< s 1,.., s n k > < E 1 F 1,.., E r F d > Suppose S =< E.F > possible to recover E. Let S i = F 1 i.s, since S =< E.F >=< F i E 1, F i E 2,.., F i E r,... > E S i E = S 1 S 2 S d

25 General decoding of LRPC codes Low Rank Parity Check codes - LRPC Let y = xg + e 1 Syndrome space computation Compute the syndrome vector H.y t = s(s 1,, s n k ) and the syndrome space S =< s 1,, s n k >. 2 Recovering the support E of the error S i = F 1 i S, E = S 1 S 2 S d, 3 Recovering the error vector e Write e i (1 i n) in the error support as e i = n i=1 e ije j, solve the system H.e t = s. 4 Recovering the message x Recover x from the system xg = y e.

26 Decoding of LRPC Low Rank Parity Check codes - LRPC Conditions of success - S =< F.E > rd n-k. - possibility that dim(s) n k probabilistic decoding with error failure in q (n k rd) - if d = 2 can decode up to (n k)/2 errors. Complexity of decoding : very fast symbolic matrix inversion O(m(n k) 2 ) write the system with unknowns : e E = (e 11,..., e nr ) : rn unknowns in GF (q), the syndrome s is written in the symbolic basis {E 1 F 1,..., E r F d }, H is written in h ij = h ijk F k, nr m(n k) matrix in GF (q), can do precomputation. Decoding Complexity O(m(n k) 2 ) op. in GF (q) Comparison with Gabidulin codes : probabilistic, decoding failure, but as fast.

27 Low Rank Parity Check codes - LRPC Complexity issues : decoding random rankcodes

28 Rank syndrome decoding Semantic complexity Combinatorial attacks Algebraic attacks For cryptography we are interested in difficult problems, in the case of rank metric the problem is : Definition (Rank Syndrome Decoding problem (RSD)) Instance : a (n k) n matrix H over GF (q m ), a syndrome s in GF (q m ) n k and an integer w Question : does there exist x GF(q m ) n such that H.x t = s and w R (x) w? Definition (Syndrome Decoding problem (SD)) Instance : an r n matrix H = [h 1, h 2,..., h n ] over a field GF (q), a column vector s GF (q) r, an integer w Question : does there exist x = (x 1,..., x n ) GF (q) n of Hamming weight at most w such that H t x = n i=1 x ih i = s?

29 Semantic complexity Combinatorial attacks Algebraic attacks Problem SD proven NP-complete by Berlekamp et al. in Computational complexity of RSD : solved in 2014 (G.,Zemor 2014) Definition (embedding strategy) Let m n and Q = q m. Let α = (α 1,... α n ) be an n-tuple of elements of GF (Q). Define the embedding of GF (q) n into GF (Q) n ψ α : GF (q) n GF (Q) n x = (x 1,..., x n ) x = (x 1 α 1,... x n α n ) and for any GF (q)-linear code C in GF (q) n, define C = C(C, α) as the GF (Q)-linear code generated by ψ α (C), i.e. the set of GF (Q)-linear combinations of elements of ψ α (C).

30 A randomized reduction Semantic complexity Combinatorial attacks Algebraic attacks General idea of the embedding : Theorem (1, 0, 0, 1, 0, 1) (α 1, 0, 0, α 4, 0, α 5 ) Let C be a random code over GF(q) and α random, then for convenient m, with a very strong probability :. d H (C) = d R (C) Theorem If there exists a polynomial time algorithms which solves RSD then P=RP.

31 Best known attacks Semantic complexity Combinatorial attacks Algebraic attacks There are two types of attacks on the RSD problem : Combinatorial attacks Algebraic attacks Depending on type of parameters, the efficiency varies a lot.

32 Combinatorial attacks Semantic complexity Combinatorial attacks Algebraic attacks first attack Chabaud-Stern 96 : basis enumeration improvements A.Ourivski and T.Johannson 02 Basis enumeration : (k + r) 3 q (r 1)(m r)+2 (amelioration on polynomial part of Chabaud-Stern 96) Coordinates enumeration : (k + r) 3 r 3 q (r 1)(k+1) last improvement : G. et al. 12 (k+1)m (r 1) Support attack : O(q n )

33 Semantic complexity Combinatorial attacks Algebraic attacks Basis enumeration Hamming/Rank attacks Attack in rank metric to recover the support - a naive approach would consist in trying ALL possible supports : all set of coordinates of weight w Of course one never does that!!! Attack in rank metric to recover the support The analog of this attack in rank metric : try all possible supports, ie all vector space of dimension r : q (m r).r such basis, then solve a system. it is the Chabaud-Stern ( 96) attack - improved by OJ 02 By analogy with the Hamming : it is clearly not optimal In particular the exponent complexity does not depend on n

34 Improvement : ISD for rank metric Semantic complexity Combinatorial attacks Algebraic attacks Information Set Decoding for Hamming distance (simple original approach) : H.x t = s - syndrome size : n k n k equations - take n k random columns, if they contain the error support, one can solve a system Analog for rank metric : - syndrome size : n k (n k)m equations in F q - consider a random space E of F m q of dimension r which contain E one can solve if nr (n k)m as for ISD for Hamming metric : improve the complexity since easier to find.

35 Support attack Semantic complexity Combinatorial attacks Algebraic attacks Detail : Increasing of searched support : r r avec r n m(n k). e = βu with β a basis of rank r and U a r n matrix. Operations : More support to test : q (r 1)(m r) q (r 1)(m r ) Better probability to find : 1 q(r m) q (r 1)(m r) q (r 1)(m r) Complexity : min(o((n k) 3 m 3 q r km n ), O((n k) 3 m 3 q (r 1) (k+1)m n ))

36 Support attack Semantic complexity Combinatorial attacks Algebraic attacks Conclusion on the first attack Improvement on previous attacks based on HU t β t = Hy t. exponential omplexity in the general case Complexité : min(o((n k) 3 m 3 q r km n ), O((n k) 3 m 3 q (r 1) (k+1)m n )) Comparison with previous complexities : basis enumeration : (k + r) 3 q (r 1)(m r)+2 coordinates enumeration : (k + r) 3 r 3 q (r 1)(k+1) Remark : when n = m same expoential complexity that OJ 02

37 Algebraic attacks for rank metric Semantic complexity Combinatorial attacks Algebraic attacks General idea : translate the problem in equations then try to resolve with grobner basis Main difficulty : translate in equations the fact that coordinates belong to a same subspace of dimension r in GF (q m )? Levy-Perret 06 : Taking error support as unknown quadratic setting Kipnis-Shamir 99 ( FLP 08) and others..) : Kernel attack, (r + 1) (r + 1) minors degree r + 1 G. et al. 12 : annulator polynomial degree q r

38 Attack with q-polynomials Semantic complexity Combinatorial attacks Algebraic attacks Definition (q-polynomials) A q-polynomial is a polynomal of the form P(x) = r i=0 p ix qi with p r 0 et p i F q m. Linearity : P(αx + βy) = αp(x) + βp(y) with x, y F q m and α, β F q. B basis of r vectors of F q m,!p unitary q-polynomial such that b B, P(b) = 0 (Ore 33). One can then define a subspace of dimension r with a polynomial of q-degree r.

39 Attack with q-polynomial Semantic complexity Combinatorial attacks Algebraic attacks Reformulation : c + e = y with c a word of C, e a word of weight r and y known. There exists a polynomial P of q-degree r such that P(c y) = 0 moreover there exists x such that c = xg, which gives : ( r p i (xg 1 y 1 ) qi,..., i=0 r p i (xg n y n ) qi ) with x F q m k, G j the j-ith column of G and y F q m n known. i=0

40 Attack with q-polynomials Semantic complexity Combinatorial attacks Algebraic attacks Advantages : less unknowns, sparse equations Disadvantages : higher degree equations q r + 1 Three methods to solve : Linearization Grobner basis Hybrid approach : partial enumeration of unknowns

41 Semantic complexity Combinatorial attacks Algebraic attacks Conclusion on attacks Combinatorial : quadratic in the exponent, usually the best ones but depend on q Algebraic : very high when r increases but do not depend on q

42 Semantic complexity Combinatorial attacks Algebraic attacks best attacks : exponential with quadratic complexity in the exponent. Comparison of this problem with other problems for a 2 n complexity with best known attacks : problem size of key semantic security factorization Ω(n 3 ) no discrete log (large car.) Ω(n 3 ) no ECDL Ω(n) no SVP ideal lattices Ω(n) no SD cyclic-codes Ω(n) no SD Ω(n 2 ) yes SVP Ω(n 2 ) yes RSD Ω(n 1.5 ) yes

43 The GPT cryptosystem and its variations LRPC codes for cryptography ENCRYPTION IN RANK METRIC

44 The GPT cryptosystem and its variations LRPC codes for cryptography - Gabidulin et al. 91 : first encryption scheme based on rank metric - adaptation of McELiece scheme, many variations : Parameters B {b 1,, b m } a basis of GF (q m ) over GF (q) Private key G generates a Gabidulin code Gab(m, k), r = m k 2 S a random k t 1 matrix in GF (q m ) P a random matrix in GL m+t1 (GF (q)) S a random invertible k k matrix in GF (q m ) Public key G pub = S(G Z)P

45 The GPT cryptosystem and its variations LRPC codes for cryptography y = xg pub + e, Rank(e) r Decryption - Compute yp 1 = x(g Z) + ep 1 - Puncture the last t 1 columns and decode

46 The GPT cryptosystem and its variations LRPC codes for cryptography Other variations :G Gabidulin matrix, H : dual matrix Masking public matrix authors Scrambling matrix SG + X GPT 91 Right scrambling S(G ( Z)P ) Gabi. Ouriv. 01 H Subcodes Ber. Loi. 02 ( A ) G1 0 Rank Reducible [OGHA03],[BL04] A G 2

47 Overbeck s structural attack The GPT cryptosystem and its variations LRPC codes for cryptography Overbeck 06 general idea : if one consider G=Gab[n,k] and one applies the frobenius : x x q to each coordinate of G then G q and G have k 1 rows in common! starting from G pub = S(G Z)P, one can prove there is a rank default in : G pub. G qn k 1 pub the matrix is a k(n k) (n + t 1 ) matrix, first n columns part : rank n 1 and not n! Overbeck uses this point to break parameters of all presented

48 Reparation The GPT cryptosystem and its variations LRPC codes for cryptography and after : reparations an new type of masking resistant to Overbeke attack 2 families of parameters : - Loidreau (PQC 10) - Haitham Rashwan, Ernst M. Gabidulin, Bahram Honary ISIT 09, 10 [GRS12] new attacks break all proposed parameters

49 Results Post-Quantum Cryptography The GPT cryptosystem and its variations LRPC codes for cryptography P. Loidreau (PQC 10) Code [n, k, r] m OJ1 OJ2 Over ES L LH HGb [64, 12, 6] non hours [76, 12, 6] non s Haitham Rashwan, Ernst M. Gabidulin, Bahram Honary ISIT 09, 10 Code [n, k, r] m Over ES L LH HGb [28, 14, 3] non days [28, 14, 4] non 2 65 not finished [20, 10, 4] non days [20, 12, 4] non 2 60 not finsihed

50 Conclusion on GPT-like systems The GPT cryptosystem and its variations LRPC codes for cryptography All actual proposed parameters are actually broken New masking still proposed Probably possible to find resistant parameters with public key size 15,000 bits Inherent potential vulnerability structure due to hidden structure of Gabidulin codes Faure-Loidreau cryptosystem??? reconstruction

51 The NTRU-like family The GPT cryptosystem and its variations LRPC codes for cryptography NTRU MDPC LRPC double circulant matrix (A B) (I H) A and B : cyclic with 0 and 1, over Z/qZ (small weight) (q=256), N 300 double circulant matrix (A B) (I H) A and B : cyclic with 0 and 1, 45 1, (small weight) N 4500 double circulant matrix (A B) (I H) A and B : cyclic with small weight (small rank)

52 LRPC codes for cryptography The GPT cryptosystem and its variations LRPC codes for cryptography We saw that LRPC codes with H [n-k,n] over F of rank d could decode error of rank r with probability q n k rd+1 : McEliece setting : Public key : G LRPC code : [n, k] of weight d which can decode up to errors of weight r Public key : G = MG Secret key : M c= mg +e, e of rank r Decryption Decode H.c t in e, then recover m. Smaller size of key : double circulant LRPC codes : H=(I A), A circulant matrix

53 Application to cryptography The GPT cryptosystem and its variations LRPC codes for cryptography Attacks on the system - message attack : decode a word of weight r for a [n, k] random code - structural attack : recover the LRPC structure a [n, n k] LRPC matrix of weight d contains a word with n d first zero positions. Searching for a word of weight d in a [n n d, n k n d ] code. Attack on the double circulant structure as for lattices or codes (with Hamming distance) no specific more efficient attack exists exponentially better than decoding random codes.

54 Parameters The GPT cryptosystem and its variations LRPC codes for cryptography n k m q d r failure public key security

55 Conclusion for LRPC The GPT cryptosystem and its variations LRPC codes for cryptography LRPC : new family of rank codes with an efficient probabilistic decoding algorithm Application to cryptography in the spirit of NTRU and MDPC (decryption failure, more controlled) Very small size of keys, comparable to RSA More studies need to be done but very good potentiality

56 The GPT cryptosystem and its variations LRPC codes for cryptography Authentication

57 Chen s protocol Chen ZK authentication protocol : attack and repair Signature in rank metric In 95 K. Chen proposed a rank metric authentication scheme, in the spirit of the Stern SD protocol for Hamming distance and Shamir s PKP protocol. Unfortunately the ZK proof is false... a good toy example to understand some subtilities of rank metric. [G. et al. (2011)]

58 Philippe Gaborit University of Limoges, France Figure: (based onrank-sd works with New O. results protocol Ruatta,J. for Schrek rank based and cryptography G. Zémor) Post-Quantum Cryptography Chen ZK authentication protocol : attack and repair Signature in rank metric 1 [Commitment step] The prover P chooses x V n, P GL n (GF(q and Q GL m (q). He sends c 1, c 2, c 3 such that : c 1 = hash(q P Hx t ), c 2 = hash(q xp), c 3 = hash(q (x + s)p 2 [Challenge step] The verifier V sends b {0, 1, 2} to P. 3 [Answer step] there are three possibilities : if b = 0, P reveals x and (Q P) if b = 1, P reveals x + s and (Q P) if b = 2, P reveals Q xp and Q sp 4 [Verification step] there are three possibilities : if b = 0, V checks c 1 and c 2. if b = 1, V checks c 1 and c 3. if b = 2, V checks c 2 and c 3 and that rank(q sp) = r.

59 Chen ZK authentication protocol : attack and repair Signature in rank metric Public matrix H : (n k) k m = 2691 bits Public key i : (n k)m = 299 bits Secret key s : r(m + n) = 360 bits Average number of bits exchanged in one round : 2 hash + one word of GF(q m ) 820 bits.

60 Chen ZK authentication protocol : attack and repair Signature in rank metric Signature with rank metric

61 Different approaches for signature Chen ZK authentication protocol : attack and repair Signature in rank metric Signatures by inversion unique inversion : RSA,CFS several inversions : NTRUSign, GGH, GPV Signature by proof of knowledge by construction : Schnorr, DSA, Lyubashevski (lattices 2012) generic : Fiat-Shamir paradigm one-time signatures : KKS 97, Lyubashevski 07

62 A first approach Chen ZK authentication protocol : attack and repair Signature in rank metric In rank metric it is possible to use the FS paradigm with our new protocol leads to small public keys : 2500b, signature length 60, 000b Can we do better?

63 CFS Post-Quantum Cryptography Chen ZK authentication protocol : attack and repair Signature in rank metric In 2001 Courtois Finiasz and Sendrier proposed a RSA-like signature for codes. SUppose one gets a decoding algorithm (inverse of a syndrome) unlike RSA, is it possible to consider a random codeword and invert it?? in general no : the density of invertible codewords is exponentially low... for a Goppa [2 m, 2 m tm, 2t + 1] the density is 1 t! CFS 01 : consider extreme parameters where t is low ( 10) and repeat until it works! leads to flat hidden matrices : [2 16, 154], signature shorts, very large size of keys : several MB, rather lengthy - more than RSA -(but can be parallelized)

64 New approach for rank metric [Gaborit,Ruatta,Schrek,Zemor 2013] Chen ZK authentication protocol : attack and repair Signature in rank metric Inversion case : there are two approaches : CFS : you are below GV and search for an invertible solution GPV, NTRUSign, GGH : beyond Gauss : construct one special solution which approximates a syndrome leads to better parameters (be careful to information leaking!) is it possible to do that with codes? in Hamming binary seems difficult, in rank? Not usual point of view for codes where one prefers a unique solution!

65 Chen ZK authentication protocol : attack and repair Signature in rank metric Consider the set of x of rank r and the set of reachable syndrome H.x t for H length n. for rank metric : support and coordinates are disjoint suppose we fix T of dimension t, if possible to consider r = r + t just like that then one multiplies the number of decodable syndromes by q tn improvement of density of decodable syndromes. Different choices of T different choices for preimage but unicity of decoding for a given T

66 General idea Chen ZK authentication protocol : attack and repair Signature in rank metric Fix a subspace T of GF (q m ) so that we want T E What is T? T corresponds to the notion of erasure (generalized) Hamming y = (y 1, y 2,..., y n ) = (c 1, c 2 + e 2, c 3,, c 4,,..., c n + e n ) Rank y = (y 1, y 2,..., y n ) = (c 1 + e 1, c 2 + e 2,..., c n + e n ), e i E, but T E

67 Chen ZK authentication protocol : attack and repair Signature in rank metric Theorem (Errors/erasures decoding of LRPC codes) Let H be a dual n k n matrix associated to a LRPC code with small space F of dimension d, over an extension field GF (q m ) over a small field of size q. Let r n k d, and let T be a random subspace of dimension t, such that (r + t).(2d 1) m. Let s be a syndrome such that there exists a unique support E, with T E of dimension r = t + r such that there exists a word e of support E such that H.e t = s. Then knowing T it is possible to retrieve the support E of e with a probability 1/q.

68 idea of the proof Chen ZK authentication protocol : attack and repair Signature in rank metric Similar to LRPC : E = {E 1,..., E r }, F = {F 1,..., F d } H.e t = s s < E.F > from n k s i one recovers S =< E.F > then E = F1 1 S... F 1 S d

69 LRPC with erasure Chen ZK authentication protocol : attack and repair Signature in rank metric Input T =< T 1,, T t >, H a matrix of LRPC, a syndrome s = H.e t, with support E and dim(e) = t + n k d and T E Result : the error vector e. 1 Syndrome computations a) Compute B = {F 1 T 1,, F d T t } of the product space < F.T >. b) Compute the subspace S =< B {s 1,, s n k } >. 2 Recovering the support E of the error Define S i = F 1 i S, compute E = S 1 S 2 S d, and compute a basis {E 1, E 2,, E r } of E. 3 Recovering the error vector e Write e i = n i=1 e ije j, and solve a linear system.

70 Chen ZK authentication protocol : attack and repair Signature in rank metric Seems magical and seems to have errors for free. Price to pay? small price : one cannot take t independently of n one needs in practice in the optimal case : n k n d best results : d = 2 anyway

71 Density Post-Quantum Cryptography Chen ZK authentication protocol : attack and repair Signature in rank metric Lemma Let T a subspace of dimension t of GF (q m ) then the number of distinct subspaces E of dimension r = t + r of GF (q m ) such that T E is : Π r 1 1 i=0 (qm t i q i+1 1 )

72 Chen ZK authentication protocol : attack and repair Signature in rank metric Corollary (Density of decodable syndromes ) The density of unique support decodable syndromes of rank weight r = t + r for a fixed random partial support T of dimension t is : Π r 1 i=0 ( qm t i 1 q i+1 1 ).min(qnr, q rd(n k) ) q (n k)m. density 1 almost independent on q. q = 2, m = 45, n = 40, k = 20, t = 5, r = 10, decodes up to r = t + r = 15 for a fixed random partial support T of dimension 5. GVR bound (m=45) [40, 20] is 13, Singleton bound = 20, decoding radius = 15, and

73 RankSign + signature algorithm Chen ZK authentication protocol : attack and repair Signature in rank metric 1 Secret key : H :LRPC, r = t + n k 2 errors, R random in GF (q m ), invertible in GF (q m ), P invertible in GF (q). 2 Public key : the matrix H = A(R H)P, a small integer value l. 3 Signature of a message M : a) initialization : seed {0, 1} l, pick (e 1,, e t ) GF (q m ) t b) syndrome : s hash(m seed) GF (q m ) n k c) decode by H, s = A 1.s T R.(e 1,, e t ) T with T =< e 1,, e t > and r errors d) if the decoding works (e t+1,, e n+t ) of weight r = t + r, signature=((e 1,, e n+t ).(P T ) 1, seed), else return to a). 4 Verification : Verify that Rank(e) = r = t + r and H.e T = s = hash(m seed).

74 Structural attacks Chen ZK authentication protocol : attack and repair Signature in rank metric Overbeck attack : irrelevant Attack on the dual matrix : r = t + d Attack on isometry matrix P : recover some positions of P

75 Approximation beyond GVR Chen ZK authentication protocol : attack and repair Signature in rank metric Approximate - Rank Syndrome Decoding problem (App-RSD) Let H be a (n k) n matrix over GF (q m ) with k n, s GF (q m ) n k and let r be an integer. The problem is to find a solution of rank r such that rank(x) = r and Hx t = s. if r min((n k), m(n k) n ) (Singleton bound) then the problemis polynomial in general, best attack : Complexity for finding one word Number of words

76 Information leaking Chen ZK authentication protocol : attack and repair Signature in rank metric Main problem for signature (see NTRUSign) : information leaking Theorem For any algorithm that leads to a forged signature using N q/2 authentic signatures, there is an algorithm with the same complexity that leads to a forgery using only the public key as input and without any authentic signatures.

77 Chen ZK authentication protocol : attack and repair Signature in rank metric idea of proof : under the random oracle model, there exists a polynomial time algorithm that takes as input the public matrix H and produces couples (m, σ), where m is a message and σ a valid signature for m, with the same distribution as those output by the authentic signature algorithm. Therefore whatever forgery can be achieved from the knowledge of H and a list of valid signed messages, can be simulated and reproduced with the public matrix H as only input.

78 Parameters Chen ZK authentication protocol : attack and repair Signature in rank metric n n-k m q d t r r GV Sg pk sign LP Dual DS DA > >

79 Chen ZK authentication protocol : attack and repair Signature in rank metric GENERAL CONCLUSION

80 Chen ZK authentication protocol : attack and repair Signature in rank metric Rank distance is interesting since small parameters strong resistance until recently only one family of decodable codes LRPC codes -weak structure-, similar to NTRU or MDPC offer many advantages very good potential with very good parameters but needs more scrutiny

81 Open problems Chen ZK authentication protocol : attack and repair Signature in rank metric deterministic reduction to SD rather than only probabilistic? Is it possible to have worst case - average case reduction? Left over hash lemma? Attacks improvements on rank ISD? Better algebraic settings? Implementations? homomorphic - FHE (be crazy!)

82 Chen ZK authentication protocol : attack and repair Signature in rank metric THANK YOU