New results for rank based cryptography

Similar documents
arxiv: v1 [cs.cr] 6 Jan 2013

McEliece type Cryptosystem based on Gabidulin Codes

Low Rank Parity Check codes and their application to cryptography

Cryptographic applications of codes in rank metric

A new zero-knowledge code based identification scheme with reduced communication

Code-based Cryptography

An Overview to Code based Cryptography

Introduction to Quantum Safe Cryptography. ENISA September 2018

Noisy Diffie-Hellman protocols

Attacks in code based cryptography: a survey, new results and open problems

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

Errors, Eavesdroppers, and Enormous Matrices

Algebraic Decoding of Rank Metric Codes

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Code Based Cryptography

Code Based Cryptology at TU/e

Constructive aspects of code-based cryptography

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Hidden Field Equations

Side-channel analysis in code-based cryptography

Error-correcting Pairs for a Public-key Cryptosystem

Decoding One Out of Many

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Cryptanalysis of the TTM Cryptosystem

An Overview on Post-Quantum Cryptography with an Emphasis. an Emphasis on Code based Systems

Simple Matrix Scheme for Encryption (ABC)

Quantum-resistant cryptography

CRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES

On the Complexity of the Hybrid Approach on HFEv-

Code-Based Cryptography McEliece Cryptosystem

Error-correcting codes and applications

How to improve information set decoding exploiting that = 0 mod 2

Post-Quantum Cryptography

The failure of McEliece PKC based on Reed-Muller codes.

Code-based cryptography

Key Recovery on Hidden Monomial Multivariate Schemes

Improved Cryptanalysis of HFEv- via Projection

Notes 10: Public-key cryptography

Cryptographical Security in the Quantum Random Oracle Model

A Smart Approach for GPT Cryptosystem Based on Rank Codes

1 Number Theory Basics

Lossy Trapdoor Functions and Their Applications

Algorithmic Number Theory and Public-key Cryptography

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

Lecture 1: Introduction to Public key cryptography

Vector spaces. EE 387, Notes 8, Handout #12

Open problems in lattice-based cryptography

Channel Coding for Secure Transmissions

Division Property: a New Attack Against Block Ciphers

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem

Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017

Post-Quantum Cryptography

McEliece in the world of Escher

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Toward Secure Implementation of McEliece Decryption

Gröbner Bases in Public-Key Cryptography

MATH 291T CODING THEORY

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

MATH 291T CODING THEORY

Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

Efficient Encryption from Random Quasi-Cyclic Codes

Enhanced public key security for the McEliece cryptosystem

A distinguisher for high-rate McEliece Cryptosystems

Hexi McEliece Public Key Cryptosystem

A New Code-based Signature Scheme with Shorter Public Key

Rank Analysis of Cubic Multivariate Cryptosystems

On the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier

arxiv: v4 [cs.cr] 30 Nov 2017

New Directions in Multivariate Public Key Cryptography

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Notes on Alekhnovich s cryptosystems

The Support Splitting Algorithm and its Application to Code-based Cryptography

An Efficient Lattice-based Secret Sharing Construction

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

MATH32031: Coding Theory Part 15: Summary

Cryptanalysis of the Oil & Vinegar Signature Scheme

How to Encrypt with the LPN Problem

Attacking and defending the McEliece cryptosystem

A Fuzzy Sketch with Trapdoor

Reducing Key Length of the McEliece Cryptosystem

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Cryptanalysis of the Wu}Dawson Public Key Cryptosystem

Strengthening McEliece Cryptosystem

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

MaTRU: A New NTRU-Based Cryptosystem

Inoculating Multivariate Schemes Against Differential Attacks

arxiv: v2 [cs.cr] 14 Feb 2018

Cryptographic Protocols Notes 2

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Post-Quantum Cryptography & Privacy. Andreas Hülsing

ELEC 519A Selected Topics in Digital Communications: Information Theory. Hamming Codes and Bounds on Codes

8 Elliptic Curve Cryptography

Gabidulin Codes that are Generalized. Reed Solomon Codes

Introduction to Modern Cryptography. Benny Chor

Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment

Side Channel Analysis and Protection for McEliece Implementations

Transcription:

New results for rank based cryptography Philippe Gaborit University of Limoges, France (based on works with O. Ruatta,J. Schrek and G. Zémor) Telecom Sud Paris 6 juin 2014

Summary 1 Post-Quantum Cryptography 2 3 4 5 6

Motivations Post-quantum cryptography

General problems Motivations Cryptography needs different difficult problems factorization discrete log SVP for lattices syndrome decoding problem For code-based cryptography, the security of cryptosystems is usually related to the problem of syndrome decoding for a special metric.

PQ Crypto Motivations Consider the simple linear system problem : H a random (n k) n matrix over GF (q) Knowing s GF (q) n k is it possible to recover a given x GF (q) n such that H.x t = s? Easy problem : fix n k columns of H, one gets a (n k) (n k) submatrix A of H A invertible with good probability, x = A 1 s.

Motivations How to make this problem difficult? (1) add a constraint to x : x of small weight for a particular metric metric = Hamming distance code-based cryptography metric = Euclidean distance lattice-based cryptography metric = Rank distance rank-based cryptography only difference : the metric considered, and its associated properties!! (2) consider rather a multivariable non linear system : quadratic, cubic etc... Mutivariate cryptography

Motivations General interest of post-quantum cryptogrphy a priori resistant to a quantum computer usually faster than number-theory based cryptography easier to protect against side-channel attacks size of keys may be larger

Lattice-based cryptography Motivations Knapsack 78, NTRU 96, GGH 97 Regev 04 LWE difficult problem : finding short vectors in lattices cryptanalysis : LLL algorithm with heuristics FHE, better security reduction?, reasonable size of keys

Code-based cryptography Motivations McEliece 78, Stern 93,CFS 01, G. 05, MDPC 13 difficult problem : syndrome decoding problem cryptanalysis : ISD, closed formulae faster than lattices?, reasonable size of keys with cyclicity, security reduction?

Multivariate cryptography Motivations Matsumoto-Imai 88, HFE 95, SFlash 96, Rainbow 05, QUAD 06... difficult problem : solving a multivariable system cryptanalysis : Groebner basis many instation broken (Crypto 07), security reduction?, unreasonable size of keys

Rank Codes : definition and basic properties

Rank metric codes The rank metric is defined in finite extensions. GF (q) a finite field with q a power of a prime. GF (q m ) an extension of degree m of GF (q). B = (b 1,..., b m ) a basis of GF (q m ) over GF (q). GF (q m ) can be seen as a vector space on GF (q). C a linear code over GF (q m ) of dimension k and length n. G a k n generator matrix of the code C. H a (n k) n parity check matrix of C, G.H t = 0. H a dual matrix, x GF (q m ) n syndrome of x = H.x t GF (q m ) n k

Rank metric Words of the code C are n-uplets with coordinates in GF (q m ). v = (v 1,..., v n ) with v j GF (q m ). Any coordinate v j = m i=1 v ijb i with v ij GF (q). v(v 1,..., v n ) V = v 11 v 12... v 1n v 21 v 22... v 2n............ v m1 v m2... v mn

Definition (Rank weight of word) v has rank r = Rank(v) iff the rank of V = (v ij ) ij is r. equivalently Rank(v) = r <=> v j V r GF (q m ) n with dim(v r )=r. the determinant of V does not depend on the basis Definition (Rank distance) Let x, y GF (q m ) n, the rank distance between x and y is defined by d R (x, y) = Rank(x y).

Definition (Minimum distance) Let C be a [n, k] rank code over GF (q m ), the minimum rank distance d of C is d = min{d R (x, y) x, y C, x y} ; Theorem (Unique decoding) Let C[n, k, d] be a rank code over GF (q m ). Let e an error vector with r = Rank(e) d 1 2, and c C : if y = c + e then there exists a unique element c C such that d(y, c ) = r. Therefore c = c. proof : same as for Hamming, distance property.

Rank isometry Notion of isometry : weight preservation Hamming distance : n n permutation matrices Rank distance : n n invertible matrices over GF (q) proof : multiplying a codeword x GF (q m ) n by an n n invertible matrix over the base field GF(q) does not change the rank (see x as a m n matrix over GF (q)). remark : for any x GF (q m ) n : Rank(x) w H (x) : potential linear combinations on the x i may only decrease the rank weight.

Support analogy An important insight between Rank and Hamming distances tool : support analogy support of a word of GF (q) n in Hamming metric x(x 1, x2,, x n ) : set of positions x i 0 support of a word of GF (q) n in rank metric x(x 1, x2,, x n ) : the subspace over GF (q), E GF (q m ) generated by {x 1,, x n } in both cases if the order of size of the support is small, knowing the support of x and syndrome s = H.x t permits to recover the complete coordinates of x.

Sphere packing bound Counting the number of possible supports for length n and dimension t Hamming : number of sets with t elements in sets of n elements : Newton binomial ( n t) ( 2 n ) Rank : number of subspaces of dimension t over GF (q) in the space of dimension n GF (q m ) : Gaussian binomial [ ] n t q ( qtn )

Sphere packing bound Theorem (Sphere packing bound) Let C[n, k, d] be a rank code over GF (q m ) n, the parameters n, k, d and d satisfy : q mk B(n, m, q, d 1 2 ) qnm Theorem (Singleton bound) Let C[n, k, d] be a rank code over GF (q m ) n, the parameters n, k and d satisfy : d 1 + (n k)m n The rank Gilbert-Varshamov (GVR) bound for a C[n, k] rank code over GF (q m ) n with dual matrix H corresponds to the average value of the minimum distance of a random [n, k] rank code. asymptotically : in the case m = n : GVR(n,k,m,q) n 1 k n

Low Rank Parity Check codes - LRPC Families of decodable codes in rank metric There exists 3 main families of decodable codes in rank metric Gabidulin codes (1985) (analog of Reed-Solomon codes with rank metric and q-polynomials) simple matrix construction (2008) LRPC codes (2013) These codes have different properties, a lot of attention was given to rank metric and especially to subspace metric with the development of Network coding in the years 2000 s.

LRPC codes Low Rank Parity Check codes - LRPC LDPC : dual with low weight (ie : small support) equivalent for rank metric : dual with small rank support Definition (GMRZ13) A Low Rank Parity Check (LRPC) code of rank d, length n and dimension k over F q m is a code such that the code has for parity check matrix, a (n k) n matrix H(h ij ) such that the vector space F of F q m generated by its coefficients h ij has dimension at most d. We call this dimension the weight of H. In other terms : all coefficients h ij of H belong to the same low vector space F < F 1, F 2,, F d > of F q m of dimension d.

Decoding LRPC codes Low Rank Parity Check codes - LRPC Idea : as usual recover the support and then deduce the coordinates values. Let e(e 1,..., e n ) be an error vector of weight r, ie : e i : e i E, and dim(e)=r. Suppose H.e t = s = (s 1,..., s n k ) t. e i E < E 1,..., E r >, h ij F < F 1, F 2,, F d > s k < E 1 F 1,.., E r F d > if n k is large enough, it is possible to recover the product space < E 1 F 1,.., E r F d >

Decoding LRPC codes Low Rank Parity Check codes - LRPC Syndrome s(s 1,.., s n k ) : S =< s 1,.., s n k > < E 1 F 1,.., E r F d > Suppose S =< E.F > possible to recover E. Let S i = F 1 i.s, since S =< E.F >=< F i E 1, F i E 2,.., F i E r,... > E S i E = S 1 S 2 S d

General decoding of LRPC codes Low Rank Parity Check codes - LRPC Let y = xg + e 1 Syndrome space computation Compute the syndrome vector H.y t = s(s 1,, s n k ) and the syndrome space S =< s 1,, s n k >. 2 Recovering the support E of the error S i = F 1 i S, E = S 1 S 2 S d, 3 Recovering the error vector e Write e i (1 i n) in the error support as e i = n i=1 e ije j, solve the system H.e t = s. 4 Recovering the message x Recover x from the system xg = y e.

Decoding of LRPC Low Rank Parity Check codes - LRPC Conditions of success - S =< F.E > rd n-k. - possibility that dim(s) n k probabilistic decoding with error failure in q (n k rd) - if d = 2 can decode up to (n k)/2 errors. Complexity of decoding : very fast symbolic matrix inversion O(m(n k) 2 ) write the system with unknowns : e E = (e 11,..., e nr ) : rn unknowns in GF (q), the syndrome s is written in the symbolic basis {E 1 F 1,..., E r F d }, H is written in h ij = h ijk F k, nr m(n k) matrix in GF (q), can do precomputation. Decoding Complexity O(m(n k) 2 ) op. in GF (q) Comparison with Gabidulin codes : probabilistic, decoding failure, but as fast.

Low Rank Parity Check codes - LRPC Complexity issues : decoding random rankcodes

Rank syndrome decoding Semantic complexity Combinatorial attacks Algebraic attacks For cryptography we are interested in difficult problems, in the case of rank metric the problem is : Definition (Rank Syndrome Decoding problem (RSD)) Instance : a (n k) n matrix H over GF (q m ), a syndrome s in GF (q m ) n k and an integer w Question : does there exist x GF(q m ) n such that H.x t = s and w R (x) w? Definition (Syndrome Decoding problem (SD)) Instance : an r n matrix H = [h 1, h 2,..., h n ] over a field GF (q), a column vector s GF (q) r, an integer w Question : does there exist x = (x 1,..., x n ) GF (q) n of Hamming weight at most w such that H t x = n i=1 x ih i = s?

Semantic complexity Combinatorial attacks Algebraic attacks Problem SD proven NP-complete by Berlekamp et al. in 1978. Computational complexity of RSD : solved in 2014 (G.,Zemor 2014) Definition (embedding strategy) Let m n and Q = q m. Let α = (α 1,... α n ) be an n-tuple of elements of GF (Q). Define the embedding of GF (q) n into GF (Q) n ψ α : GF (q) n GF (Q) n x = (x 1,..., x n ) x = (x 1 α 1,... x n α n ) and for any GF (q)-linear code C in GF (q) n, define C = C(C, α) as the GF (Q)-linear code generated by ψ α (C), i.e. the set of GF (Q)-linear combinations of elements of ψ α (C).

A randomized reduction Semantic complexity Combinatorial attacks Algebraic attacks General idea of the embedding : Theorem (1, 0, 0, 1, 0, 1) (α 1, 0, 0, α 4, 0, α 5 ) Let C be a random code over GF(q) and α random, then for convenient m, with a very strong probability :. d H (C) = d R (C) Theorem If there exists a polynomial time algorithms which solves RSD then P=RP.

Best known attacks Semantic complexity Combinatorial attacks Algebraic attacks There are two types of attacks on the RSD problem : Combinatorial attacks Algebraic attacks Depending on type of parameters, the efficiency varies a lot.

Combinatorial attacks Semantic complexity Combinatorial attacks Algebraic attacks first attack Chabaud-Stern 96 : basis enumeration improvements A.Ourivski and T.Johannson 02 Basis enumeration : (k + r) 3 q (r 1)(m r)+2 (amelioration on polynomial part of Chabaud-Stern 96) Coordinates enumeration : (k + r) 3 r 3 q (r 1)(k+1) last improvement : G. et al. 12 (k+1)m (r 1) Support attack : O(q n )

Semantic complexity Combinatorial attacks Algebraic attacks Basis enumeration Hamming/Rank attacks Attack in rank metric to recover the support - a naive approach would consist in trying ALL possible supports : all set of coordinates of weight w Of course one never does that!!! Attack in rank metric to recover the support The analog of this attack in rank metric : try all possible supports, ie all vector space of dimension r : q (m r).r such basis, then solve a system. it is the Chabaud-Stern ( 96) attack - improved by OJ 02 By analogy with the Hamming : it is clearly not optimal In particular the exponent complexity does not depend on n

Improvement : ISD for rank metric Semantic complexity Combinatorial attacks Algebraic attacks Information Set Decoding for Hamming distance (simple original approach) : H.x t = s - syndrome size : n k n k equations - take n k random columns, if they contain the error support, one can solve a system Analog for rank metric : - syndrome size : n k (n k)m equations in F q - consider a random space E of F m q of dimension r which contain E one can solve if nr (n k)m as for ISD for Hamming metric : improve the complexity since easier to find.

Support attack Semantic complexity Combinatorial attacks Algebraic attacks Detail : Increasing of searched support : r r avec r n m(n k). e = βu with β a basis of rank r and U a r n matrix. Operations : More support to test : q (r 1)(m r) q (r 1)(m r ) Better probability to find : 1 q(r m) q (r 1)(m r) q (r 1)(m r) Complexity : min(o((n k) 3 m 3 q r km n ), O((n k) 3 m 3 q (r 1) (k+1)m n ))

Support attack Semantic complexity Combinatorial attacks Algebraic attacks Conclusion on the first attack Improvement on previous attacks based on HU t β t = Hy t. exponential omplexity in the general case Complexité : min(o((n k) 3 m 3 q r km n ), O((n k) 3 m 3 q (r 1) (k+1)m n )) Comparison with previous complexities : basis enumeration : (k + r) 3 q (r 1)(m r)+2 coordinates enumeration : (k + r) 3 r 3 q (r 1)(k+1) Remark : when n = m same expoential complexity that OJ 02

Algebraic attacks for rank metric Semantic complexity Combinatorial attacks Algebraic attacks General idea : translate the problem in equations then try to resolve with grobner basis Main difficulty : translate in equations the fact that coordinates belong to a same subspace of dimension r in GF (q m )? Levy-Perret 06 : Taking error support as unknown quadratic setting Kipnis-Shamir 99 ( FLP 08) and others..) : Kernel attack, (r + 1) (r + 1) minors degree r + 1 G. et al. 12 : annulator polynomial degree q r

Attack with q-polynomials Semantic complexity Combinatorial attacks Algebraic attacks Definition (q-polynomials) A q-polynomial is a polynomal of the form P(x) = r i=0 p ix qi with p r 0 et p i F q m. Linearity : P(αx + βy) = αp(x) + βp(y) with x, y F q m and α, β F q. B basis of r vectors of F q m,!p unitary q-polynomial such that b B, P(b) = 0 (Ore 33). One can then define a subspace of dimension r with a polynomial of q-degree r.

Attack with q-polynomial Semantic complexity Combinatorial attacks Algebraic attacks Reformulation : c + e = y with c a word of C, e a word of weight r and y known. There exists a polynomial P of q-degree r such that P(c y) = 0 moreover there exists x such that c = xg, which gives : ( r p i (xg 1 y 1 ) qi,..., i=0 r p i (xg n y n ) qi ) with x F q m k, G j the j-ith column of G and y F q m n known. i=0

Attack with q-polynomials Semantic complexity Combinatorial attacks Algebraic attacks Advantages : less unknowns, sparse equations Disadvantages : higher degree equations q r + 1 Three methods to solve : Linearization Grobner basis Hybrid approach : partial enumeration of unknowns

Semantic complexity Combinatorial attacks Algebraic attacks Conclusion on attacks Combinatorial : quadratic in the exponent, usually the best ones but depend on q Algebraic : very high when r increases but do not depend on q

Semantic complexity Combinatorial attacks Algebraic attacks best attacks : exponential with quadratic complexity in the exponent. Comparison of this problem with other problems for a 2 n complexity with best known attacks : problem size of key semantic security factorization Ω(n 3 ) no discrete log (large car.) Ω(n 3 ) no ECDL Ω(n) no SVP ideal lattices Ω(n) no SD cyclic-codes Ω(n) no SD Ω(n 2 ) yes SVP Ω(n 2 ) yes RSD Ω(n 1.5 ) yes

The GPT cryptosystem and its variations LRPC codes for cryptography ENCRYPTION IN RANK METRIC

The GPT cryptosystem and its variations LRPC codes for cryptography - Gabidulin et al. 91 : first encryption scheme based on rank metric - adaptation of McELiece scheme, many variations : Parameters B {b 1,, b m } a basis of GF (q m ) over GF (q) Private key G generates a Gabidulin code Gab(m, k), r = m k 2 S a random k t 1 matrix in GF (q m ) P a random matrix in GL m+t1 (GF (q)) S a random invertible k k matrix in GF (q m ) Public key G pub = S(G Z)P

The GPT cryptosystem and its variations LRPC codes for cryptography y = xg pub + e, Rank(e) r Decryption - Compute yp 1 = x(g Z) + ep 1 - Puncture the last t 1 columns and decode

The GPT cryptosystem and its variations LRPC codes for cryptography Other variations :G Gabidulin matrix, H : dual matrix Masking public matrix authors Scrambling matrix SG + X GPT 91 Right scrambling S(G ( Z)P ) Gabi. Ouriv. 01 H Subcodes Ber. Loi. 02 ( A ) G1 0 Rank Reducible [OGHA03],[BL04] A G 2

Overbeck s structural attack The GPT cryptosystem and its variations LRPC codes for cryptography Overbeck 06 general idea : if one consider G=Gab[n,k] and one applies the frobenius : x x q to each coordinate of G then G q and G have k 1 rows in common! starting from G pub = S(G Z)P, one can prove there is a rank default in : G pub. G qn k 1 pub the matrix is a k(n k) (n + t 1 ) matrix, first n columns part : rank n 1 and not n! Overbeck uses this point to break parameters of all presented

Reparation The GPT cryptosystem and its variations LRPC codes for cryptography - 2008 and after : reparations an new type of masking resistant to Overbeke attack 2 families of parameters : - Loidreau (PQC 10) - Haitham Rashwan, Ernst M. Gabidulin, Bahram Honary ISIT 09, 10 [GRS12] new attacks break all proposed parameters

Results Post-Quantum Cryptography The GPT cryptosystem and its variations LRPC codes for cryptography P. Loidreau (PQC 10) Code [n, k, r] m OJ1 OJ2 Over ES L LH HGb [64, 12, 6] 24 2 104 2 85 2 80 2 50 non 2 48 2 hours [76, 12, 6] 24 2 104 2 85 2 80 2 49 non 2 36 1 s Haitham Rashwan, Ernst M. Gabidulin, Bahram Honary ISIT 09, 10 Code [n, k, r] m Over ES L LH HGb [28, 14, 3] 24 2 80 2 55 non 2 49 2 days [28, 14, 4] 24 2 80 2 70 non 2 65 not finished [20, 10, 4] 24 2 80 2 56 non 2 51 5 days [20, 12, 4] 24 2 80 2 60 non 2 60 not finsihed

Conclusion on GPT-like systems The GPT cryptosystem and its variations LRPC codes for cryptography All actual proposed parameters are actually broken New masking still proposed Probably possible to find resistant parameters with public key size 15,000 bits Inherent potential vulnerability structure due to hidden structure of Gabidulin codes Faure-Loidreau cryptosystem??? reconstruction

The NTRU-like family The GPT cryptosystem and its variations LRPC codes for cryptography NTRU MDPC LRPC double circulant matrix (A B) (I H) A and B : cyclic with 0 and 1, over Z/qZ (small weight) (q=256), N 300 double circulant matrix (A B) (I H) A and B : cyclic with 0 and 1, 45 1, (small weight) N 4500 double circulant matrix (A B) (I H) A and B : cyclic with small weight (small rank)

LRPC codes for cryptography The GPT cryptosystem and its variations LRPC codes for cryptography We saw that LRPC codes with H [n-k,n] over F of rank d could decode error of rank r with probability q n k rd+1 : McEliece setting : Public key : G LRPC code : [n, k] of weight d which can decode up to errors of weight r Public key : G = MG Secret key : M c= mg +e, e of rank r Decryption Decode H.c t in e, then recover m. Smaller size of key : double circulant LRPC codes : H=(I A), A circulant matrix

Application to cryptography The GPT cryptosystem and its variations LRPC codes for cryptography Attacks on the system - message attack : decode a word of weight r for a [n, k] random code - structural attack : recover the LRPC structure a [n, n k] LRPC matrix of weight d contains a word with n d first zero positions. Searching for a word of weight d in a [n n d, n k n d ] code. Attack on the double circulant structure as for lattices or codes (with Hamming distance) no specific more efficient attack exists exponentially better than decoding random codes.

Parameters The GPT cryptosystem and its variations LRPC codes for cryptography n k m q d r failure public key security 82 41 41 2 5 4-22 1681 80 106 53 53 2 6 5-24 2809 128 74 37 23 2 4 4 4-88 3404 110

Conclusion for LRPC The GPT cryptosystem and its variations LRPC codes for cryptography LRPC : new family of rank codes with an efficient probabilistic decoding algorithm Application to cryptography in the spirit of NTRU and MDPC (decryption failure, more controlled) Very small size of keys, comparable to RSA More studies need to be done but very good potentiality

The GPT cryptosystem and its variations LRPC codes for cryptography Authentication

Chen s protocol Chen ZK authentication protocol : attack and repair Signature in rank metric In 95 K. Chen proposed a rank metric authentication scheme, in the spirit of the Stern SD protocol for Hamming distance and Shamir s PKP protocol. Unfortunately the ZK proof is false... a good toy example to understand some subtilities of rank metric. [G. et al. (2011)]

Philippe Gaborit University of Limoges, France Figure: (based onrank-sd works with New O. results protocol Ruatta,J. for Schrek rank based and cryptography G. Zémor) Post-Quantum Cryptography Chen ZK authentication protocol : attack and repair Signature in rank metric 1 [Commitment step] The prover P chooses x V n, P GL n (GF(q and Q GL m (q). He sends c 1, c 2, c 3 such that : c 1 = hash(q P Hx t ), c 2 = hash(q xp), c 3 = hash(q (x + s)p 2 [Challenge step] The verifier V sends b {0, 1, 2} to P. 3 [Answer step] there are three possibilities : if b = 0, P reveals x and (Q P) if b = 1, P reveals x + s and (Q P) if b = 2, P reveals Q xp and Q sp 4 [Verification step] there are three possibilities : if b = 0, V checks c 1 and c 2. if b = 1, V checks c 1 and c 3. if b = 2, V checks c 2 and c 3 and that rank(q sp) = r.

Chen ZK authentication protocol : attack and repair Signature in rank metric Public matrix H : (n k) k m = 2691 bits Public key i : (n k)m = 299 bits Secret key s : r(m + n) = 360 bits Average number of bits exchanged in one round : 2 hash + one word of GF(q m ) 820 bits.

Chen ZK authentication protocol : attack and repair Signature in rank metric Signature with rank metric

Different approaches for signature Chen ZK authentication protocol : attack and repair Signature in rank metric Signatures by inversion unique inversion : RSA,CFS several inversions : NTRUSign, GGH, GPV Signature by proof of knowledge by construction : Schnorr, DSA, Lyubashevski (lattices 2012) generic : Fiat-Shamir paradigm one-time signatures : KKS 97, Lyubashevski 07

A first approach Chen ZK authentication protocol : attack and repair Signature in rank metric In rank metric it is possible to use the FS paradigm with our new protocol leads to small public keys : 2500b, signature length 60, 000b Can we do better?

CFS Post-Quantum Cryptography Chen ZK authentication protocol : attack and repair Signature in rank metric In 2001 Courtois Finiasz and Sendrier proposed a RSA-like signature for codes. SUppose one gets a decoding algorithm (inverse of a syndrome) unlike RSA, is it possible to consider a random codeword and invert it?? in general no : the density of invertible codewords is exponentially low... for a Goppa [2 m, 2 m tm, 2t + 1] the density is 1 t! CFS 01 : consider extreme parameters where t is low ( 10) and repeat until it works! leads to flat hidden matrices : [2 16, 154], signature shorts, very large size of keys : several MB, rather lengthy - more than RSA -(but can be parallelized)

New approach for rank metric [Gaborit,Ruatta,Schrek,Zemor 2013] Chen ZK authentication protocol : attack and repair Signature in rank metric Inversion case : there are two approaches : CFS : you are below GV and search for an invertible solution GPV, NTRUSign, GGH : beyond Gauss : construct one special solution which approximates a syndrome leads to better parameters (be careful to information leaking!) is it possible to do that with codes? in Hamming binary seems difficult, in rank? Not usual point of view for codes where one prefers a unique solution!

Chen ZK authentication protocol : attack and repair Signature in rank metric Consider the set of x of rank r and the set of reachable syndrome H.x t for H length n. for rank metric : support and coordinates are disjoint suppose we fix T of dimension t, if possible to consider r = r + t just like that then one multiplies the number of decodable syndromes by q tn improvement of density of decodable syndromes. Different choices of T different choices for preimage but unicity of decoding for a given T

General idea Chen ZK authentication protocol : attack and repair Signature in rank metric Fix a subspace T of GF (q m ) so that we want T E What is T? T corresponds to the notion of erasure (generalized) Hamming y = (y 1, y 2,..., y n ) = (c 1, c 2 + e 2, c 3,, c 4,,..., c n + e n ) Rank y = (y 1, y 2,..., y n ) = (c 1 + e 1, c 2 + e 2,..., c n + e n ), e i E, but T E

Chen ZK authentication protocol : attack and repair Signature in rank metric Theorem (Errors/erasures decoding of LRPC codes) Let H be a dual n k n matrix associated to a LRPC code with small space F of dimension d, over an extension field GF (q m ) over a small field of size q. Let r n k d, and let T be a random subspace of dimension t, such that (r + t).(2d 1) m. Let s be a syndrome such that there exists a unique support E, with T E of dimension r = t + r such that there exists a word e of support E such that H.e t = s. Then knowing T it is possible to retrieve the support E of e with a probability 1/q.

idea of the proof Chen ZK authentication protocol : attack and repair Signature in rank metric Similar to LRPC : E = {E 1,..., E r }, F = {F 1,..., F d } H.e t = s s < E.F > from n k s i one recovers S =< E.F > then E = F1 1 S... F 1 S d

LRPC with erasure Chen ZK authentication protocol : attack and repair Signature in rank metric Input T =< T 1,, T t >, H a matrix of LRPC, a syndrome s = H.e t, with support E and dim(e) = t + n k d and T E Result : the error vector e. 1 Syndrome computations a) Compute B = {F 1 T 1,, F d T t } of the product space < F.T >. b) Compute the subspace S =< B {s 1,, s n k } >. 2 Recovering the support E of the error Define S i = F 1 i S, compute E = S 1 S 2 S d, and compute a basis {E 1, E 2,, E r } of E. 3 Recovering the error vector e Write e i = n i=1 e ije j, and solve a linear system.

Chen ZK authentication protocol : attack and repair Signature in rank metric Seems magical and seems to have errors for free. Price to pay? small price : one cannot take t independently of n one needs in practice in the optimal case : n k n d best results : d = 2 anyway

Density Post-Quantum Cryptography Chen ZK authentication protocol : attack and repair Signature in rank metric Lemma Let T a subspace of dimension t of GF (q m ) then the number of distinct subspaces E of dimension r = t + r of GF (q m ) such that T E is : Π r 1 1 i=0 (qm t i q i+1 1 )

Chen ZK authentication protocol : attack and repair Signature in rank metric Corollary (Density of decodable syndromes ) The density of unique support decodable syndromes of rank weight r = t + r for a fixed random partial support T of dimension t is : Π r 1 i=0 ( qm t i 1 q i+1 1 ).min(qnr, q rd(n k) ) q (n k)m. density 1 almost independent on q. q = 2, m = 45, n = 40, k = 20, t = 5, r = 10, decodes up to r = t + r = 15 for a fixed random partial support T of dimension 5. GVR bound (m=45) [40, 20] is 13, Singleton bound = 20, decoding radius = 15, and 13 15 20.

RankSign + signature algorithm Chen ZK authentication protocol : attack and repair Signature in rank metric 1 Secret key : H :LRPC, r = t + n k 2 errors, R random in GF (q m ), invertible in GF (q m ), P invertible in GF (q). 2 Public key : the matrix H = A(R H)P, a small integer value l. 3 Signature of a message M : a) initialization : seed {0, 1} l, pick (e 1,, e t ) GF (q m ) t b) syndrome : s hash(m seed) GF (q m ) n k c) decode by H, s = A 1.s T R.(e 1,, e t ) T with T =< e 1,, e t > and r errors d) if the decoding works (e t+1,, e n+t ) of weight r = t + r, signature=((e 1,, e n+t ).(P T ) 1, seed), else return to a). 4 Verification : Verify that Rank(e) = r = t + r and H.e T = s = hash(m seed).

Structural attacks Chen ZK authentication protocol : attack and repair Signature in rank metric Overbeck attack : irrelevant Attack on the dual matrix : r = t + d Attack on isometry matrix P : recover some positions of P

Approximation beyond GVR Chen ZK authentication protocol : attack and repair Signature in rank metric Approximate - Rank Syndrome Decoding problem (App-RSD) Let H be a (n k) n matrix over GF (q m ) with k n, s GF (q m ) n k and let r be an integer. The problem is to find a solution of rank r such that rank(x) = r and Hx t = s. if r min((n k), m(n k) n ) (Singleton bound) then the problemis polynomial in general, best attack : Complexity for finding one word Number of words

Information leaking Chen ZK authentication protocol : attack and repair Signature in rank metric Main problem for signature (see NTRUSign) : information leaking Theorem For any algorithm that leads to a forged signature using N q/2 authentic signatures, there is an algorithm with the same complexity that leads to a forgery using only the public key as input and without any authentic signatures.

Chen ZK authentication protocol : attack and repair Signature in rank metric idea of proof : under the random oracle model, there exists a polynomial time algorithm that takes as input the public matrix H and produces couples (m, σ), where m is a message and σ a valid signature for m, with the same distribution as those output by the authentic signature algorithm. Therefore whatever forgery can be achieved from the knowledge of H and a list of valid signed messages, can be simulated and reproduced with the public matrix H as only input.

Parameters Chen ZK authentication protocol : attack and repair Signature in rank metric n n-k m q d t r r GV Sg pk sign LP Dual DS DA 16 8 18 2 40 2 2 4 6 5 8 57600 8640 130 1096 400 776 16 8 18 2 8 2 2 4 6 5 8 11520 1728 110 233 80 168 16 8 18 2 16 2 2 4 6 5 8 23040 3456 120 448 160 320 20 10 24 2 8 2 3 5 8 6 10 24960 3008 190 370 104 226 27 9 20 2 6 3 2 3 5 4 7 23328 1470 170 187 120 129 48 12 40 2 4 4 5 3 8 6 10 78720 2976 > 600 340 164 114 50 10 42 2 4 5 2 2 7 5 9 70560 2800 > 600 240 180 104

Chen ZK authentication protocol : attack and repair Signature in rank metric GENERAL CONCLUSION

Chen ZK authentication protocol : attack and repair Signature in rank metric Rank distance is interesting since small parameters strong resistance until recently only one family of decodable codes LRPC codes -weak structure-, similar to NTRU or MDPC offer many advantages very good potential with very good parameters but needs more scrutiny

Open problems Chen ZK authentication protocol : attack and repair Signature in rank metric deterministic reduction to SD rather than only probabilistic? Is it possible to have worst case - average case reduction? Left over hash lemma? Attacks improvements on rank ISD? Better algebraic settings? Implementations? homomorphic - FHE (be crazy!)

Chen ZK authentication protocol : attack and repair Signature in rank metric THANK YOU

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback