LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE

Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization Conference

Nicolas Aragon1 Olivier Blazy1 Jean-Christophe Deneuville1,4 Philippe Gaborit1

Adrien Hauteville1 Olivier Ruatta1 Jean-Pierre Tillich2 Gilles Zémor3

1University of Limoges, XLIM-DMI, France ; 2Inria, Paris, France

3Mathematical Institute of Bordeaux, France

4INSA-CVL, Bourges, France

04/13/2018 LAKE & LOCKER 04/13/2018 1 / 20

Limitations:The decryption failure probability does not decrease quickly.Security is not based on a random quasi-cyclic/ideal code (but considered hard by thecommunity).Decoding in the rank metric is a more recent problem (27 years old).

Advantages and Limitations

Advantages: Very easy to understand (à la Niederreiter). Very small key size. Very fast keygen/encryption/decryption time. The decryption failure probability is well-understood and theoretically bounded.

LAKE & LOCKER 04/13/2018 2 / 20

Advantages and Limitations

Advantages: Very easy to understand (à la Niederreiter). Very small key size. Very fast keygen/encryption/decryption time. The decryption failure probability is well-understood and theoretically bounded.

Limitations: The decryption failure probability does not decrease quickly. Security is not based on a random quasi-cyclic/ideal code (but considered hard by the community). Decoding in the rank metric is a more recent problem (27 years old).

LAKE & LOCKER 04/13/2018 2 / 20

Presentation of the rank metric

1 Presentation of the rank metric

2 Description of the schemes

3 Security and parameters

LAKE & LOCKER 04/13/2018 3 / 20

Let β1, . . . , βm be a basis of Fqm/Fq. To each vector x ∈ Fnqm we can associate a matrix Mx

x = (x1, . . . , xn) ∈ Fnqm ↔Mx =

⎛⎜⎝x11 . . . x1n...

. . ....

xm1 . . . xmn

⎞⎟⎠ ∈ Fm×nq

such that xj =Pm

i=1 xijβi for each j ∈ [1..n].

DefnitiondR(x , y) = Rank(Mx −My ) and |x |R = RankMx .

Presentation of the rank metric

Rank Metric

We only consider codes with coeÿcients in Fqm .

LAKE & LOCKER 04/13/2018 4 / 20

Presentation of the rank metric

Rank Metric

We only consider codes with coeÿcients in Fqm . Let β1, . . . , βm be a basis of Fqm /Fq. To each vector x ∈ Fn

qm we can associate a matrix Mx ⎞⎛ x11 . . . x1n . ..x = (x1, . . . , xn) ∈ Fn

qm ↔ Mx = ⎜⎝ ⎟⎠ ∈ Fm×n

q . . ... .

P

xm1 . . . xmn

m i=1 xij βi for each j ∈ [1..n].such that xj =

Defnition dR(x , y) = Rank(Mx − My ) and |x |R = Rank Mx .

LAKE & LOCKER 04/13/2018 4 / 20

Number of supports of weight w :

Rank Hamming�mw

�q

≈ qw(m−w)

�nw

�6 2n

Complexity in the worst case:quadratically exponential for Rank Metricsimply exponential for Hamming Metric

Presentation of the rank metric

Support of a Word

Defnition The support of a word is the Fq-subspace generated by its coordinates:

Supp(x) = hx1, . . . , xniFq

LAKE & LOCKER 04/13/2018 5 / 20

Complexity in the worst case:quadratically exponential for Rank Metricsimply exponential for Hamming Metric

Presentation of the rank metric

Support of a Word

Defnition The support of a word is the Fq-subspace generated by its coordinates:

Supp(x) = hx1, . . . , xniFq

Number of supports of weight w :

Rank Hamming� � � � nm w(m−w) 6 2n≈ q

w w q

LAKE & LOCKER 04/13/2018 5 / 20

Presentation of the rank metric

Support of a Word

Defnition The support of a word is the Fq-subspace generated by its coordinates:

Supp(x) = hx1, . . . , xniFq

Number of supports of weight w :

Rank Hamming� � � � nm w(m−w) 6 2n≈ q

w w q

Complexity in the worst case: quadratically exponential for Rank Metric simply exponential for Hamming Metric

LAKE & LOCKER 04/13/2018 5 / 20

The decoding algorithm requires a parity-check matrix of weight d .

Presentation of the rank metric

LRPC Codes

Defnition

Let H ∈ F(qnm −k)×n a full-rank matrix such that the dimension d of hhij iFq is small.

By defnition, H is a parity-check matrix of an [n, k]qm LRPC code. We say that d is the weight of the matrix H .

LAKE & LOCKER 04/13/2018 6 / 20

Presentation of the rank metric

LRPC Codes

Defnition

Let H ∈ F(qnm −k)×n a full-rank matrix such that the dimension d of hhij iFq is small.

By defnition, H is a parity-check matrix of an [n, k]qm LRPC code. We say that d is the weight of the matrix H .

The decoding algorithm requires a parity-check matrix of weight d .

LAKE & LOCKER 04/13/2018 6 / 20

Presentation of the rank metric

Notation

From now, all vectors of Fnqm can be viewed as elements of Fqm [X ]/(P) for some polynomial P .

u X u mod P

⎞⎛ ⎜⎜⎜⎝

⎟⎟⎟⎠ Let u ∈ Fn

qm , (u)M denotes the matrix . . . X n−1u mod P

LAKE & LOCKER 04/13/2018 7 / 20

P ∈ Fq[X ] =⇒ the weight of H is d .Ideal LRPC in rank metric ' QC-MDPC in Hamming metric ' NTRU in Euclidean metric.

Presentation of the rank metric

Ideal LRPC Codes

Defnition Let F be a Fq-subspace of dimension d of Fqm , (h1, h2) two vectors of Fn

qm of support F and P ∈ Fq[X ] a polynomial of degree n.� � By defnition, the matrix H = (h1)M|(h2)M is a parity-check matrix of an [2n, n]qm ideal LRPC code C.

LAKE & LOCKER 04/13/2018 8 / 20

Ideal LRPC in rank metric ' QC-MDPC in Hamming metric ' NTRU in Euclidean metric.

Presentation of the rank metric

Ideal LRPC Codes

Defnition Let F be a Fq-subspace of dimension d of Fqm , (h1, h2) two vectors of Fn

qm of support F and P ∈ Fq[X ] a polynomial of degree n.� � By defnition, the matrix H = (h1)M|(h2)M is a parity-check matrix of an [2n, n]qm ideal LRPC code C.

P ∈ Fq[X ] =⇒ the weight of H is d .

LAKE & LOCKER 04/13/2018 8 / 20

Presentation of the rank metric

Ideal LRPC Codes

Defnition Let F be a Fq-subspace of dimension d of Fqm , (h1, h2) two vectors of Fn

qm of support F and P ∈ Fq[X ] a polynomial of degree n.� � By defnition, the matrix H = (h1)M|(h2)M is a parity-check matrix of an [2n, n]qm ideal LRPC code C.

P ∈ Fq[X ] =⇒ the weight of H is d . Ideal LRPC in rank metric ' QC-MDPC in Hamming metric ' NTRU in Euclidean metric.

LAKE & LOCKER 04/13/2018 8 / 20

P irreducible =⇒ resistant against folding attacks [4].

Presentation of the rank metric

I − LRPC Problem

Problem (Ideal LRPC codes indistinguishability)

Given h ∈ Fnqm and P ∈ Fq[X ] of degree n, it is hard to distinguish if h was sampled uniformly

at random or as x−1y mod P , where x and y have the same support of small dimension d .

Since h defnes an ideal code, it is hard to distinguish between a random ideal code and an ideal LRPC code.

LAKE & LOCKER 04/13/2018 9 / 20

Presentation of the rank metric

I − LRPC Problem

Problem (Ideal LRPC codes indistinguishability)

Given h ∈ Fnqm and P ∈ Fq[X ] of degree n, it is hard to distinguish if h was sampled uniformly

at random or as x−1y mod P , where x and y have the same support of small dimension d .

Since h defnes an ideal code, it is hard to distinguish between a random ideal code and an ideal LRPC code. P irreducible =⇒ resistant against folding attacks [4].

LAKE & LOCKER 04/13/2018 9 / 20

Probabilistic reduction to the NP-Complete ISD problem [3].

Presentation of the rank metric

RSD Problem

Problem (Rank Syndrome Decoding problem)

, s ∈ Fn−k

HeT = sT

|e|R = r

Given H ∈ F(qnm −k)×n

qm and an integer r , fnd e ∈ Fnqm such that:

LAKE & LOCKER 04/13/2018 10 / 20

Presentation of the rank metric

RSD Problem

Problem (Rank Syndrome Decoding problem)

, s ∈ Fn−k

HeT = sT

|e|R = r

Given H ∈ F(qnm −k)×n

qm and an integer r , fnd e ∈ Fnqm such that:

Probabilistic reduction to the NP-Complete ISD problem [3].

LAKE & LOCKER 04/13/2018 10 / 20

Presentation of the rank metric

I − RSD problem

Problem (Ideal Rank Syndrome Decoding problem)

Given h ∈ Fn [X ] of degree n, s ∈ Fn−k and an integer r , fnd e = (e1|e2) ∈ F2n qm , P ∈ Fq qm qm

such that: he1 + e2 = s mod P

|e|R = r

LAKE & LOCKER 04/13/2018 11 / 20

Description of the schemes

1

2

3

Presentation of the rank metric

Description of the schemes

Security and parameters

LAKE & LOCKER 04/13/2018 12 / 20

Description of the schemes

LAKE, a Key Encapsulation Mechanism

Our schemes contain a hash function G modeled as a ROM and an irreducible polynomial P ∈ Fq[X ] of degree n.

Alice Bob $

(x , y ) ← Fnqm × Fn

qm s.t. Supp(x) = Supp(y ) of dim d h

h ← x−1y mod P −−−−−→ (e1, e2)

$← Fn qm × Fn

qm s.t. Supp(e1, e2) = E of dim r

xs = xe1 + y e2 mod P s←−−−−− s = e1 + e2h mod P

E ← LRPC.Deco de(x , y , xs, r)

G (E) Shared Secret G (E)

LAKE & LOCKER 04/13/2018 13 / 20

Description of the schemes

LOCKER, a Public Key Encryption

Our schemes contain an hash function G modeled as a ROM and an irreducible polynomial P ∈ Fq[X ] of degree n. KeyGen(1λ):

$(x , y) ← Fq

nm × Fq

nm s.t. Supp(x) = Supp(y) of dim d

h ← x−1y mod P

sk := (x , y ), pk := h

Bob Alice $

(e1, e2) ← Fnqm × Fn

qm s.t. xs = xe1 + ye2 mod PSupp(e1, e2) = E of dim r C ,s E ← LRPC.Decode(x , y , xs, r)s = e1 + e2h mod P −−−−−→ L L M = C G (E )

C = M G (E )

LAKE & LOCKER 04/13/2018 14 / 20

Security and parameters

1 Presentation of the rank metric

2 Description of the schemes

3 Security and parameters

LAKE & LOCKER 04/13/2018 15 / 20

Applying HHK [5] to LOCKER PKE → IND-CCA2 LOCKER KEMIND-CCA2 LOCKER KEM → LOCKER HE

Security and parameters

Semantic Security

Theorem Under the assumption of the hardness of the I − LRPC and the I − RSD problems, LAKE and LOCKER are IND-CPA in the Random Oracle Model.

LAKE & LOCKER 04/13/2018 16 / 20

Security and parameters

Semantic Security

Theorem Under the assumption of the hardness of the I − LRPC and the I − RSD problems, LAKE and LOCKER are IND-CPA in the Random Oracle Model.

Applying HHK [5] to LOCKER PKE → IND-CCA2 LOCKER KEM IND-CCA2 LOCKER KEM → LOCKER HE

LAKE & LOCKER 04/13/2018 16 / 20

Quantum Speed-Up: Grover’s algorithm directly applies to GRS+ =⇒ exponent isdivided by 2 [2].

I− RSD I− LRPC

O�(nm)3q

12

�rlm(n+1)

2n

m−m

��O�(nm)3q

12(ddm

2 e−m−n)�

Security and parameters

Known Attacks

Combinatorial attacks: try to guess the support of the error or of the small-weight codeword. The best algorithm is GRS+ [1]. On average:

I − RSD I − LRPC� l m � � �m(n+1)r −m ddm e−m−n2nO (nm)3q O (nm)3q 2

LAKE & LOCKER 04/13/2018 17 / 20

Security and parameters

Known Attacks

Combinatorial attacks: try to guess the support of the error or of the small-weight codeword. The best algorithm is GRS+ [1]. On average:

I − RSD I − LRPC� l m � � �m(n+1)r −m ddm e−m−n2nO (nm)3q O (nm)3q 2

Quantum Speed-Up: Grover’s algorithm directly applies to GRS+ =⇒ exponent is divided by 2 [2].

I − RSD I − LRPC� � l m �� � �1 m(n+1)r −m (ddm e−m−n)2 2nO (nm)3q O (nm)3q 2

1 2

LAKE & LOCKER 04/13/2018 17 / 20

Security and parameters

Examples of parameters: LAKE

All the times are given in ms, performed on an Intel Core i7-4700HQ CPU running at 3.40GHz.

Security Message/key Size (bits)

KeyGen Time

Encap Time

Decap Time

Probability of failure

128 3,149 0.65 0.13 0.53 < 2−30

192 4,717 0.73 0.13 0.88 < 2−32

256 6,313 0.77 0.15 1.24 < 2−36

LAKE & LOCKER 04/13/2018 18 / 20

Security and parameters

Examples of parameters: LOCKER

All the times are given in ms, performed on an Intel Core i7-4700HQ CPU running at 3.40GHz.

Security PK Size (bits)

CT Size (bits)

Encrypt Time

Decrypt Time

Probability of failure

128 5,893 6,405 0.22 1.04 < 2−64

192 8,383 8,895 0.23 1.08 < 2−64

256 9,523 10,023 0.25 1.58 < 2−64

128 12,367 12,879 0.56 1.99 < 2−128

192 15,049 15,561 0.56 2.03 < 2−128

256 17,113 17,625 0.62 2.76 < 2−128

LAKE & LOCKER 04/13/2018 19 / 20

Security and parameters

Thank you for your attention !Any questions ?

LAKE & LOCKER 04/13/2018 20 / 20

Security and parameters

Nicolas Aragon, Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. Improvement of Generic Attacks on the Rank Syndrome Decoding Problem. working paper or preprint, October 2017.

Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. Ranksynd a PRNG based on rank metric. In Post-Quantum Cryptography 2016, pages 18–28, Fukuoka, Japan, February 2016.

Philippe Gaborit and Gilles Zémor. On the hardness of the decoding and the minimum distance problems for rank codes. IEEE Trans. Information Theory, 62(12):7245–7252, 2016.

Adrien Hauteville and Jean-Pierre Tillich. New algorithms for decoding in the rank metric and an attack on the LRPC cryptosystem. In Proc. IEEE Int. Symposium Inf. Theory - ISIT 2015, pages 2747–2751, Hong Kong, China, June 2015.

Dennis Hofheinz, Kathrin Hövelmanns, and Eike Kiltz. A modular analysis of the Fujisaki-Okamoto transformation.

LAKE & LOCKER 04/13/2018 20 / 20

Security and parameters

In Theory of Cryptography Conference, pages 341–371. Springer, 2017.

LAKE & LOCKER 04/13/2018 20 / 20