LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE...
Transcript of LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE...
LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE
Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization Conference
Nicolas Aragon1 Olivier Blazy1 Jean-Christophe Deneuville1,4 Philippe Gaborit1
Adrien Hauteville1 Olivier Ruatta1 Jean-Pierre Tillich2 Gilles Zémor3
1University of Limoges, XLIM-DMI, France ; 2Inria, Paris, France
3Mathematical Institute of Bordeaux, France
4INSA-CVL, Bourges, France
04/13/2018 LAKE & LOCKER 04/13/2018 1 / 20
Limitations:The decryption failure probability does not decrease quickly.Security is not based on a random quasi-cyclic/ideal code (but considered hard by thecommunity).Decoding in the rank metric is a more recent problem (27 years old).
Advantages and Limitations
Advantages: Very easy to understand (à la Niederreiter). Very small key size. Very fast keygen/encryption/decryption time. The decryption failure probability is well-understood and theoretically bounded.
LAKE & LOCKER 04/13/2018 2 / 20
Advantages and Limitations
Advantages: Very easy to understand (à la Niederreiter). Very small key size. Very fast keygen/encryption/decryption time. The decryption failure probability is well-understood and theoretically bounded.
Limitations: The decryption failure probability does not decrease quickly. Security is not based on a random quasi-cyclic/ideal code (but considered hard by the community). Decoding in the rank metric is a more recent problem (27 years old).
LAKE & LOCKER 04/13/2018 2 / 20
Presentation of the rank metric
1 Presentation of the rank metric
2 Description of the schemes
3 Security and parameters
LAKE & LOCKER 04/13/2018 3 / 20
Let β1, . . . , βm be a basis of Fqm/Fq. To each vector x ∈ Fnqm we can associate a matrix Mx
x = (x1, . . . , xn) ∈ Fnqm ↔Mx =
⎛⎜⎝x11 . . . x1n...
. . ....
xm1 . . . xmn
⎞⎟⎠ ∈ Fm×nq
such that xj =Pm
i=1 xijβi for each j ∈ [1..n].
DefnitiondR(x , y) = Rank(Mx −My ) and |x |R = RankMx .
Presentation of the rank metric
Rank Metric
We only consider codes with coeÿcients in Fqm .
LAKE & LOCKER 04/13/2018 4 / 20
Presentation of the rank metric
Rank Metric
We only consider codes with coeÿcients in Fqm . Let β1, . . . , βm be a basis of Fqm /Fq. To each vector x ∈ Fn
qm we can associate a matrix Mx ⎞⎛ x11 . . . x1n . ..x = (x1, . . . , xn) ∈ Fn
qm ↔ Mx = ⎜⎝ ⎟⎠ ∈ Fm×n
q . . ... .
P
xm1 . . . xmn
m i=1 xij βi for each j ∈ [1..n].such that xj =
Defnition dR(x , y) = Rank(Mx − My ) and |x |R = Rank Mx .
LAKE & LOCKER 04/13/2018 4 / 20
Number of supports of weight w :
Rank Hamming�mw
�q
≈ qw(m−w)
�nw
�6 2n
Complexity in the worst case:quadratically exponential for Rank Metricsimply exponential for Hamming Metric
Presentation of the rank metric
Support of a Word
Defnition The support of a word is the Fq-subspace generated by its coordinates:
Supp(x) = hx1, . . . , xniFq
LAKE & LOCKER 04/13/2018 5 / 20
Complexity in the worst case:quadratically exponential for Rank Metricsimply exponential for Hamming Metric
Presentation of the rank metric
Support of a Word
Defnition The support of a word is the Fq-subspace generated by its coordinates:
Supp(x) = hx1, . . . , xniFq
Number of supports of weight w :
Rank Hamming� � � � nm w(m−w) 6 2n≈ q
w w q
LAKE & LOCKER 04/13/2018 5 / 20
Presentation of the rank metric
Support of a Word
Defnition The support of a word is the Fq-subspace generated by its coordinates:
Supp(x) = hx1, . . . , xniFq
Number of supports of weight w :
Rank Hamming� � � � nm w(m−w) 6 2n≈ q
w w q
Complexity in the worst case: quadratically exponential for Rank Metric simply exponential for Hamming Metric
LAKE & LOCKER 04/13/2018 5 / 20
The decoding algorithm requires a parity-check matrix of weight d .
Presentation of the rank metric
LRPC Codes
Defnition
Let H ∈ F(qnm −k)×n a full-rank matrix such that the dimension d of hhij iFq is small.
By defnition, H is a parity-check matrix of an [n, k]qm LRPC code. We say that d is the weight of the matrix H .
LAKE & LOCKER 04/13/2018 6 / 20
Presentation of the rank metric
LRPC Codes
Defnition
Let H ∈ F(qnm −k)×n a full-rank matrix such that the dimension d of hhij iFq is small.
By defnition, H is a parity-check matrix of an [n, k]qm LRPC code. We say that d is the weight of the matrix H .
The decoding algorithm requires a parity-check matrix of weight d .
LAKE & LOCKER 04/13/2018 6 / 20
Presentation of the rank metric
Notation
From now, all vectors of Fnqm can be viewed as elements of Fqm [X ]/(P) for some polynomial P .
u X u mod P
⎞⎛ ⎜⎜⎜⎝
⎟⎟⎟⎠ Let u ∈ Fn
qm , (u)M denotes the matrix . . . X n−1u mod P
LAKE & LOCKER 04/13/2018 7 / 20
P ∈ Fq[X ] =⇒ the weight of H is d .Ideal LRPC in rank metric ' QC-MDPC in Hamming metric ' NTRU in Euclidean metric.
Presentation of the rank metric
Ideal LRPC Codes
Defnition Let F be a Fq-subspace of dimension d of Fqm , (h1, h2) two vectors of Fn
qm of support F and P ∈ Fq[X ] a polynomial of degree n.� � By defnition, the matrix H = (h1)M|(h2)M is a parity-check matrix of an [2n, n]qm ideal LRPC code C.
LAKE & LOCKER 04/13/2018 8 / 20
Ideal LRPC in rank metric ' QC-MDPC in Hamming metric ' NTRU in Euclidean metric.
Presentation of the rank metric
Ideal LRPC Codes
Defnition Let F be a Fq-subspace of dimension d of Fqm , (h1, h2) two vectors of Fn
qm of support F and P ∈ Fq[X ] a polynomial of degree n.� � By defnition, the matrix H = (h1)M|(h2)M is a parity-check matrix of an [2n, n]qm ideal LRPC code C.
P ∈ Fq[X ] =⇒ the weight of H is d .
LAKE & LOCKER 04/13/2018 8 / 20
Presentation of the rank metric
Ideal LRPC Codes
Defnition Let F be a Fq-subspace of dimension d of Fqm , (h1, h2) two vectors of Fn
qm of support F and P ∈ Fq[X ] a polynomial of degree n.� � By defnition, the matrix H = (h1)M|(h2)M is a parity-check matrix of an [2n, n]qm ideal LRPC code C.
P ∈ Fq[X ] =⇒ the weight of H is d . Ideal LRPC in rank metric ' QC-MDPC in Hamming metric ' NTRU in Euclidean metric.
LAKE & LOCKER 04/13/2018 8 / 20
P irreducible =⇒ resistant against folding attacks [4].
Presentation of the rank metric
I − LRPC Problem
Problem (Ideal LRPC codes indistinguishability)
Given h ∈ Fnqm and P ∈ Fq[X ] of degree n, it is hard to distinguish if h was sampled uniformly
at random or as x−1y mod P , where x and y have the same support of small dimension d .
Since h defnes an ideal code, it is hard to distinguish between a random ideal code and an ideal LRPC code.
LAKE & LOCKER 04/13/2018 9 / 20
Presentation of the rank metric
I − LRPC Problem
Problem (Ideal LRPC codes indistinguishability)
Given h ∈ Fnqm and P ∈ Fq[X ] of degree n, it is hard to distinguish if h was sampled uniformly
at random or as x−1y mod P , where x and y have the same support of small dimension d .
Since h defnes an ideal code, it is hard to distinguish between a random ideal code and an ideal LRPC code. P irreducible =⇒ resistant against folding attacks [4].
LAKE & LOCKER 04/13/2018 9 / 20
Probabilistic reduction to the NP-Complete ISD problem [3].
Presentation of the rank metric
RSD Problem
Problem (Rank Syndrome Decoding problem)
, s ∈ Fn−k
HeT = sT
|e|R = r
Given H ∈ F(qnm −k)×n
qm and an integer r , fnd e ∈ Fnqm such that:
LAKE & LOCKER 04/13/2018 10 / 20
Presentation of the rank metric
RSD Problem
Problem (Rank Syndrome Decoding problem)
, s ∈ Fn−k
HeT = sT
|e|R = r
Given H ∈ F(qnm −k)×n
qm and an integer r , fnd e ∈ Fnqm such that:
Probabilistic reduction to the NP-Complete ISD problem [3].
LAKE & LOCKER 04/13/2018 10 / 20
Presentation of the rank metric
I − RSD problem
Problem (Ideal Rank Syndrome Decoding problem)
Given h ∈ Fn [X ] of degree n, s ∈ Fn−k and an integer r , fnd e = (e1|e2) ∈ F2n qm , P ∈ Fq qm qm
such that: he1 + e2 = s mod P
|e|R = r
LAKE & LOCKER 04/13/2018 11 / 20
Description of the schemes
1
2
3
Presentation of the rank metric
Description of the schemes
Security and parameters
LAKE & LOCKER 04/13/2018 12 / 20
Description of the schemes
LAKE, a Key Encapsulation Mechanism
Our schemes contain a hash function G modeled as a ROM and an irreducible polynomial P ∈ Fq[X ] of degree n.
Alice Bob $
(x , y ) ← Fnqm × Fn
qm s.t. Supp(x) = Supp(y ) of dim d h
h ← x−1y mod P −−−−−→ (e1, e2)
$← Fn qm × Fn
qm s.t. Supp(e1, e2) = E of dim r
xs = xe1 + y e2 mod P s←−−−−− s = e1 + e2h mod P
E ← LRPC.Deco de(x , y , xs, r)
G (E) Shared Secret G (E)
LAKE & LOCKER 04/13/2018 13 / 20
Description of the schemes
LOCKER, a Public Key Encryption
Our schemes contain an hash function G modeled as a ROM and an irreducible polynomial P ∈ Fq[X ] of degree n. KeyGen(1λ):
$(x , y) ← Fq
nm × Fq
nm s.t. Supp(x) = Supp(y) of dim d
h ← x−1y mod P
sk := (x , y ), pk := h
Bob Alice $
(e1, e2) ← Fnqm × Fn
qm s.t. xs = xe1 + ye2 mod PSupp(e1, e2) = E of dim r C ,s E ← LRPC.Decode(x , y , xs, r)s = e1 + e2h mod P −−−−−→ L L M = C G (E )
C = M G (E )
LAKE & LOCKER 04/13/2018 14 / 20
Security and parameters
1 Presentation of the rank metric
2 Description of the schemes
3 Security and parameters
LAKE & LOCKER 04/13/2018 15 / 20
Applying HHK [5] to LOCKER PKE → IND-CCA2 LOCKER KEMIND-CCA2 LOCKER KEM → LOCKER HE
Security and parameters
Semantic Security
Theorem Under the assumption of the hardness of the I − LRPC and the I − RSD problems, LAKE and LOCKER are IND-CPA in the Random Oracle Model.
LAKE & LOCKER 04/13/2018 16 / 20
Security and parameters
Semantic Security
Theorem Under the assumption of the hardness of the I − LRPC and the I − RSD problems, LAKE and LOCKER are IND-CPA in the Random Oracle Model.
Applying HHK [5] to LOCKER PKE → IND-CCA2 LOCKER KEM IND-CCA2 LOCKER KEM → LOCKER HE
LAKE & LOCKER 04/13/2018 16 / 20
Quantum Speed-Up: Grover’s algorithm directly applies to GRS+ =⇒ exponent isdivided by 2 [2].
I− RSD I− LRPC
O�(nm)3q
12
�rlm(n+1)
2n
m−m
��O�(nm)3q
12(ddm
2 e−m−n)�
Security and parameters
Known Attacks
Combinatorial attacks: try to guess the support of the error or of the small-weight codeword. The best algorithm is GRS+ [1]. On average:
I − RSD I − LRPC� l m � � �m(n+1)r −m ddm e−m−n2nO (nm)3q O (nm)3q 2
LAKE & LOCKER 04/13/2018 17 / 20
Security and parameters
Known Attacks
Combinatorial attacks: try to guess the support of the error or of the small-weight codeword. The best algorithm is GRS+ [1]. On average:
I − RSD I − LRPC� l m � � �m(n+1)r −m ddm e−m−n2nO (nm)3q O (nm)3q 2
Quantum Speed-Up: Grover’s algorithm directly applies to GRS+ =⇒ exponent is divided by 2 [2].
I − RSD I − LRPC� � l m �� � �1 m(n+1)r −m (ddm e−m−n)2 2nO (nm)3q O (nm)3q 2
1 2
LAKE & LOCKER 04/13/2018 17 / 20
Security and parameters
Examples of parameters: LAKE
All the times are given in ms, performed on an Intel Core i7-4700HQ CPU running at 3.40GHz.
Security Message/key Size (bits)
KeyGen Time
Encap Time
Decap Time
Probability of failure
128 3,149 0.65 0.13 0.53 < 2−30
192 4,717 0.73 0.13 0.88 < 2−32
256 6,313 0.77 0.15 1.24 < 2−36
LAKE & LOCKER 04/13/2018 18 / 20
Security and parameters
Examples of parameters: LOCKER
All the times are given in ms, performed on an Intel Core i7-4700HQ CPU running at 3.40GHz.
Security PK Size (bits)
CT Size (bits)
Encrypt Time
Decrypt Time
Probability of failure
128 5,893 6,405 0.22 1.04 < 2−64
192 8,383 8,895 0.23 1.08 < 2−64
256 9,523 10,023 0.25 1.58 < 2−64
128 12,367 12,879 0.56 1.99 < 2−128
192 15,049 15,561 0.56 2.03 < 2−128
256 17,113 17,625 0.62 2.76 < 2−128
LAKE & LOCKER 04/13/2018 19 / 20
Security and parameters
Thank you for your attention !Any questions ?
LAKE & LOCKER 04/13/2018 20 / 20
Security and parameters
Nicolas Aragon, Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. Improvement of Generic Attacks on the Rank Syndrome Decoding Problem. working paper or preprint, October 2017.
Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. Ranksynd a PRNG based on rank metric. In Post-Quantum Cryptography 2016, pages 18–28, Fukuoka, Japan, February 2016.
Philippe Gaborit and Gilles Zémor. On the hardness of the decoding and the minimum distance problems for rank codes. IEEE Trans. Information Theory, 62(12):7245–7252, 2016.
Adrien Hauteville and Jean-Pierre Tillich. New algorithms for decoding in the rank metric and an attack on the LRPC cryptosystem. In Proc. IEEE Int. Symposium Inf. Theory - ISIT 2015, pages 2747–2751, Hong Kong, China, June 2015.
Dennis Hofheinz, Kathrin Hövelmanns, and Eike Kiltz. A modular analysis of the Fujisaki-Okamoto transformation.
LAKE & LOCKER 04/13/2018 20 / 20
Security and parameters
In Theory of Cryptography Conference, pages 341–371. Springer, 2017.
LAKE & LOCKER 04/13/2018 20 / 20