McNie NIST Submission
Jon-Lark Kim, Sogang University, S. Korea
PQCRYPTO Workshop, Taipei, June 29 2018
Outline
1. McNie: a new code-based cryptography
2. General algorithm specification: key generation, encryption, decryption
3. Rank metric codes: definition, using 3-QC-LRPC codes, using 4-QC-LRPC codes
4. Suggested parameters
5. Connection between Ouroboros-R and McNie
Kim, J.-L. McNie NIST Submission 05/31/2018 2 / 25
McEliece: the first code-based cryptography
The McEliece cryptosystem and its variants are well-known code-based public key cryptosystems:
$$c = mG + e, \qquad \text{public key } G = AG'P,$$
where $m$ is a message, $c$ is a ciphertext, $G'$ is a secret generator matrix for a code that can correct the error $e$, $A$ is a secret invertible matrix, and $P$ is a secret permutation matrix. However, McEliece variants built on many highly structured algebraic codes have been broken through that very structure; Goppa codes are the exception.
McNie: a new code-based cryptography
Our McNie is a new code-based public key cryptosystem that is less vulnerable to the currently known structural attacks. McNie is one of the 64 algorithms that passed round 1 of the 2017 NIST Competition for Post-Quantum Cryptography. In general, McNie can be instantiated with either the Hamming weight or the rank weight.
McNie: Key generation
Consider the Hamming weight or the rank weight.
Secret key: $(H, P, S, \Phi_H)$
- $H$: a parity-check matrix for an $[n, k]$ code $C$ over $\mathbb{F}_{q^m}$
- $P$: an $n \times n$ permutation matrix
- $S$: an $(n-k) \times (n-k)$ invertible matrix over $\mathbb{F}_{q^m}$
- $\Phi_H$: an efficient decoding algorithm for $C$ which corrects errors of weight up to $r$
Public key: $(G', F)$
- $G'$: a generator matrix for a random $[n, l]$ code over $\mathbb{F}_{q^m}$
- $F = G' P^{-1} H^T S$
McNie: Encryption
Message: $m \in \mathbb{F}_{q^m}^{l}$. Randomly generate $e \in \mathbb{F}_{q^m}^{n}$ of weight $r$.
$$\mathrm{Enc}(m) = (c_1, c_2), \qquad c_1 = mG' + e, \qquad c_2 = mF = mG'P^{-1}H^T S.$$
McNie: Decryption
Received vector: $c = (c_1, c_2)$. Compute
$$s' = c_1 P^{-1} H^T - c_2 S^{-1} = (mG' + e)P^{-1}H^T - (mG'P^{-1}H^T S)S^{-1} = eP^{-1}H^T .$$
Decode the syndrome: $\Phi_H(s') = eP^{-1} = e'$, so $e = e'P$. Solve the system $mG' = c_1 - e$ to recover $m$.
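An added worked instance of the three steps above (not code from the McNie submission): a toy Hamming-metric McNie over GF(2), with the [7,4] Hamming code as the secret code C and its syndrome decoder as Φ_H. The parameters n = 7, k = 4, l = 4, r = 1 and the systematic form G' = [I_l | A] are constructed for illustration only and are far too small to be secure.

```python
import random
# Toy McNie, Hamming metric over GF(2) (q = 2, m = 1): C = [7,4] Hamming code, Phi_H = its syndrome decoder (r = 1).
N, K, L = 7, 4, 4
H = [[1, 0, 1, 0, 1, 0, 1], [0, 1, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]  # columns = 1..7 in binary
def mmul(A, B): return [[sum(a * b for a, b in zip(r, c)) % 2 for c in zip(*B)] for r in A]
def tr(A): return [list(c) for c in zip(*A)]
def xor(u, v): return [a ^ b for a, b in zip(u, v)]

def solve_left(A, b):
    """Return x with x*A = b over GF(2) (elimination on the augmented matrix A^T | b^T)."""
    M, piv, r = [row + [bit] for row, bit in zip(tr(A), b)], [], 0
    for c in range(len(A)):
        p = next((i for i in range(r, len(M)) if M[i][c]), None)
        if p is None: continue
        M[r], M[p] = M[p], M[r]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = xor(M[i], M[r])
        piv.append(c); r += 1
    if any(row[-1] for row in M[r:]): raise ValueError("no solution")
    x = [0] * len(A)
    for i, c in enumerate(piv): x[c] = M[i][-1]
    return x

def keygen(rng):
    perm = list(range(N)); rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]                 # permutation matrix
    low = [[int(i == j) or rng.randint(0, 1) * (i > j) for j in range(N - K)] for i in range(N - K)]
    up = [[int(i == j) or rng.randint(0, 1) * (i < j) for j in range(N - K)] for i in range(N - K)]
    S = mmul(low, up)                              # unit lower x unit upper triangular: always invertible
    Gp = [[int(i == j) if j < L else rng.randint(0, 1) for j in range(N)] for i in range(L)]  # G' = [I_L | A]
    F = mmul(mmul(mmul(Gp, tr(P)), tr(H)), S)      # F = G' P^-1 H^T S, using P^-1 = P^T
    return (Gp, F), (H, P, S)                      # public key, secret key

def encrypt(pk, msg, rng):
    Gp, F = pk
    e = [0] * N; e[rng.randrange(N)] = 1           # random error of weight r = 1
    return xor(mmul([msg], Gp)[0], e), mmul([msg], F)[0]   # (c1, c2) = (m G' + e, m F)

def decrypt(sk, pk, ct):
    Hs, P, S = sk; Gp = pk[0]; c1, c2 = ct
    s = xor(mmul([c1], mmul(tr(P), tr(Hs)))[0], solve_left(S, c2))  # s' = c1 P^-1 H^T - c2 S^-1 = e P^-1 H^T
    e_perm = [int(col == s) for col in tr(Hs)]     # Phi_H: s' equals column j of H -> e' has its single 1 at j
    e = mmul([e_perm], P)[0]                       # e = e' P
    return solve_left(Gp, xor(c1, e))              # recover m from m G' = c1 - e

def roundtrip(seed):
    rng = random.Random(seed); pk, sk = keygen(rng)
    msg = [rng.randint(0, 1) for _ in range(L)]
    return decrypt(sk, pk, encrypt(pk, msg, rng)) == msg
```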
Apply McNie to rank metric codes
Let $\{\alpha_1, \alpha_2, \dots, \alpha_m\}$ be a basis for $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$. A vector $c = (c_1, \dots, c_n) \in \mathbb{F}_{q^m}^{n}$ corresponds to the $m \times n$ matrix over $\mathbb{F}_q$
$$\bar{c} = \begin{pmatrix} c_{11} & \cdots & c_{1n} \\ \vdots & \ddots & \vdots \\ c_{m1} & \cdots & c_{mn} \end{pmatrix}, \qquad c_j = \sum_{i=1}^{m} c_{ij}\,\alpha_i .$$
Rank weight: $w_R(c) = \mathrm{Rank}(\bar{c})$. Rank distance: $d_R(c, c') = \mathrm{Rank}(\bar{c} - \bar{c}')$.
A rank metric code is an $[n, k]$ code over $\mathbb{F}_{q^m}$ equipped with the rank metric.
A family of rank metric codes used in McNie: a Low Rank Parity Check (LRPC) code of rank $d$ is an $[n, k]$ code over $\mathbb{F}_{q^m}$ that has for its parity-check matrix an $(n-k) \times n$ matrix $H = (h_{ij})$ such that the sub-vector space of $\mathbb{F}_{q^m}$ generated by its coefficients $h_{ij}$ has dimension at most $d$.
Using 3-quasi-cyclic LRPC codes
We use circulant matrices and construct quasi-cyclic LRPC codes over $\mathbb{F}_{q^m}$ in order to reduce the key size. Let $n$ be a multiple of 3 and the block size $blk = n/3$.
Generate $h_1, h_2, h_3 \in \mathbb{F}_{q^m}^{blk}$ s.t. $\dim \mathrm{Supp}(h_1, h_2, h_3) = d$. Generate $g_1, g_2 \in \mathbb{F}_{q^m}^{blk}$. Let $H_i, G_j$ be the circulant matrices whose first rows are $h_i$ and $g_j$, respectively. Let
$$H = [\,H_1 \;\; H_2 \;\; H_3\,], \qquad G' = \begin{pmatrix} I_{blk} & 0 & G_1 \\ 0 & I_{blk} & G_2 \end{pmatrix}.$$
Take $P = I_n$ and $S = (H_1^T + G_1 H_3^T)^{-1}$, which is also a circulant matrix. Then $F = G'P^{-1}H^T S$ has the following form:
$$F = \begin{pmatrix} I_{n/3} \\ F' \end{pmatrix}, \qquad \text{where } F' = (H_2^T + G_2 H_3^T)(H_1 + H_3 G_1^T)^{-1}.$$
Using 4-quasi-cyclic LRPC codes
Let $n$ be divisible by 4 and the block size $blk = n/4$. Generate $h_1, h_2, \dots, h_8 \in \mathbb{F}_{q^m}^{blk}$ s.t. $\dim \mathrm{Supp}(h_1, h_2, \dots, h_8) = d$. Generate vectors $g_1, g_2, g_3 \in \mathbb{F}_{q^m}^{blk}$. Let
$$H = \begin{pmatrix} H_1 & H_2 & H_3 & H_4 \\ H_5 & H_6 & H_7 & H_8 \end{pmatrix}, \qquad G' = \begin{pmatrix} I_{blk} & 0 & 0 & G_1 \\ 0 & I_{blk} & 0 & G_2 \\ 0 & 0 & I_{blk} & G_3 \end{pmatrix}.$$
Take $P = I_n$ and $\bar{S} = \begin{pmatrix} S_1 & S_2 \\ S_3 & S_4 \end{pmatrix}$, where $S_1, S_2, S_3, S_4$ are $blk \times blk$ circulant matrices. Then
$$\bar{F} = G' P^{-1} H^T \bar{S} = \begin{pmatrix} F_1 & F_2 \\ F_3 & F_4 \\ F_5 & F_6 \end{pmatrix}.$$
Reduce $\bar{F}$ to column echelon form:
$$F = \bar{F}E = \begin{pmatrix} I_{blk} & 0 \\ 0 & I_{blk} \\ F' & F'' \end{pmatrix}, \qquad \text{where } E = \begin{pmatrix} E_1 & E_2 \\ E_3 & E_4 \end{pmatrix} = \begin{pmatrix} (F_2^{-1}F_1 - F_4^{-1}F_3)^{-1}F_2^{-1} & (F_4^{-1}F_3 - F_2^{-1}F_1)^{-1}F_4^{-1} \\ -F_4^{-1}F_3 E_1 & -F_2^{-1}F_1 E_2 \end{pmatrix}.$$
Suggested parameters

Table: Suggested parameters using 3-quasi-cyclic LRPC codes

| Parameter | n | k | l | blk | d | r | m | q | Category |
|---|---|---|---|---|---|---|---|---|---|
| encrypt/3Q_128_1 | 93 | 62 | 62 | 31 | 3 | 5 | 37 | 2 | 1 |
| encrypt/3Q_128_2 | 105 | 70 | 70 | 35 | 3 | 5 | 37 | 2 | 1 |
| encrypt/3Q_192_1 | 111 | 74 | 74 | 37 | 3 | 7 | 41 | 2 | 3 |
| encrypt/3Q_192_2 | 123 | 82 | 82 | 41 | 3 | 7 | 41 | 2 | 3 |
| encrypt/3Q_256_1 | 111 | 74 | 74 | 37 | 3 | 7 | 59 | 2 | 5 |
| encrypt/3Q_256_2 | 141 | 94 | 94 | 47 | 3 | 9 | 47 | 2 | 5 |

Table: Suggested parameters using 4-quasi-cyclic LRPC codes

| Parameter | n | k | l | blk | d | r | m | q | Category |
|---|---|---|---|---|---|---|---|---|---|
| encrypt/4Q_128_1 | 60 | 30 | 45 | 15 | 3 | 5 | 37 | 2 | 1 |
| encrypt/4Q_128_2 | 72 | 36 | 54 | 18 | 3 | 5 | 37 | 2 | 1 |
| encrypt/4Q_192_1 | 76 | 38 | 57 | 19 | 3 | 7 | 41 | 2 | 3 |
| encrypt/4Q_192_2 | 84 | 42 | 63 | 21 | 3 | 7 | 41 | 2 | 3 |
| encrypt/4Q_256_1 | 76 | 38 | 57 | 19 | 3 | 7 | 53 | 2 | 5 |
| encrypt/4Q_256_2 | 88 | 44 | 66 | 22 | 3 | 8 | 47 | 2 | 5 |
Key sizes for suggested parameters

Table: Key sizes for the suggested parameters for McNie using 3-QC-LRPC codes

| Parameter | Decryption failure 1 | Decryption failure 2 | Public key size (bytes) | Private key size (bytes) | Message size (bytes) | Ciphertext size (bytes) |
|---|---|---|---|---|---|---|
| encrypt/3Q_128_1 | -17 | -34 | 431 | 194 | 314 | 579 |
| encrypt/3Q_128_2 | -20 | -34 | 486 | 218 | 358 | 653 |
| encrypt/3Q_192_1 | -17 | -26 | 569 | 247 | 454 | 764 |
| encrypt/3Q_192_2 | -20 | -26 | 631 | 274 | 505 | 846 |
| encrypt/3Q_256_1 | -17 | -62 | 819 | 337 | 636 | 1097 |
| encrypt/3Q_256_2 | -20 | -22 | 829 | 348 | 699 | 1110 |

Table: Key sizes for the suggested parameters for McNie using 4-QC-LRPC codes

| Parameter | Decryption failure 1 | Decryption failure 2 | Public key size (bytes) | Private key size (bytes) | Message size (bytes) | Ciphertext size (bytes) |
|---|---|---|---|---|---|---|
| encrypt/4Q_128_1 | -16 | -34 | 347 | 340 | 215 | 422 |
| encrypt/4Q_128_2 | -21 | -34 | 417 | 401 | 264 | 505 |
| encrypt/4Q_192_1 | -18 | -26 | 487 | 465 | 336 | 590 |
| encrypt/4Q_192_2 | -21 | -26 | 539 | 512 | 373 | 651 |
| encrypt/4Q_256_1 | -18 | -50 | 630 | 584 | 432 | 761 |
| encrypt/4Q_256_2 | -20 | -30 | 647 | 601 | 461 | 781 |
McNie vs other cryptosystems

Table: Key-size (bits) comparison with other code-based cryptosystems

| Security level | McNie 3-quasi | McNie 4-quasi | DC-LRPC [3] | DC-MDPC [6] | QD-Goppa [7] | Goppa [2] |
|---|---|---|---|---|---|---|
| 128 | 3441 | 2775 | 2809 | 9857 | 32768 | 1537536 |
| 192 | 4551 | 3895 | - | - | 45056 | 4185415 |
| 256 | 6549 | 5035 | - | 32771 | 65536 | 7667855 |

Table: Comparison of key sizes (bits)

| Security level | McNie 3-quasi | McNie 4-quasi | NTRU | RSA | ECC | ECC AWC |
|---|---|---|---|---|---|---|
| 128 | 3441 | 2775 | 4939 | 3072 | 256 | 277280 |
| 192 | 4551 | 3895 | 6523 | 7680 | 384 | 936618 |
| 256 | 6549 | 5035 | 8173 | 15360 | 512 | 1595434 |
Recent attack on McNie based on 3,4-QC LRPC codes by P. Gaborit
Let $m = (m_1, m_2, \dots, m_l)$. From $c_2 = mF$, we obtain $n - k$ linear relations in the $m_i$'s. Hence, all the $m_i$'s can be expressed in terms of some fixed $l - (n-k)$ coordinates. We can rewrite $c_1$ as $c_1 = m'G'' + e$, where $G''$ generates a code of dimension $l - (n-k)$. So the attacker faces a code of dimension $l - (n-k)$ instead of a code of dimension $l$.
Improvement on generic attacks on RSD (Rank Syndrome Decoding) by Aragon, Gaborit, Hauteville, Tillich [1]
The attack is an adaptation of the ISD attack to RSD. This improvement uses the $\mathbb{F}_{q^m}$-linearity of the code. The main idea is to consider the code $C' = C + \mathbb{F}_{q^m} e$. The problem is then reduced to finding a weight-$r$ codeword in $C'$. Instead of looking for the support $E$ of the error $e$, we can look for a multiple $\alpha E$, $\alpha \in \mathbb{F}_{q^m}^{*}$, of the support. This attack has complexity
$$O\!\left((n-k)^3 m^3 q^{\,r\lceil (k+1)m/n \rceil - m}\right).$$