Presentation of the rank metric · Description of the scheme · Security and parameters

OUROBOROS-R, an IND-CPA KEM based on Rank Metric
NIST First Post-Quantum Cryptography Standardization Conference

Carlos Aguilar Melchor (2), Nicolas Aragon (1), Slim Bettaieb (5), Loïc Bidoux (5), Olivier Blazy (1), Jean-Christophe Deneuville (1, 4), Philippe Gaborit (1), Adrien Hauteville (1), Gilles Zémor (3)

(1) University of Limoges, XLIM-DMI, France; (2) ISAE-SUPAERO, Toulouse, France; (3) IMB, University of Bordeaux; (4) INSA-CVL, Bourges, France; (5) Worldline, France.
Outline
1 Presentation of the rank metric
2 Description of the scheme
3 Security and parameters
Rank Metric

We only consider codes with coefficients in $\mathbb{F}_{q^m}$. Let $\beta_1, \dots, \beta_m$ be a basis of $\mathbb{F}_{q^m} / \mathbb{F}_q$. To each vector $x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n$ we can associate a matrix $M_x \in \mathbb{F}_q^{m \times n}$:

$$x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n \;\leftrightarrow\; M_x = \begin{pmatrix} x_{11} & \cdots & x_{1n} \\ \vdots & \ddots & \vdots \\ x_{m1} & \cdots & x_{mn} \end{pmatrix} \in \mathbb{F}_q^{m \times n}$$

such that $x_j = \sum_{i=1}^{m} x_{ij} \beta_i$ for each $j \in [1..n]$.

Definition: $d_R(x, y) = \mathrm{Rank}(M_x - M_y)$ and $|x|_r = \mathrm{Rank}\, M_x$.
Support of a Word

Definition: the support of a word is the $\mathbb{F}_q$-subspace generated by its coordinates:
$$\mathrm{Supp}(x) = \langle x_1, \dots, x_n \rangle_{\mathbb{F}_q}$$

Number of supports of weight $w$:
  Rank metric:    $\begin{bmatrix} m \\ w \end{bmatrix}_q \approx q^{w(m-w)}$
  Hamming metric: $\binom{n}{w} \le 2^n$

Complexity in the worst case: quadratically exponential for the rank metric, simply exponential for the Hamming metric.
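To make the count on this slide concrete, here is an added Python example (not part of the original slides): it evaluates the Gaussian binomial $[m, w]_q$ exactly, the Hamming count $\binom{n}{w}$, and the slide's approximation $q^{w(m-w)}$, so the "quadratically exponential versus simply exponential" gap can be read off in bits. The parameter values passed to compare are constructed for illustration only.

```python
import math


def gaussian_binomial(m, w, q=2):
    """Number of w-dimensional F_q-subspaces of F_q^m, i.e. the q-binomial [m choose w]_q."""
    if w < 0 or w > m:
        return 0
    num = den = 1
    for i in range(w):
        num *= q ** (m - i) - 1      # prod_{i=0}^{w-1} (q^{m-i} - 1)
        den *= q ** (i + 1) - 1      # prod_{i=0}^{w-1} (q^{i+1} - 1)
    return num // den                # the division is exact


def rank_support_count(m, w, q=2):
    """Number of possible rank supports of weight w: Supp(x) is a w-dim F_q-subspace of F_q^m."""
    return gaussian_binomial(m, w, q)


def hamming_support_count(n, w):
    """Number of possible Hamming supports of weight w: w-subsets of the n positions."""
    return math.comb(n, w)


def compare(m, n, w, q=2):
    """Both counts in bits, next to the slide's approximation q^{w(m-w)} for the rank metric."""
    return {
        "rank_log2": math.log2(rank_support_count(m, w, q)),
        "rank_approx_log2": w * (m - w) * math.log2(q),
        "hamming_log2": math.log2(hamming_support_count(n, w)),
    }
```

For example, compare(17, 23, 3) shows that with m = 17 there are about 2^43.6 rank supports of weight 3 (the approximation gives 2^42), against fewer than 2^11 Hamming supports of weight 3 in length 23.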
LRPC Codes

Definition: let $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$ be a full-rank matrix such that the dimension $d$ of $\langle h_{ij} \rangle_{\mathbb{F}_q}$ is small. By definition, $H$ is a parity-check matrix of an $[n, k]_{q^m}$ LRPC code. We say that $d$ is the weight of the matrix $H$.

An LRPC code can decode errors (recover the support) of weight $r \le \frac{n-k}{d}$ in polynomial time with a probability of failure
$$p_f < \max\left( q^{-(n-k-2(r+d)+5)},\; q^{-2(n-k-rd+2)} \right)$$

→ Matrices based on random small-weight codewords with the same support can be turned into a decoding algorithm!
Difficult problems in rank metric

Problem (Rank Syndrome Decoding problem): given $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$, $s \in \mathbb{F}_{q^m}^{n-k}$ and an integer $r$, find $e \in \mathbb{F}_{q^m}^n$ such that
$$H e^T = s^T, \qquad |e|_r = r.$$

Probabilistic reduction to the NP-complete SD problem [Gaborit-Zémor, IEEE-IT 2016].
2 Description of the scheme
OUROBOROS-R scheme

Vectors $x$ of $\mathbb{F}_{q^m}^n$ are seen as elements of $\mathbb{F}_{q^m}[X]/(P)$ for some polynomial $P$.

Alice:
  $\mathrm{seed}_h \leftarrow \{0,1\}^\lambda$, $h \leftarrow \mathbb{F}_{q^m}^n$ (expanded from $\mathrm{seed}_h$)
  $(x, y) \leftarrow \mathcal{S}^{2n}_{1,w}(\mathbb{F}_{q^m})$, $s \leftarrow x + hy$
  $F \leftarrow \mathrm{Supp}(x, y)$
  sends $(h, s)$ to Bob  ──→

Bob:
  $(r_1, r_2, e_r) \leftarrow \mathcal{S}^{3n}_{w_r}(\mathbb{F}_{q^m})$
  $E \leftarrow \mathrm{Supp}(r_1, r_2, e_r)$
  $s_r \leftarrow r_1 + h r_2$, $s_e \leftarrow s r_2 + e_r$
  ←──  sends $(s_r, s_e)$ to Alice

Alice:
  $e_c \leftarrow s_e - y s_r$
  $E \leftarrow \text{QCRS-Recover}(F, e_c, w_r)$

Shared secret: $\mathrm{Hash}(E)$ on both sides.

Figure 1: Informal description of OUROBOROS-R. $h$ and $s$ constitute the public key. $h$ can be recovered by publishing only the $\lambda$ bits of the seed (instead of the $n$ coordinates of $h$).
Why does it work?

$$e_c = s_e - y s_r = s r_2 + e_r - y(r_1 + h r_2) = (x + hy) r_2 + e_r - y(r_1 + h r_2) = x r_2 - y r_1 + e_r$$

Since $1 \in F$, the coordinates of $e_c$ generate a subspace of the product space $\mathrm{Supp}(r_1, r_2, e_r) \cdot \mathrm{Supp}(x, y) = E \cdot F$, on which one can apply the QCRS-Recover algorithm to recover $E$ (LRPC decoder).

In other words: $e_c$ is seen as the syndrome associated to an LRPC code based on the secret key $(x, y)$ → a reasonable decoding algorithm is used to decode a SMALL weight error!
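The following Python is an added worked example, not code from the slides or from the OUROBOROS-R submission. It implements the rank weight and support of the first slides, then runs the exchange of Figure 1 end to end and checks the identity $e_c = x r_2 - y r_1 + e_r$ from this slide. Everything about the instantiation is an assumption made for the example: $q = 2$, $m = 31$ (field $\mathbb{F}_{2^{31}}$ built on $x^{31} + x^3 + 1$), $n = 23$, $P = X^n - 1$, $w = 2$, $w_r = 3$, SHA-256 as $\mathrm{Hash}$ over the sorted elements of $E$, and the support-recovery step written as the basic LRPC decoder $E = \bigcap_{f \in F} f^{-1} \cdot \mathrm{Supp}(e_c)$ (the submission's own QCRS-Recover is not reproduced here). The parameters are illustration-sized, chosen so the decoding failure bound of the LRPC slide stays tiny.

```python
import functools
import hashlib
import random
# Toy parameters, constructed for this example (not the submission's parameter sets).
M, N = 31, 23                      # q = 2, field GF(2^31); ring R = GF(2^M)[X]/(X^N - 1), assumed P
W, W_R = 2, 3                      # rank weight of the secret (x, y) and of (r1, r2, e_r)
POLY = (1 << 31) | (1 << 3) | 1    # x^31 + x^3 + 1, irreducible over GF(2)

def gf_mul(a, b):                  # product in GF(2^M): elements are M-bit ints, addition is XOR
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b, a = b >> 1, a << 1
        a ^= POLY if a >> M & 1 else 0
    return r

def gf_inv(a):                     # a^-1 = a^(2^M - 2) = product of a^(2^i) for i = 1 .. M-1
    r, sq = 1, a
    for _ in range(M - 1):
        sq = gf_mul(sq, sq)
        r = gf_mul(r, sq)
    return r

def ring_add(u, v):
    return [a ^ b for a, b in zip(u, v)]

def ring_mul(u, v):                # cyclic convolution: product modulo X^N - 1
    out = [0] * N
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            out[(i + j) % N] ^= gf_mul(ui, vj)
    return out

def reduce(basis, v):              # reduce v against an echelon basis (distinct leading bits)
    for b in sorted(basis, reverse=True):
        if v >> (b.bit_length() - 1) & 1:
            v ^= b
    return v

def span(vectors):                 # echelon GF(2)-basis of <vectors>; len() is the dimension
    basis = []
    for v in vectors:
        v = reduce(basis, v)
        if v:
            basis.append(v)
    return tuple(basis)

def combine(basis, mask):          # XOR of the basis vectors selected by the bits of mask
    return functools.reduce(int.__xor__, (b for i, b in enumerate(basis) if mask >> i & 1), 0)

def intersect(A, B):               # A ∩ B, enumerating A (dim A <= W * W_R here, at most 63 elements)
    return span([v for k in range(1, 1 << len(A)) for v in [combine(A, k)] if not reduce(B, v)])

def random_support(rng, dim, start=()):   # random dim-dimensional GF(2)-subspace containing <start>
    basis = span(start)
    while len(basis) < dim:
        basis = span(basis + (rng.getrandbits(M),))
    return basis

def random_vector(rng, support):   # length-N vector whose coordinates all lie in `support`
    return [combine(support, rng.getrandbits(len(support))) for _ in range(N)]

def keygen(rng):
    h = [rng.getrandbits(M) for _ in range(N)]        # stands in for expanding seed_h
    F = random_support(rng, W, start=(1,))            # (x, y) in S^{2n}_{1,w}: 1 lies in F
    x, y = random_vector(rng, F), random_vector(rng, F)
    return (h, ring_add(x, ring_mul(h, y))), (x, y, F)   # pk = (h, s = x + h y), sk = (x, y, F)

def encap(rng, pk):
    h, s = pk
    E = random_support(rng, W_R)
    r1, r2, er = (random_vector(rng, E) for _ in range(3))
    sr, se = ring_add(r1, ring_mul(h, r2)), ring_add(ring_mul(s, r2), er)
    return (sr, se), span(r1 + r2 + er), (r1, r2, er)    # E = Supp(r1, r2, e_r)

def recover_support(F, ec, w_r):   # LRPC support recovery: E = ∩_{f in F} f^-1 . Supp(e_c)
    S = E = span(ec)               # Supp(e_c) sits inside the product space E.F
    for f in F:
        E = intersect(E, span([gf_mul(gf_inv(f), s) for s in S]))
    return E if len(E) == w_r else None   # None signals a decoding failure

def decap(sk, ct):
    x, y, F = sk
    ec = ring_add(ct[1], ring_mul(y, ct[0]))   # e_c = s_e - y s_r (minus is plus in characteristic 2)
    return recover_support(F, ec, W_R), ec

def shared_secret(E):              # Hash(E): hash the sorted elements of E, so any basis of E agrees
    elems = sorted(combine(E, k) for k in range(1 << len(E)))
    return hashlib.sha256(b"".join(e.to_bytes(4, "big") for e in elems)).hexdigest()

def run_exchange(seed):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct, E_bob, (r1, r2, er) = encap(rng, pk)
    E_alice, ec = decap(sk, ct)
    return {  # e_c = x r2 - y r1 + e_r is the identity from the "Why does it work?" slide
        "identity_holds": ec == ring_add(ring_add(ring_mul(sk[0], r2), ring_mul(sk[1], r1)), er),
        "ec_weight": len(span(ec)),            # |e_c|_r, at most w * w_r = dim E.F
        "match": E_alice is not None and shared_secret(E_alice) == shared_secret(E_bob)}
```

run_exchange(seed) returns a dict whose "match" entry is True when Alice's recovered support hashes to the same shared secret as Bob's; "ec_weight" shows that $e_c$ has rank weight at most $w \cdot w_r$, which is exactly why the LRPC-style decoder can recover $E$ from it.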
3 Security and parameters
Semantic Security

Theorem: under the assumption of the hardness of the $[2n, n]$-Decisional-QCRSD and $[3n, n]$-Decisional-QCRSD problems, OUROBOROS-R is IND-CPA in the Random Oracle Model.
Best Known Attacks

Combinatorial attacks: try to guess the support of the error or of the codeword. The best algorithm is GRS+ (Aragon et al., ISIT 2018). On average:
$$O\left( (nm)\, q^{\,r \lceil km/n \rceil - m} \right)$$

Quantum speed-up: Grover's algorithm directly applies to GRS+ ⇒ exponent divided by 2.
Examples of parameters

All the times are given in ms, measured on an Intel Core i7-4700HQ CPU running at 3.40GHz.

Security   Key size   Ciphertext    KeyGen      Encap       Decap       Probability
           (bits)     size (bits)   time (ms)   time (ms)   time (ms)   of failure
128        5,408      10,816        0.18        0.29        0.53        < 2^-36
192        6,456      12,912        0.19        0.33        0.97        < 2^-36
256        8,896      17,792        0.24        0.40        1.38        < 2^-42
Advantages and Limitations

Advantages:
- Small key size
- Very fast encryption/decryption time
- Reduction to decoding a random (QC) code
- Well understood decryption failure probability

Limitations:
- Longer ciphertext (compared to LRPC) because of the reconciliation (×2)
- Slightly larger parameters than LRPC because of the security reduction
- RSD problem studied for 27 years
Questions!