RAMESSES: a Rank Metric Encryption Scheme with Short Keys
Julien Lavauzelle, Pierre Loidreau, Ba-Duc Pham
IRMAR, Université de Rennes 1
Groupe de travail cryptographie à base de codes (code-based cryptography working group), 25/11/2019
Introduction

Goal: design a new public-key encryption scheme that
◮ is based on the problem of decoding Gabidulin codes beyond their unique decoding radius,
◮ features very compact keys and short ciphertexts,
◮ admits efficient encryption and decryption algorithms.

1/28 J. Lavauzelle – RAMESSES – GT code-based crypto
Outline

1. Past efforts
   – Augot-Finiasz PKE
   – Faure-Loidreau PKE
2. RAMESSES: new PKE based on rank metric
   – Background
   – The scheme
   – Correctness
   – Security
Codes in Hamming metric

Linear code $C \subseteq \mathbb{F}_q^n$, with Hamming metric: $d(a, b) := |\{ i \in [1, n] : a_i \neq b_i \}|$.

Let $x = (x_1, \dots, x_n) \in \mathbb{F}_q^n$ be pairwise distinct. The Reed-Solomon code of dimension $k$ and evaluation vector $x$ is
$$\mathrm{RS}_k(x) := \{ \mathrm{ev}_x(P) := (P(x_1), \dots, P(x_n)) \mid P(X) \in \mathbb{F}_q[X]_{<k} \}.$$

Decoding $w$ errors in $\mathrm{RS}_k(x)$ (figure on the slide: a number line for $w = \mathrm{wt}(e)$ from $0$ to $n$, with marks at $\frac{n-k}{2}$, $n - \sqrt{nk}$ and $n - k$):
– $0 \le w \le \frac{n-k}{2}$: unique decoding (easy);
– $\frac{n-k}{2} < w \le n - \sqrt{nk}$: list decoding (easy);
– $n - \sqrt{nk} < w < n - k$: hard;
– $w \ge n - k$: interpolation.

V. Guruswami, A. Vardy, Maximum-likelihood decoding of Reed-Solomon codes is NP-hard, IEEE TIT, 2005.
Augot-Finiasz cryptosystem

D. Augot, M. Finiasz, A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem, EUROCRYPT, 2003.

Public parameters:
– $x \in \mathbb{F}_q^n$ pairwise distinct, locators of $\mathrm{RS}_k(x)$;
– $n$, $k$, $w$, $w'$ with $n - \sqrt{nk} < w < n - k$ and $w' \le \frac{n - k - w}{2}$.

KeyGen:
– private key: $P \in \mathbb{F}_q[X]_{<k-1}$ and $e \in \mathbb{F}_q^n$ with $\mathrm{wt}(e) = w$;
– public key: the noisy codeword $k_{\mathrm{pub}} = \mathrm{ev}_x(P + X^{k-1}) + e$.
Augot-Finiasz cryptosystem

Encrypt: plaintext is $M \in \mathbb{F}_q[X]_{<k-1}$
1. pick $\alpha \in \mathbb{F}_q$ and $e' \in \mathbb{F}_q^n$ with $\mathrm{wt}(e') = w'$;
2. ciphertext $y = \mathrm{ev}_x(M) + \alpha\, k_{\mathrm{pub}} + e'$.

Decrypt: ciphertext is $y \in \mathbb{F}_q^n$
1. puncture $y$ at $\mathrm{supp}(e) := \{ i \in [1, n] : e_i \neq 0 \}$ → get $y' \in \mathbb{F}_q^{n-w}$;
2. decode $w'$ errors from $y'$ → get $\mathrm{ev}_{x'}(M) + \alpha\, \mathrm{ev}_{x'}(P + X^{k-1}) \in \mathbb{F}_q^{n-w}$ (where $x'$ is $x$ punctured at $\mathrm{supp}(e)$);
3. interpolation → recover $\underbrace{(M + \alpha P)}_{\deg \le k-2} + \alpha X^{k-1}$ → recover $\alpha$ (the coefficient of $X^{k-1}$) → recover $M$ (since $P$ is known).
Coron's attack (1)

J.-S. Coron, Cryptanalysis of a Public-Key Encryption Scheme Based on the Polynomial Reconstruction Problem, PKC, 2004.

Ciphertext attack: retrieve $M$ from $y = \mathrm{ev}_x(M) + \alpha\, k_{\mathrm{pub}} + e'$.

Let $V_{e'}(X) = \prod_{i \in \mathrm{supp}(e')} (X - x_i)$. Then
$$V_{e'}(x_i)\,(y_i - \alpha\, k_{\mathrm{pub},i}) = V_{e'}(x_i)\, M(x_i), \quad \forall i = 1, \dots, n.$$

Consider the system
$$(S_\lambda): \quad V(x_i)\,(y_i - \lambda\, k_{\mathrm{pub},i}) = A(x_i), \ \forall i = 1, \dots, n, \qquad \deg V \le w', \ \deg A \le k - 1 + w'.$$

For all $\lambda$, $(S_\lambda)$ has $n$ equations and $u = k + 2w' + 1$ unknowns (overdetermined).
◮ if $\lambda \neq \alpha$: a non-trivial solution exists with probability $\ll 1$;
◮ if $\lambda = \alpha$: $(V, A) = (V_{e'}, V_{e'} M)$ is a solution.
Coron's attack (2)

Goal: retrieve $\alpha$.

Sketch of Coron's attack:
◮ If $(S_0)$ has no non-zero solution:
  ◮ find a full-rank sub-system $(S'_\lambda)$ of $u$ equations (and $u$ unknowns);
  ◮ solve $\det(S'_\lambda) = 0$ ($\lambda \mapsto \det(S'_\lambda)$ is a polynomial of degree $\le w' + 1$);
  ◮ get $\lambda = \alpha$ among the solutions.
◮ Otherwise: let $(V, A)$ be a solution of $(S_0)$.
  ◮ One can prove ($\simeq$ Berlekamp-Welch) that $\frac{A}{V} = M + \alpha (P + X^{k-1}) \in \mathbb{F}_q[X]$.
  ◮ Find $\alpha$ as the leading coefficient of $\frac{A}{V}$.
Rank metric codes

Field extension $\mathbb{F}_q / \mathbb{F}_2$, say $q = 2^m$.
$g = (g_1, \dots, g_m) \in \mathbb{F}_q^m$ an ordered basis of $\mathbb{F}_q / \mathbb{F}_2$.

Extension map
$$\mathrm{Ext}_g : \mathbb{F}_q^n \to \mathbb{F}_2^{m \times n}, \quad x \mapsto X = (x_{i,j}) \ \text{ where } \ x_j = \sum_{i=1}^{m} g_i\, x_{i,j} \in \mathbb{F}_{2^m}.$$
By definition, $\mathrm{Ext}_g(gX) = X$.

The rank distance is defined as
$$d(x, y) = \mathrm{rk}(x - y) := \mathrm{rk}_{\mathbb{F}_2}(\mathrm{Ext}_g(x - y)).$$
Gabidulin codes

Let $\theta : x \mapsto x^2$ be the $\mathbb{F}_2$-linear Frobenius automorphism. If $P \in \mathbb{F}_q[X]$, then $P(\theta) \in \mathrm{End}_{\mathbb{F}_2}(\mathbb{F}_q)$ and $\dim(\ker P(\theta)) \le \deg P$.

Let $g = (g_1, \dots, g_n) \in \mathbb{F}_q^n$ be $\mathbb{F}_2$-linearly independent. The Gabidulin code of dimension $k$ and evaluation vector $g$ is
$$\mathrm{Gab}_k(g) := \{ P(g) := (P(\theta)(g_1), \dots, P(\theta)(g_n)) \mid P(X) \in \mathbb{F}_q[X]_{<k} \}.$$

Decoding errors of rank $w$ in $\mathrm{Gab}_k(g)$ (figure on the slide: a number line for $w = \mathrm{rk}(e)$ from $0$ to $n$, with marks at $\frac{n-k}{2}$ and $n - k$):
– $0 \le w \le \frac{n-k}{2}$: unique decoding (easy);
– $\frac{n-k}{2} < w < n - k$: hard (worst case);
– $w \ge n - k$: interpolation.

N. Raviv, A. Wachter-Zeh, Some Gabidulin Codes Cannot Be List Decoded Efficiently at any Radius, IEEE TIT, 2016.
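The objects of the two preceding slides ($\mathrm{Ext}_g$, the rank weight $\mathrm{rk}(x)$, the linearized evaluation $P(\theta)$ and $\mathrm{Gab}_k(g)$) made concrete on a field small enough to exhaust. This is an added example, not code from the slides: it assumes $q = 2^4$ with $\mathbb{F}_{16} = \mathbb{F}_2[a]/(a^4 + a + 1)$ and the polynomial basis $g = (1, a, a^2, a^3)$, so that the coordinates of a field element in $g$ are simply its bits; function names are the example's own. Beyond the slides' definitions it checks, by brute force, that $\dim \ker P(\theta) \le \deg P$, that a vector can have full Hamming weight but rank 1, and the known (not stated on the slide) fact that $\mathrm{Gab}_2(g)$ with $n = 4$ reaches minimum rank distance $n - k + 1 = 3$.

```python
"""Rank metric and Gabidulin codes over F_16 (constructed example; polynomial basis assumed)."""
from itertools import product

m = 4
MODULUS = 0b10011    # a^4 + a + 1, irreducible over F_2: F_16 = F_2[a]/(a^4 + a + 1)
a = 0b10             # the class of a; field elements are 4-bit ints, bit i = coefficient of a^i

def gf_mul(x, y):
    """Multiplication in F_16 (shift-and-add with reduction modulo a^4 + a + 1)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & (1 << m):
            x ^= MODULUS
    return r

def gf_pow(x, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, x)
    return r

def frobenius(x, l):
    """theta^l(x) = x^(2^l): iterate the Frobenius automorphism theta: x -> x^2."""
    for _ in range(l):
        x = gf_mul(x, x)
    return x

g_basis = [gf_pow(a, i) for i in range(m)]   # ordered basis g = (1, a, a^2, a^3) of F_16 / F_2

def ext_g(x):
    """Ext_g(x): the m x n binary matrix whose column j holds the coordinates of x_j in g.
    With the polynomial basis these coordinates are the bits of x_j."""
    return [[(xj >> i) & 1 for xj in x] for i in range(m)]

def rank_f2(vecs):
    """Rank over F_2 of a list of bit-vectors (ints), by elimination on leading bits."""
    pivots = {}                      # leading-bit position -> pivot vector
    for v in vecs:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]           # cancel the leading bit and keep reducing
    return len(pivots)

def rank_weight(x):
    """rk(x) := rk_{F_2}(Ext_g(x)); the rank of the matrix is the rank of its columns."""
    cols = [sum(bit << i for i, bit in enumerate(col)) for col in zip(*ext_g(x))]
    return rank_f2(cols)

def hamming_weight(x):
    return sum(1 for xj in x if xj)

def gab_eval(P, g):
    """P(g) = (P(theta)(g_1), ..., P(theta)(g_n)) where P(theta) = sum_l p_l theta^l."""
    out = []
    for gi in g:
        acc = 0
        for l, pl in enumerate(P):   # P given lowest degree first
            acc ^= gf_mul(pl, frobenius(gi, l))   # addition in F_16 is XOR
        out.append(acc)
    return out

def kernel_dim(P):
    """dim_{F_2} ker P(theta): the zeros of P(theta) form an F_2-subspace, so their
    count is a power of two and its log2 is the dimension."""
    zeros = sum(1 for x in range(1 << m) if gab_eval(P, [x])[0] == 0)
    return zeros.bit_length() - 1

def min_rank_distance(k, g):
    """Minimum rank weight of a nonzero codeword of Gab_k(g), by exhaustive search."""
    return min(rank_weight(gab_eval(list(P), g))
               for P in product(range(1 << m), repeat=k) if any(P))

if __name__ == "__main__":
    e = [a, a, a, a]                 # every column of Ext_g(e) is the same: rank 1, Hamming weight 4
    print(hamming_weight(e), rank_weight(e))
    print(kernel_dim([1, 1]), "<= deg P = 1")       # P(theta) = 1 + theta, i.e. x -> x + x^2
    print(min_rank_distance(2, g_basis))            # 3 = n - k + 1 for n = 4, k = 2
```

The error vector `e` is the point of the rank metric: in Hamming metric it corrupts every coordinate, but in rank metric it is a single-rank error, which is why the decoding radii on the Gabidulin slide are stated in terms of $\mathrm{rk}(e)$ rather than $\mathrm{wt}(e)$.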
Translation of Augot-Finiasz PKE into rank metric (1)

Public parameters:
– $g \in \mathbb{F}_q^n$ linearly independent over $\mathbb{F}_2$;
– $k$, $w$, $w'$ with $\frac{n-k}{2} < w < n - k$ and $w' \le \frac{n - k - w}{2}$.

KeyGen:
– private key: $P \in \mathbb{F}_q[X]_{<k-1}$ and $e \in \mathbb{F}_q^n$ with $\mathrm{rk}(e) = w$;
– public key: the noisy codeword $k_{\mathrm{pub}} = (P + X^{k-1})(g) + e$.
Translation of Augot-Finiasz PKE into rank metric (2)

Encrypt: plaintext is $M \in \mathbb{F}_q[X]_{<k-1}$
1. pick $\alpha \in \mathbb{F}_q$ and $e' \in \mathbb{F}_q^n$ with $\mathrm{rk}(e') = w'$;
2. ciphertext $y = M(g) + \alpha\, k_{\mathrm{pub}} + e'$.

Decrypt: ciphertext is $y \in \mathbb{F}_q^n$
1. "puncture" $y$ at $\mathrm{supp}(e) := \sum_{i=1}^{n} \mathbb{F}_2\, e_i$ → get $y' \in \mathbb{F}_q^{n-w}$;
2. decode $w'$ errors from $y'$ → get $M(g') + \alpha (P + X^{k-1})(g') \in \mathbb{F}_q^{n-w}$;
3. interpolation → recover $\underbrace{(M + \alpha P)}_{\deg \le k-2} + \alpha X^{k-1}$, then $\alpha$, then $M$.