two attacks on rank metric code based
play

Two attacks on rank metric code-based Jean-Pierre Tillich schemes: - PowerPoint PPT Presentation

Dec 07, 2023 •405 likes •668 views

Two attacks on rank metric code-based schemes: RankSign and an IBE scheme Thomas Debris-Alazard and Two attacks on rank metric code-based Jean-Pierre Tillich schemes: RankSign and an IBE scheme Generalities on Rank-Based Cryptography

  1. Two attacks on rank metric code-based schemes: RankSign and an IBE scheme Thomas Debris-Alazard and Two attacks on rank metric code-based Jean-Pierre Tillich schemes: RankSign and an IBE scheme Generalities on Rank-Based Cryptography LRPC-codes in RankSign Thomas Debris-Alazard and Jean-Pierre Tillich [GMRZ13] Our Attack December 3, 2018 Asiacrypt 2018 - Brisbane 1 / 22

  2. Two attacks on rank metric code-based Results schemes: RankSign and an IBE scheme Thomas Debris-Alazard and Results of the paper: Jean-Pierre Tillich Generalities on • Attack on a code-based “hash-and-sign” scheme RankSign Rank-Based Cryptography [GRSZ14] submitted to the NIST PQC Standardization; LRPC-codes in RankSign − → Can not be thwarted by changing the parameters. [GMRZ13] Our Attack • Attack on the first code-based Identity-Based-Encryption (IBE) [GHPT17] in rank-metric; − → Parameters can be chosen to avoid it. • IBE: moving Rank → Hamming metric no go. 2 / 22

  3. Two attacks on rank metric code-based schemes: RankSign and an IBE scheme Thomas Debris-Alazard and Jean-Pierre 1 Generalities on Rank-Based Cryptography Tillich Generalities on Rank-Based Cryptography LRPC-codes in 2 LRPC-codes in RankSign [GMRZ13] RankSign [GMRZ13] Our Attack 3 Our Attack 3 / 22

  4. Two attacks on rank metric code-based Rank vs Hamming in schemes: RankSign and an IBE scheme Cryptography Thomas Debris-Alazard and Jean-Pierre Tillich Generalities on Rank-Based Cryptography • Advantages: • In rank metric: alphabet size q m has an impact on the metric LRPC-codes in RankSign [GMRZ13] → Useful for security reductions Our Attack • Smaller key sizes than Hamming. • Disadvantage: • Rank metric: security less understood (algebraic attacks) 4 / 22

  5. Two attacks on rank metric code-based Code-Based Cryptography schemes: RankSign and an IBE scheme Thomas F finite field. Debris-Alazard and Jean-Pierre Tillich Syndrome Decoding Problem. Generalities on • Given: a matrix H ∈ F r × n with r ≤ n , a vector s ∈ F r , an Rank-Based Cryptography integer w ; LRPC-codes in RankSign � He ⊺ = s ⊺ [GMRZ13] Our Attack • Goal: find e ∈ F n , weight ( e ) = w Hamming: weight ( · ) = # non-zero components and usually F = F 2 Rank: weight ( · ) = Rank metric and F = F q m − → Probabilistic polynomial reduction (Gaborit & Zémor) to the decoding problem in Hamming metric 5 / 22

  6. Two attacks on rank metric code-based Rank Metric over F q m schemes: RankSign and an IBE scheme Thomas Debris-Alazard and Jean-Pierre Tillich • F q m is a F q -space of dimension m Generalities on Rank-Based Cryptography LRPC-codes in • x = ( x 1 , · · · , x n ) ∈ F n q m , its rank is defined as: RankSign [GMRZ13] Our Attack �� � △ Support of x : � x 1 , · · · , x n � F q = λ i x i : λ i ∈ F q ⊆ F q m i � � rank ( x ) = dim F q � x 1 , · · · , x n � F q 6 / 22

  7. Two attacks on rank metric code-based schemes: RankSign and an IBE scheme Thomas Debris-Alazard and Jean-Pierre 1 Generalities on Rank-Based Cryptography Tillich Generalities on Rank-Based Cryptography LRPC-codes in 2 LRPC-codes in RankSign [GMRZ13] RankSign [GMRZ13] Our Attack 3 Our Attack 7 / 22

  8. Two attacks on rank metric code-based Some History... schemes: RankSign and an IBE scheme Thomas Debris-Alazard and Jean-Pierre Tillich Generalities on • Gabidulin codes: first rank-codes with a polynomial decoder Rank-Based Cryptography → Strong algebraic structure... and a zillion attacks LRPC-codes in RankSign (Overbeck’05...) [GMRZ13] Our Attack • LRPC-codes: decoder introduced in [GMRZ13] → Finding the underlying structure is close to solving the syndrome decoding problem. 8 / 22

  9. Two attacks on rank metric code-based LRPC-codes [GMRZ13] schemes: RankSign and an IBE scheme Thomas • Random Code: Given some random matrix H Rand ∈ F ( n − k ) × n Debris-Alazard q m and Jean-Pierre { c : H Rand c ⊺ = 0 } Tillich Generalities on • LRPC Code: Given H LRPC = ( h i , j ) ∈ F ( n − k ) × n Rank-Based s.t Cryptography q m LRPC-codes in RankSign � � dim � h i , j : i , j � F q = small [GMRZ13] Our Attack then, ⊺ = 0 } { c LRPC : H LRPC c LRPC When H Rand = ( h i , j ) ∈ F ( n − k ) × n is random, typically when q m m < n ( n − k ) : � h i , j : i , j � F q = F q m . 9 / 22

  10. Two attacks on rank metric code-based LRPC-codes in schemes: RankSign and an IBE scheme RankSign[GRSZ14] Thomas Debris-Alazard and Jean-Pierre Tillich LRPC-codes come in RankSign with a decoder [GRSZ14]: Generalities on � H LRPC e ⊺ = s ⊺ Rank-Based Cryptography ∀ s , it computes polynomially e s.t rank ( e ) = w LRPC-codes in RankSign [GMRZ13] • Constraint RankSign: H LRPC = ( h i , j ) ∈ F ( n − k ) × n Our Attack s.t q m � � ( n − k ) dim � h i , j : i , j � F q = n Problem: Rows of H LRPC gives words of low weight... → A masking is needed! 10 / 22

  11. Two attacks on rank metric code-based Masking LRPC-codes in schemes: RankSign and an IBE scheme RankSign Thomas Debris-Alazard and Jean-Pierre Tillich In RankSign [GRSZ14]: Generalities on Rank-Based Cryptography LRPC-codes in • Increase the weight of rows: [ H LRPC | R ] for R random; RankSign [GMRZ13] Our Attack • Change the code: [ H LRPC | R ] P for P invertible in F q . • Change the basis: Q [ H LRPC | R ] P for Q invertible; △ H pub = Q [ H LRPC | R ] P : public key 11 / 22

  12. Two attacks on rank metric code-based schemes: RankSign and an IBE scheme Thomas Debris-Alazard and Jean-Pierre 1 Generalities on Rank-Based Cryptography Tillich Generalities on Rank-Based Cryptography LRPC-codes in 2 LRPC-codes in RankSign [GMRZ13] RankSign [GMRZ13] Our Attack 3 Our Attack 12 / 22

  13. Two attacks on rank metric code-based Idea of the Attack schemes: RankSign and an IBE scheme Thomas Debris-Alazard and Jean-Pierre Tillich Generalities on Rank-Based To look for low weight codewords... where? Cryptography LRPC-codes in RankSign △ [GMRZ13] • Suspect: C ⊥ = { mH pub : m ∈ F q m } ; pub Our Attack = { c : H pub c ⊺ = 0 } . △ • Real Problem: C pub 13 / 22

  14. Two attacks on rank metric code-based Low Rank Codewords in an schemes: RankSign and an IBE scheme LRPC? Thomas Debris-Alazard and H LRPC = ( h i , j ) ∈ F ( n − k ) × n with � h i , j : i , j � F q = F Jean-Pierre q m Tillich c = ( c j ) ∈ F n q m Generalities on Rank-Based n Cryptography H LRPC c ⊺ = 0 ⇐ � ⇒ ∀ i ∈ � 1 , n − k � , h i , j c j = 0 LRPC-codes in RankSign j = 1 [GMRZ13] Our Attack 14 / 22

  15. Two attacks on rank metric code-based Low Rank Codewords in an schemes: RankSign and an IBE scheme LRPC? Thomas Debris-Alazard and H LRPC = ( h i , j ) ∈ F ( n − k ) × n with � h i , j : i , j � F q = F Jean-Pierre q m Tillich c = ( c j ) ∈ F n q m Generalities on Rank-Based n Cryptography H LRPC c ⊺ = 0 ⇐ � ⇒ ∀ i ∈ � 1 , n − k � , h i , j c j = 0 LRPC-codes in RankSign j = 1 [GMRZ13] Our Attack Suppose that � c 1 , · · · , c n � F q = F ′ n h i , j c j ∈ F ′ · F △ = � f ′ f : f ′ ∈ F ′ , f ∈ F � F q � ∀ i ∈ � 1 , n − k � , j = 1 This gives a linear system in F q with • ( n − k ) dim F q ( F · F ′ ) equations; • n dim F q ( F ′ ) unknowns. → We would like # Unknowns > # Equations to ensure the existence of solutions 14 / 22

  16. Two attacks on rank metric ... But How to Choose F ′ ? code-based schemes: RankSign and an IBE scheme Thomas Debris-Alazard and What we want: Jean-Pierre Tillich n dim F q ( F ′ ) > ( n − k ) dim F q ( F · F ′ ) Generalities on Rank-Based Cryptography LRPC-codes in RankSign What we typically have: [GMRZ13] Our Attack n dim F q ( F ′ ) =( n − k ) dim F q ( F · F ′ ) Because, � dim F q ( F · F ′ ) = dim F q ( F ) dim F q ( F ′ ) (typically) ( n − k ) dim ( F ) = n (RankSign). 15 / 22

  17. Two attacks on rank metric The Subspace F · F ′ code-based schemes: RankSign and an IBE scheme △ = � x 1 , · · · , x d � F q ( F = � h i , j : i , j � F q ) F Thomas Debris-Alazard and Let F ′ △ Jean-Pierre = � x 1 , x 2 � F q ⊆ F . Tillich F · F ′ = � x 2 1 , x 1 x 2 , · · · , x 1 x d , x 2 x 1 , x 2 2 , · · · , x 2 x d � F q . Generalities on Rank-Based Cryptography ⇒ dim ( F · F ′ ) ≤ 2 d − 1 LRPC-codes in RankSign Therefore, [GMRZ13] Our Attack # Unknowns − # Equations = n dim F q ( F ′ ) − ( n − k ) dim F q ( F · F ′ ) = 2 n − ( n − k )( 2 d − 1 ) 16 / 22

  18. Two attacks on rank metric The Subspace F · F ′ code-based schemes: RankSign and an IBE scheme △ = � x 1 , · · · , x d � F q ( F = � h i , j : i , j � F q ) F Thomas Debris-Alazard and Let F ′ △ Jean-Pierre = � x 1 , x 2 � F q ⊆ F . Tillich F · F ′ = � x 2 1 , x 1 x 2 , · · · , x 1 x d , x 2 x 1 , x 2 2 , · · · , x 2 x d � F q . Generalities on Rank-Based Cryptography ⇒ dim ( F · F ′ ) ≤ 2 d − 1 LRPC-codes in RankSign Therefore, [GMRZ13] Our Attack # Unknowns − # Equations = n dim F q ( F ′ ) − ( n − k ) dim F q ( F · F ′ ) = 2 n − ( n − k )( 2 d − 1 ) Constraint in RankSign: n = ( n − k ) d which gives: # Unknowns − # Equations = 2 ( n − k ) d − ( n − k )( 2 d − 1 ) = n − k > 0 16 / 22

Recommend

OUROBOROS-R, an IND-CPA KEM based on Rank Metric NIST First Post-Quantum Cryptography

OUROBOROS-R, an IND-CPA KEM based on Rank Metric NIST First Post-Quantum Cryptography

Presentation of the rank metric Description of the scheme Security and parameters OUROBOROS-R, an IND-CPA KEM based on Rank Metric NIST First Post-Quantum Cryptography Standardization Conference Carlos AguilarMelchor 2 Nicolas Aragon 1 Slim

157 views • 15 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
A new family of maximum rank distance codes or: Maximum rank distance codes and finite semifields

A new family of maximum rank distance codes or: Maximum rank distance codes and finite semifields

A new family of maximum rank distance codes or: Maximum rank distance codes and finite semifields John Sheekey Universiteit Gent, Belgium Alcoma, March 2015 Rank metric codes A rank metric code is a set C M n ( F ) of n n matrices over

963 views • 92 slides
Maximum rank distance codes: constructions, classifications, and applications John Sheekey UCD,

Maximum rank distance codes: constructions, classifications, and applications John Sheekey UCD,

Maximum rank distance codes: constructions, classifications, and applications John Sheekey UCD, Dublin, Ireland Dagstuhl, August 2016 Rank metric codes A rank metric code is a set C M m n ( F q ) of m n matrices ( m n ) over F q

1.02k views • 85 slides
Introduction to rank-based cryptography Philippe Gaborit University of Limoges, France ASCRYPTO

Introduction to rank-based cryptography Philippe Gaborit University of Limoges, France ASCRYPTO

Rank codes : definitions and basic properties Decoding in rank metric Complexity issues : decoding random rank codes Encryption Authentication and signature Introduction to rank-based cryptography Philippe Gaborit University of Limoges,

1.56k views • 115 slides
Maximum rank distance codes and finite semifields John Sheekey Universiteit Gent, Belgium

Maximum rank distance codes and finite semifields John Sheekey Universiteit Gent, Belgium

Maximum rank distance codes and finite semifields John Sheekey Universiteit Gent, Belgium Banff, January 2015 Rank metric codes A rank metric code is a set C M n ( F ) of n n matrices over a field F with the distance function d ( X , Y )

830 views • 82 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Universit e de

Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Universit e de

Cryptographic applications of codes in rank metric Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Universit e de Rennes Pierre.Loidreau@m4x.org June 16th, 2009 Cryptographic applications of codes in rank

498 views • 33 slides
Rank Metric Codes and related Structures Yue Zhou July 5, 2017 The 2nd International Workshop on

Rank Metric Codes and related Structures Yue Zhou July 5, 2017 The 2nd International Workshop on

Rank Metric Codes and related Structures Yue Zhou July 5, 2017 The 2nd International Workshop on Boolean Functions and their Applications (BFA) Outline Introduction Maximum rank distance codes Quadratic bent-Negabent functions Vectorial

2.09k views • 179 slides
2 3 4 5 8 9 MINNEAPOLIS MILWAUKEE MSA RANK #16 MSA RANK #39 CHICAGO MSA RANK #3

2 3 4 5 8 9 MINNEAPOLIS MILWAUKEE MSA RANK #16 MSA RANK #39 CHICAGO MSA RANK #3

2 3 4 5 8 9 MINNEAPOLIS MILWAUKEE MSA RANK #16 MSA RANK #39 CHICAGO MSA RANK #3 INDIANAPOLIS MSA RANK #34 DETROIT MSA RANK #14 COLUMBUS MSA RANK #33 BALTIMORE/ DC CORRIDOR MSA RANK #21 CINCINNATI MSA RANK #28 ATLANTA MSA RANK

726 views • 44 slides
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks Keaton Mowery (UC

Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks Keaton Mowery (UC

Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks Keaton Mowery (UC San Diego) Sarah Meiklejohn (UC San Diego) Stefan Savage (UC San Diego) 1 Code-based access control 2 Code-based access control 2 Code-based

1.2k views • 102 slides
Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien Lavauzelle , Pierre Loidreau,

Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien Lavauzelle , Pierre Loidreau,

Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien Lavauzelle , Pierre Loidreau, Ba-Duc Pham IRMAR, Universit de Rennes 1 Groupe de travail cryptographie base de codes 25/11/2019 Introduction Goal: design a new public-key

1.11k views • 68 slides
Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography 2019.08.28 Bo-Yeon Sim 1 ,

Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography 2019.08.28 Bo-Yeon Sim 1 ,

Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography 2019.08.28 Bo-Yeon Sim 1 , , Jihoon Kwon 2 , Kyu Young Choi 2 , Jihoon Cho 2 , Aesun Park 3, , and Dong-Guk Han 1,3, 1 Department of Mathematics, Kookmin University,

881 views • 58 slides
Shortest Path Similar Routing 2 A New Metric A new metric path- based metric that can use used

Shortest Path Similar Routing 2 A New Metric A new metric path- based metric that can use used

R outing S tate D istance: A Path-based Metric for Network Analysis Gonca Grsun joint work with joint work with Natali Ruchansky, Evimaria Terzi, Mark Crovella Distance Metrics for Analyzing Routing Shortest Path Similar Routing 2 A New

1.43k views • 48 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina Dartmouth T rust Lab Outline Code re-use: unexpected computation, programming models Containing computation: Coarse intent-based ABI-level

487 views • 27 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Metric spaces and computability theory Andr e Nies SDF 60, Vienna Handout version 1/20

Metric spaces and computability theory Andr e Nies SDF 60, Vienna Handout version 1/20

Metric spaces and computability theory Andr e Nies SDF 60, Vienna Handout version 1/20 Abstract We study similarity of Polish metric spaces. We consider the Scott rank, both for Eclassical and for continuous logic. The former is

243 views • 20 slides
Metric Conversions Ladder Method T. Trimpe 2008 http://sciencespot.net/ Metric System The

Metric Conversions Ladder Method T. Trimpe 2008 http://sciencespot.net/ Metric System The

Metric Conversions Ladder Method T. Trimpe 2008 http://sciencespot.net/ Metric System The metric system is based on a base unit that corresponds to a certain kind of measurement Length = meter Volume = liter Weight (Mass) =

293 views • 11 slides
McNie NIST Submission Jon-Lark Kim Sogang University, S. Korea PQCRYPTO Workshop, Taipei June

McNie NIST Submission Jon-Lark Kim Sogang University, S. Korea PQCRYPTO Workshop, Taipei June

McNie NIST Submission Jon-Lark Kim Sogang University, S. Korea PQCRYPTO Workshop, Taipei June 29 2018 Outline McNie: a new code-based cryptography 1 General algorithm specification 2 Key generation Encryption Decryption Rank metric

457 views • 25 slides
R Packages for Rank-based Estimates John Kloke 1 Joseph McKean 2 1 University of Wisconsin -

R Packages for Rank-based Estimates John Kloke 1 Joseph McKean 2 1 University of Wisconsin -

R Packages for Rank-based Estimates John Kloke 1 Joseph McKean 2 1 University of Wisconsin - Madison 2 Western Michigan University 10 July 2013 Kloke, McKean R Packages for Rank-based Estimates Outline Rank-based (R) estimation for linear

529 views • 20 slides
Crap4J Nigel talking crap as usual .... Code Complexity Metric McCabes Cyclomatic

Crap4J Nigel talking crap as usual .... Code Complexity Metric McCabes Cyclomatic

Crap4J Nigel talking crap as usual .... Code Complexity Metric McCabes Cyclomatic Complexity measures number of paths through the source code Measured using static analysis Studies have shown CC &gt;10 has higher risk of defects

884 views • 11 slides

More recommend