A new rank metric codes based cryptosystem

A new rank metric codes based cryptosystem


Pierre Loidreau

DGA MI and IRMAR, Université de Rennes 1

PQCrypto 2017, June 26th


Motivations

Post-Quantum cryptography

Multivariate cryptographyHash-based cryptographyIsogenies based cryptographyDecoding based cryptography

Lattices

Codes

⇒ Rank metric codes based

Smaller keys for a given security targetAnother alternative to Hamming metric or Euclidian metricbased primitives.


1 Why rank metric ?

2 Gabidulin codes and GPT encryption scheme

3 An evolution of Gabidulin codes based cryptography

4 Conclusion and perspectives


Why rank metric ?

1 Why rank metric ?





Why rank metric ?

In theory

Code-Based Encryption: solving general decoding problems inthe metric is hard

In Hamming metric: Dec-Bounded Distance Decoding isNP-complete, [BMvT78]

Rank metric decoding related to two dicult problems:

MinRank, NP-completeDec-Rank Syndrome Decoding in ZPP ⇒ ZPP=NP, [GZ15]


Why rank metric ?

In practice

Consider a random [n,Rn]-code over F2n ,

Decoding errors of rank δn, [GRS16]: 2calgo(δ)n2+Ω(log(n))

Decoding errors of Hamming weight δn: 2calgo(δ)n+o(1)

Dec. Complex. Ham. Met. Gen. Mat. Rank Met. Gen. Mat.2128 [2400, 2006, 58]2 ≈ 100 KB [48, 39, 4]248 ≈ 2.2 KB

2256 [4150, 3307, 132]2 ≈ 350 KB [70, 50, 5]270 ≈ 8.7 KB

Table: Decoding complexity on classical computer, [CTS16]

⇒ Rank metric provides better security/size tradeo⇒ In PQ-world, exponential complexity is square-rooted, [GHT16]


Why rank metric ?

Rank metric, [Gab85]

Denition

γ1, . . . , γm, a basis of F2m/F2,

e = (e1, . . . , en) ∈ (F2m)n, ei 7→ (ei1, . . . , ein),

∀e ∈ (F2m)n , Rk(e)

def= Rk

e11 · · · e1n...

. . ....

em1 · · · emn

[n, k , d ]r code: C ⊂ Fn

2m , k-dimensional, d = minc6=0∈C Rk(c)

Singleton property d − 1 ≤ n − k (if n ≤ m)

Rk(e) = t ⇔ ∃V ⊂ F2m , s.t. dim2(V) = t and ei ∈ V, ∀i


Why rank metric ?

Example

e =

1 1 0 1 01 0 1 0 11 0 1 0 10 1 1 1 11 1 0 1 0

In F25 we have e = (α, β, α+ β, β, α+ β)

Hamming weight: 5

Rank: 2


Why rank metric ?

Rank metric codes based encryption

Key generation

Private-key

C a [n, k, d ]r t-rank error decodable code over F2m

L : Fn2m 7→ Fn

2m , s.t.

L is vector-space isomorphism

L is a rank isometry

Public-key: Cpub = L−1(C).Process

Encryption: y = c ∈ Cpub + e, where Rk(e) ≤ t

Decryption: L(y) = L(c) ∈ C + L(e)Decode⇒ c


Gabidulin codes and GPT encryption scheme

1 Why rank metric ?






Gabidulin codes, [Gab85]

Denition (Gabidulin codes)

Let g = (g1, . . . , gn) ∈ (F2m)n, F2-l.i., [i ]

def= 2i

Gabk(g) = 〈G〉, where G =

g1 · · · gn...

. . ....

g[k−1]1 · · · g

[k−1]n

Properties of Gabk(g)

Optimal [n, k, d ]r codes for rank metric: n − k = d − 1P-time quadratic decoding up to t = b(n − k)/2c, [Gab85]

Suciently scrambled ⇒ McEliece-like cryptosystems.



Rise and fall of GPT encryption -

[GPT91, Ksh07, RGH10, OKN16]

Linear rank preserving isometries of Fn2m : P ∈ Mn(F2)

Since Gabk(g)P = Gabk(gP) ⇒ Necessity of scrambling

But1 For any published reparation, always possible to write

Gpub = S1(X1 | G1︸︷︷︸Gabk (g1)

)P∗, P∗ ∈ Mn(F2)

2 ⇒ Stability through g 7→ g [i ],

(Gpub)[i ] = S

[i ]1

(X

[i ]1 | G

[i ]1

)P∗

3 ⇒ Apply Overbeck's like attacks



How to strengthen ?

Find less structured codes for rank metric

Use of subeld subcodes ? Not sucient !,[GL08]

Find a new way to mask the structure

SimpleEcientConvincing


An evolution of Gabidulin codes based cryptography

1 Why rank metric ?






A novel idea: LRPC codes, [GMRZ13]

Let V ⊂ F2m a λ dimensional F2-subspace

Let L ⊂ Fn2m , [n, k , d ]r -code with parity-check H of low rank:

H ∈ V(n−k)×n ⊂ F(n−k)×n2m

Decoding y = c+ e, e ∈ En where dim2(E) ≤ t1 Since e ∈ En ⇒ yHt = eHt ⊂ (E · V)n−k

2 (E · V) def= 〈αβ, α ∈ E , β ∈ V〉 ⇒ dim2(E · V) ≤ tλ

3 If tλ ≤ n − k, knowing V ⇒ recovers E from (E · V)

⇒ LRPC based encryption was designed



Mixing the ideas

Weaknesses and strengths

Gabidulin codes:

Advantages: ecient deterministic decodingDrawbacks: too much structured

LRPC codes:

Advantages: not structuredDrawbacks: probabilistic decoding with failure 2−(n−k−λt)

Questions about attacks on MDPC's.

⇒ use rank multiplication to scramble structure of Gabidulin codes



The new encryption scheme

Proposition

Let V ⊂ F2m with dim2(V) = λ, and let P ∈ Mn(V), then

∀x ∈ Fn2m , Rk(xP) ≤ λRk(x)

Private-key:

Gabk(g)V = 〈α1, . . . , αλ〉2, λ-dimensionalP ∈ Mn(V)

Public-key: Cpub = Gabk(g)P−1

Encryption: y = c ∈ Cpub + e, where Rk(e) ≤ b(n − k)/(2λ)cDecryption: yP = cP ∈ C + eP, where Rk(eP) ≤ b(n − k)/2c



Security arguments

Indistinguishability of the public-code:

V not 2-stable ⇒ Gabk(g)P−1 6= Gabk(gP

−1):

Cpub and C[i ]pub, behave independently

Complexity evaluation: Harder than enumerating λ− 1dimensional subspaces in F2m :

> 2m(λ−1)−(λ−1)2

⇒ it is a OWE (One-Way Encryption)

If λ(n − k) ≥ n, (Couvreur, Coggia)



How to choose the parameters

For a given security parameter s:

Choose m, λ ≥ 2, s.t. 2m(λ−1)−(λ−1)2 > 2s

Choose k, n s.t. solving BDR(b(n − k)/2λc) > 2s

Check that λ(n − k) ≥ n



Proposition of parameters

Param. Dec. PQ K. Rec. Key

m = n = 50, k = 32, λ = 3, t = 3 ≈ 281 ≈ 249 ≈ 296 3.6 KB

m = 96, n = 64, k = 40, λ = 3, t = 4 ≈ 2139 ≈ 280 ≈ 2188 11.5 KB

m = n = 112, k = 80, λ = 4, t = 4 ≈ 2259 ≈ 2139 ≈ 2327 36 KB

Key-size for McEliece with Goppa codes: ≈ 850 KB for 128bits PQ-security, [AB315]

Key-size factor gain: ≈ 23


Conclusion and perspectives

1 Why rank metric ?






Perspectives

Reducing key-size by some structural property

Thorough study of the security of the system

Designing additional cryptographic services



Why do we believe in the design

Choice of V: Similar to subcodes in Hamming metric

For adequate parameters: Distinguishing the public-key isdicult.

Versatility of the parameters



References I

Initial recommendations of long-term secure post-quantumsystems.Technical report, 2015.http://pqcrypto.eu.org/docs/initial-recommendations.pdf.

E. Berlekamp, R. J. McEliece, and H. van Tilborg.On the inherent intractability of certain coding problems.IEEE Trans. Inform. Theory, 24(3):384386, May 1978.

R. Canto-Torres and N. Sendrier.Analysis of information set decoding for a sub-linear errorweight.In Post-Quantum Cryptography 2016, Lecture Notes inComput. Sci., pages 144161, Fukuoka, Japan, February 2016.



References II

E. M. Gabidulin.Theory of codes with maximum rank distance.Probl. Inf. Transm., 21(1):316, 1985.

P. Gaborit, A. Hauteville, and J.-P. Tillich.Ranksynd a PRNG based on rank metric.In Post-Quantum Cryptography 2016, pages 1828, February2016.

E. M. Gabidulin and P. Loidreau.Properties of subspace subcodes of Gabidulin codes.Adv. in Math. of Comm., 2(2):147157, 2008.



References III

P. Gaborit, G. Murat, O. Ruatta, and G. Zémor.Low rank parity check codes and their application tocryptography.In Proceedings of the Workshop on Coding and Cryptography

WCC'2013, Bergen, Norway, 2013.Available onwww.selmer.uib.no/WCC2013/pdfs/Gaborit.pdf.

E. M. Gabidulin, A. V. Paramonov, and O. V. Tretjakov.Ideals over a non-commutative ring and their applications tocryptography.In Advances in Cryptology - EUROCRYPT'91, number 547 inLecture Notes in Comput. Sci., pages 482489, Brighton, April1991.



References IV

P. Gaborit, O. Ruatta, and J. Schrek.On the complexity of the rank syndrome decoding problem.IEEE Trans. Information Theory, 62(2):10061019, 2016.

P. Gaborit and G. Zémor.On the hardness of the decoding and the minimum distanceproblems for rank codes.IEEE Trans. Inform. Theory, 62(12):72457252, 2015.

A. Kshevetskiy.Security of GPT-like public-key cryptosystems based on linearrank codes.In 3rd International Workshop on Signal Design and Its

Applications in Communications, IWSDA 2007, 2007.



References V

A. May and I. Ozerov.On Computing Nearest Neighbors with Applications toDecoding of Binary Linear Codes.In E. Oswald and M. Fischlin, editors, Advances in Cryptology -

EUROCRYPT 2015, volume 9056, pages 203228, 2015.

A. Otmani, H. T. Kalashi, and S. Ndjeya.Improved cryptanalysis of rank metric schemes based onGabidulin codes.http://arxiv.org/abs/1602.08549v1, 2016.

H. Rashwan, E. M. Gabidulin, and B. Honary.A smart approach for GPT cryptosystem based on rank codes.In Proc. IEEE Int. Symposium Inf. Theory - ISIT, pages24632467, 2010.

Documents

A new rank metric codes based cryptosystem