Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
A new rank metric codes based cryptosystem
A new rank metric codes based cryptosystem
Pierre Loidreau
DGA MI and IRMAR, Université de Rennes 1
PQCrypto 2017, June 26th
A new rank metric codes based cryptosystem
Motivations
Post-Quantum cryptography
Multivariate cryptographyHash-based cryptographyIsogenies based cryptographyDecoding based cryptography
Lattices
Codes
⇒ Rank metric codes based
Smaller keys for a given security targetAnother alternative to Hamming metric or Euclidian metricbased primitives.
A new rank metric codes based cryptosystem
1 Why rank metric ?
2 Gabidulin codes and GPT encryption scheme
3 An evolution of Gabidulin codes based cryptography
4 Conclusion and perspectives
A new rank metric codes based cryptosystem
Why rank metric ?
1 Why rank metric ?
2 Gabidulin codes and GPT encryption scheme
3 An evolution of Gabidulin codes based cryptography
4 Conclusion and perspectives
A new rank metric codes based cryptosystem
Why rank metric ?
In theory
Code-Based Encryption: solving general decoding problems inthe metric is hard
In Hamming metric: Dec-Bounded Distance Decoding isNP-complete, [BMvT78]
Rank metric decoding related to two dicult problems:
MinRank, NP-completeDec-Rank Syndrome Decoding in ZPP ⇒ ZPP=NP, [GZ15]
A new rank metric codes based cryptosystem
Why rank metric ?
In practice
Consider a random [n,Rn]-code over F2n ,
Decoding errors of rank δn, [GRS16]: 2calgo(δ)n2+Ω(log(n))
Decoding errors of Hamming weight δn: 2calgo(δ)n+o(1)
Dec. Complex. Ham. Met. Gen. Mat. Rank Met. Gen. Mat.2128 [2400, 2006, 58]2 ≈ 100 KB [48, 39, 4]248 ≈ 2.2 KB
2256 [4150, 3307, 132]2 ≈ 350 KB [70, 50, 5]270 ≈ 8.7 KB
Table: Decoding complexity on classical computer, [CTS16]
⇒ Rank metric provides better security/size tradeo⇒ In PQ-world, exponential complexity is square-rooted, [GHT16]
A new rank metric codes based cryptosystem
Why rank metric ?
Rank metric, [Gab85]
Denition
γ1, . . . , γm, a basis of F2m/F2,
e = (e1, . . . , en) ∈ (F2m)n, ei 7→ (ei1, . . . , ein),
∀e ∈ (F2m)n , Rk(e)
def= Rk
e11 · · · e1n...
. . ....
em1 · · · emn
[n, k , d ]r code: C ⊂ Fn
2m , k-dimensional, d = minc6=0∈C Rk(c)
Singleton property d − 1 ≤ n − k (if n ≤ m)
Rk(e) = t ⇔ ∃V ⊂ F2m , s.t. dim2(V) = t and ei ∈ V, ∀i
A new rank metric codes based cryptosystem
Why rank metric ?
Example
e =
1 1 0 1 01 0 1 0 11 0 1 0 10 1 1 1 11 1 0 1 0
In F25 we have e = (α, β, α+ β, β, α+ β)
Hamming weight: 5
Rank: 2
A new rank metric codes based cryptosystem
Why rank metric ?
Rank metric codes based encryption
Key generation
Private-key
C a [n, k, d ]r t-rank error decodable code over F2m
L : Fn2m 7→ Fn
2m , s.t.
L is vector-space isomorphism
L is a rank isometry
Public-key: Cpub = L−1(C).Process
Encryption: y = c ∈ Cpub + e, where Rk(e) ≤ t
Decryption: L(y) = L(c) ∈ C + L(e)Decode⇒ c
A new rank metric codes based cryptosystem
Gabidulin codes and GPT encryption scheme
1 Why rank metric ?
2 Gabidulin codes and GPT encryption scheme
3 An evolution of Gabidulin codes based cryptography
4 Conclusion and perspectives
A new rank metric codes based cryptosystem
Gabidulin codes and GPT encryption scheme
Gabidulin codes, [Gab85]
Denition (Gabidulin codes)
Let g = (g1, . . . , gn) ∈ (F2m)n, F2-l.i., [i ]
def= 2i
Gabk(g) = 〈G〉, where G =
g1 · · · gn...
. . ....
g[k−1]1 · · · g
[k−1]n
Properties of Gabk(g)
Optimal [n, k, d ]r codes for rank metric: n − k = d − 1P-time quadratic decoding up to t = b(n − k)/2c, [Gab85]
Suciently scrambled ⇒ McEliece-like cryptosystems.
A new rank metric codes based cryptosystem
Gabidulin codes and GPT encryption scheme
Rise and fall of GPT encryption -
[GPT91, Ksh07, RGH10, OKN16]
Linear rank preserving isometries of Fn2m : P ∈ Mn(F2)
Since Gabk(g)P = Gabk(gP) ⇒ Necessity of scrambling
But1 For any published reparation, always possible to write
Gpub = S1(X1 | G1︸︷︷︸Gabk (g1)
)P∗, P∗ ∈ Mn(F2)
2 ⇒ Stability through g 7→ g [i ],
(Gpub)[i ] = S
[i ]1
(X
[i ]1 | G
[i ]1
)P∗
3 ⇒ Apply Overbeck's like attacks
A new rank metric codes based cryptosystem
Gabidulin codes and GPT encryption scheme
How to strengthen ?
Find less structured codes for rank metric
Use of subeld subcodes ? Not sucient !,[GL08]
Find a new way to mask the structure
SimpleEcientConvincing
A new rank metric codes based cryptosystem
An evolution of Gabidulin codes based cryptography
1 Why rank metric ?
2 Gabidulin codes and GPT encryption scheme
3 An evolution of Gabidulin codes based cryptography
4 Conclusion and perspectives
A new rank metric codes based cryptosystem
An evolution of Gabidulin codes based cryptography
A novel idea: LRPC codes, [GMRZ13]
Let V ⊂ F2m a λ dimensional F2-subspace
Let L ⊂ Fn2m , [n, k , d ]r -code with parity-check H of low rank:
H ∈ V(n−k)×n ⊂ F(n−k)×n2m
Decoding y = c+ e, e ∈ En where dim2(E) ≤ t1 Since e ∈ En ⇒ yHt = eHt ⊂ (E · V)n−k
2 (E · V) def= 〈αβ, α ∈ E , β ∈ V〉 ⇒ dim2(E · V) ≤ tλ
3 If tλ ≤ n − k, knowing V ⇒ recovers E from (E · V)
⇒ LRPC based encryption was designed
A new rank metric codes based cryptosystem
An evolution of Gabidulin codes based cryptography
Mixing the ideas
Weaknesses and strengths
Gabidulin codes:
Advantages: ecient deterministic decodingDrawbacks: too much structured
LRPC codes:
Advantages: not structuredDrawbacks: probabilistic decoding with failure 2−(n−k−λt)
Questions about attacks on MDPC's.
⇒ use rank multiplication to scramble structure of Gabidulin codes
A new rank metric codes based cryptosystem
An evolution of Gabidulin codes based cryptography
The new encryption scheme
Proposition
Let V ⊂ F2m with dim2(V) = λ, and let P ∈ Mn(V), then
∀x ∈ Fn2m , Rk(xP) ≤ λRk(x)
Private-key:
Gabk(g)V = 〈α1, . . . , αλ〉2, λ-dimensionalP ∈ Mn(V)
Public-key: Cpub = Gabk(g)P−1
Encryption: y = c ∈ Cpub + e, where Rk(e) ≤ b(n − k)/(2λ)cDecryption: yP = cP ∈ C + eP, where Rk(eP) ≤ b(n − k)/2c
A new rank metric codes based cryptosystem
An evolution of Gabidulin codes based cryptography
Security arguments
Indistinguishability of the public-code:
V not 2-stable ⇒ Gabk(g)P−1 6= Gabk(gP
−1):
Cpub and C[i ]pub, behave independently
Complexity evaluation: Harder than enumerating λ− 1dimensional subspaces in F2m :
> 2m(λ−1)−(λ−1)2
⇒ it is a OWE (One-Way Encryption)
If λ(n − k) ≥ n, (Couvreur, Coggia)
A new rank metric codes based cryptosystem
An evolution of Gabidulin codes based cryptography
How to choose the parameters
For a given security parameter s:
Choose m, λ ≥ 2, s.t. 2m(λ−1)−(λ−1)2 > 2s
Choose k, n s.t. solving BDR(b(n − k)/2λc) > 2s
Check that λ(n − k) ≥ n
A new rank metric codes based cryptosystem
An evolution of Gabidulin codes based cryptography
Proposition of parameters
Param. Dec. PQ K. Rec. Key
m = n = 50, k = 32, λ = 3, t = 3 ≈ 281 ≈ 249 ≈ 296 3.6 KB
m = 96, n = 64, k = 40, λ = 3, t = 4 ≈ 2139 ≈ 280 ≈ 2188 11.5 KB
m = n = 112, k = 80, λ = 4, t = 4 ≈ 2259 ≈ 2139 ≈ 2327 36 KB
Key-size for McEliece with Goppa codes: ≈ 850 KB for 128bits PQ-security, [AB315]
Key-size factor gain: ≈ 23
A new rank metric codes based cryptosystem
Conclusion and perspectives
1 Why rank metric ?
2 Gabidulin codes and GPT encryption scheme
3 An evolution of Gabidulin codes based cryptography
4 Conclusion and perspectives
A new rank metric codes based cryptosystem
Conclusion and perspectives
Perspectives
Reducing key-size by some structural property
Thorough study of the security of the system
Designing additional cryptographic services
A new rank metric codes based cryptosystem
Conclusion and perspectives
Why do we believe in the design
Choice of V: Similar to subcodes in Hamming metric
For adequate parameters: Distinguishing the public-key isdicult.
Versatility of the parameters
A new rank metric codes based cryptosystem
Conclusion and perspectives
References I
Initial recommendations of long-term secure post-quantumsystems.Technical report, 2015.http://pqcrypto.eu.org/docs/initial-recommendations.pdf.
E. Berlekamp, R. J. McEliece, and H. van Tilborg.On the inherent intractability of certain coding problems.IEEE Trans. Inform. Theory, 24(3):384386, May 1978.
R. Canto-Torres and N. Sendrier.Analysis of information set decoding for a sub-linear errorweight.In Post-Quantum Cryptography 2016, Lecture Notes inComput. Sci., pages 144161, Fukuoka, Japan, February 2016.
A new rank metric codes based cryptosystem
Conclusion and perspectives
References II
E. M. Gabidulin.Theory of codes with maximum rank distance.Probl. Inf. Transm., 21(1):316, 1985.
P. Gaborit, A. Hauteville, and J.-P. Tillich.Ranksynd a PRNG based on rank metric.In Post-Quantum Cryptography 2016, pages 1828, February2016.
E. M. Gabidulin and P. Loidreau.Properties of subspace subcodes of Gabidulin codes.Adv. in Math. of Comm., 2(2):147157, 2008.
A new rank metric codes based cryptosystem
Conclusion and perspectives
References III
P. Gaborit, G. Murat, O. Ruatta, and G. Zémor.Low rank parity check codes and their application tocryptography.In Proceedings of the Workshop on Coding and Cryptography
WCC'2013, Bergen, Norway, 2013.Available onwww.selmer.uib.no/WCC2013/pdfs/Gaborit.pdf.
E. M. Gabidulin, A. V. Paramonov, and O. V. Tretjakov.Ideals over a non-commutative ring and their applications tocryptography.In Advances in Cryptology - EUROCRYPT'91, number 547 inLecture Notes in Comput. Sci., pages 482489, Brighton, April1991.
A new rank metric codes based cryptosystem
Conclusion and perspectives
References IV
P. Gaborit, O. Ruatta, and J. Schrek.On the complexity of the rank syndrome decoding problem.IEEE Trans. Information Theory, 62(2):10061019, 2016.
P. Gaborit and G. Zémor.On the hardness of the decoding and the minimum distanceproblems for rank codes.IEEE Trans. Inform. Theory, 62(12):72457252, 2015.
A. Kshevetskiy.Security of GPT-like public-key cryptosystems based on linearrank codes.In 3rd International Workshop on Signal Design and Its
Applications in Communications, IWSDA 2007, 2007.
A new rank metric codes based cryptosystem
Conclusion and perspectives
References V
A. May and I. Ozerov.On Computing Nearest Neighbors with Applications toDecoding of Binary Linear Codes.In E. Oswald and M. Fischlin, editors, Advances in Cryptology -
EUROCRYPT 2015, volume 9056, pages 203228, 2015.
A. Otmani, H. T. Kalashi, and S. Ndjeya.Improved cryptanalysis of rank metric schemes based onGabidulin codes.http://arxiv.org/abs/1602.08549v1, 2016.
H. Rashwan, E. M. Gabidulin, and B. Honary.A smart approach for GPT cryptosystem based on rank codes.In Proc. IEEE Int. Symposium Inf. Theory - ISIT, pages24632467, 2010.