OUROBOROS-R, an IND-CPA KEM based on Rank Metric (NIST First Post-Quantum Cryptography Standardization Conference, presentation slides)



SLIDE 1

Presentation of the rank metric Description of the scheme Security and parameters

OUROBOROS-R, an IND-CPA KEM based on Rank Metric

NIST First Post-Quantum Cryptography Standardization Conference

Carlos Aguilar Melchor (2), Nicolas Aragon (1), Slim Bettaieb (5), Loïc Bidoux (5), Olivier Blazy (1), Jean-Christophe Deneuville (1,4), Philippe Gaborit (1), Adrien Hauteville (1), Gilles Zémor (3)

(1) University of Limoges, XLIM-DMI, France; (2) ISAE-SUPAERO, Toulouse, France; (3) IMB, University of Bordeaux; (4) INSA-CVL, Bourges, France; (5) Worldline, France.

SLIDE 2

1 Presentation of the rank metric
2 Description of the scheme
3 Security and parameters

SLIDE 3

Rank Metric

We only consider codes with coefficients in $\mathbb{F}_{q^m}$. Let $\beta_1, \dots, \beta_m$ be a basis of $\mathbb{F}_{q^m}/\mathbb{F}_q$. To each vector $x \in \mathbb{F}_{q^m}^n$ we can associate a matrix $M_x$:

$$x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n \;\leftrightarrow\; M_x = \begin{pmatrix} x_{11} & \dots & x_{1n} \\ \vdots & \ddots & \vdots \\ x_{m1} & \dots & x_{mn} \end{pmatrix} \in \mathbb{F}_q^{m \times n}$$

such that $x_j = \sum_{i=1}^{m} x_{ij}\,\beta_i$ for each $j \in [1..n]$.

Definition. $d_R(x, y) = \mathrm{Rank}(M_x - M_y)$ and $|x|_r = \mathrm{Rank}\, M_x$.

SLIDE 4

Support of a Word

Definition. The support of a word is the $\mathbb{F}_q$-subspace generated by its coordinates: $\mathrm{Supp}(x) = \langle x_1, \dots, x_n \rangle_{\mathbb{F}_q}$.

Number of supports of weight $w$:

- Rank metric: $\binom{m}{w}_q \approx q^{w(m-w)}$
- Hamming metric: $\binom{n}{w} \le 2^n$

Complexity in the worst case: quadratically exponential for the rank metric, simply exponential for the Hamming metric.
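As an added example (not code from the slides or from the OUROBOROS-R submission), the rank weight $|x|_r$, rank distance $d_R$ and support $\mathrm{Supp}(x)$ of slides 3 and 4, computed over $\mathbb{F}_{2^m}$ by Gaussian elimination over $\mathbb{F}_2$, together with the Gaussian binomial that counts rank supports of weight $w$. It assumes $q = 2$ and that each coordinate $x_j$ is stored as an int whose bit $i$ is its coefficient on $\beta_{i+1}$, so the bits of $x_j$ form column $j$ of $M_x$ (the rank is the same whether rows or columns are reduced).

```python
from math import comb

def reduce_f2(vectors):
    """Gaussian elimination over F_2 on bitmask vectors.
    Returns a reduced basis of their F_2-span; its length is the rank."""
    basis = []                                  # (pivot_bit, row), kept fully reduced
    for v in vectors:
        for pivot, row in basis:                # clear every existing pivot bit of v
            if v >> pivot & 1:
                v ^= row
        if v:                                   # v is independent of the current basis
            pivot = v.bit_length() - 1
            basis = [(p, r ^ v if r >> pivot & 1 else r) for p, r in basis]
            basis.append((pivot, v))
    return [row for _, row in basis]

def rank_weight(x):
    """|x|_r = Rank(M_x) = dim <x_1, ..., x_n>_{F_2} (assumed encoding: q = 2)."""
    return len(reduce_f2(x))

def rank_distance(x, y):
    """d_R(x, y) = Rank(M_x - M_y); in characteristic 2 subtraction is XOR."""
    return rank_weight([a ^ b for a, b in zip(x, y)])

def support(x):
    """Supp(x): a basis of the F_2-subspace generated by the coordinates of x."""
    return reduce_f2(x)

def gaussian_binomial(m, w, q=2):
    """[m choose w]_q: number of w-dimensional F_q-subspaces of F_q^m, i.e. the
    number of rank supports of weight w (slide 4); roughly q^(w(m-w))."""
    num = den = 1
    for i in range(w):
        num *= q**m - q**i
        den *= q**w - q**i
    return num // den

if __name__ == "__main__":
    m = 4
    x = [0b0011, 0b0101, 0b0110, 0b0011]       # constructed: 4 nonzero coordinates
    print("Hamming weight 4, rank weight", rank_weight(x))      # 2, since x_3 = x_1 + x_2
    print("rank supports of weight 2 in F_2^4:", gaussian_binomial(m, 2),
          "vs Hamming supports of weight 2 in length 4:", comb(4, 2))   # 35 vs 6
```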

SLIDE 5

LRPC Codes

Definition. Let $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$ be a full-rank matrix such that the dimension $d$ of $\langle h_{ij} \rangle_{\mathbb{F}_q}$ is small. By definition, $H$ is a parity-check matrix of an $[n, k]_{q^m}$ LRPC code. We say that $d$ is the weight of the matrix $H$.

An LRPC code can decode errors (recover the support) of weight $r \le \frac{n-k}{d}$ in polynomial time with a probability of failure

$$p_f < \max\left( q^{-(n-k-2(r+d)+5)},\; q^{-2(n-k-rd+2)} \right).$$

→ matrices based on random small-weight codewords with the same support can be turned into a decoding algorithm!

SLIDE 6

Difficult problems in rank metric

Problem (Rank Syndrome Decoding problem). Given $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$, $s \in \mathbb{F}_{q^m}^{n-k}$ and an integer $r$, find $e \in \mathbb{F}_{q^m}^n$ such that:

$$H e^T = s^T, \qquad |e|_r = r.$$

Probabilistic reduction to the NP-complete SD problem [Gaborit-Zémor, IEEE-IT 2016].

SLIDE 7

2 Description of the scheme

SLIDE 8

OUROBOROS-R scheme

Vectors $x$ of $\mathbb{F}_{q^m}^n$ are seen as elements of $\mathbb{F}_{q^m}[X]/(P)$ for some polynomial $P$.

Alice:
- $\mathrm{seed}_h \leftarrow \{0,1\}^\lambda$, $h \xleftarrow{\mathrm{seed}_h} \mathbb{F}_{q^m}^n$
- $(x, y) \leftarrow S^{2n}_{1,w}(\mathbb{F}_{q^m})$, $s \leftarrow x + hy$
- $F \leftarrow \mathrm{Supp}(x, y)$
- sends $(h, s)$ to Bob

Bob:
- $(r_1, r_2, e_r) \leftarrow S^{3n}_{w_r}(\mathbb{F}_{q^m})$
- $E \leftarrow \mathrm{Supp}(r_1, r_2, e_r)$
- $s_r \leftarrow r_1 + h r_2$, $s_e \leftarrow s r_2 + e_r$
- sends $(s_r, s_e)$ to Alice
- Shared secret: $\mathrm{Hash}(E)$

Alice:
- $e_c \leftarrow s_e - y s_r$
- $E \leftarrow \mathrm{QCRS\text{-}Recover}(F, e_c, w_r)$
- Shared secret: $\mathrm{Hash}(E)$

Figure 1: Informal description of OUROBOROS-R. $h$ and $s$ constitute the public key. $h$ can be recovered by publishing only the $\lambda$ bits of the seed (instead of the $n$ coordinates of $h$).

SLIDE 9

Why does it work?

$$e_c = s_e - y s_r = s r_2 + e_r - y(r_1 + h r_2) = (x + hy) r_2 + e_r - y(r_1 + h r_2) = x r_2 - y r_1 + e_r$$

Since $1 \in F$, the coordinates of $e_c$ generate a subspace of $\mathrm{Supp}(r_1, r_2, e_r) \times \mathrm{Supp}(x, y)$, on which one can apply the QCRS-Recover algorithm to recover $E$ (LRPC decoder).

In other words: $e_c$ is seen as the syndrome associated to an LRPC code based on the secret key $(x, y)$ → a reasonable decoding algorithm is used to decode a SMALL weight error!
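The derivation above carried through in code, as an added example that is not the authors' code: the ring $\mathbb{F}_{q^m}[X]/(P)$ is instantiated with toy assumptions ($q = 2$, $m = 4$ with $\mathbb{F}_{16} = \mathbb{F}_2[a]/(a^4 + a + 1)$, $P = X^5 - 1$, supports of dimension 2), Alice's and Bob's computations from Figure 1 are run, and $e_c$ is compared with $x r_2 - y r_1 + e_r$; QCRS-Recover itself is not implemented.

```python
import random
from functools import reduce

M, POLY, N = 4, 0b10011, 5       # toy: F_16 = F_2[a]/(a^4 + a + 1), ring modulus X^5 - 1

def gf_mul(a, b):
    """Multiply two F_{2^M} elements (bitmask coefficients) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M & 1:                      # reduce the overflow term a^M
            a ^= POLY
    return r

def ring_mul(u, v):
    """Product in F_{2^M}[X]/(X^N - 1): cyclic convolution of coefficient vectors."""
    out = [0] * N
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            out[(i + j) % N] ^= gf_mul(ui, vj)
    return out

def ring_add(u, v):                         # addition = subtraction in characteristic 2
    return [a ^ b for a, b in zip(u, v)]

def ouroboros_round(h, x, y, r1, r2, e_r):
    """Alice: s = x + h y.  Bob: s_r = r1 + h r2, s_e = s r2 + e_r.
    Alice: e_c = s_e - y s_r.  Returns (e_c, x r2 - y r1 + e_r) for comparison."""
    s = ring_add(x, ring_mul(h, y))
    s_r = ring_add(r1, ring_mul(h, r2))
    s_e = ring_add(ring_mul(s, r2), e_r)
    e_c = ring_add(s_e, ring_mul(y, s_r))
    return e_c, ring_add(ring_add(ring_mul(x, r2), ring_mul(y, r1)), e_r)

def demo(seed=1):
    """Constructed supports: x, y have coordinates in F = <1, a> (so 1 is in F, as in
    S_{1,w}) and r1, r2, e_r in E = <a^2, a^3>; h is uniform. Returns (e_c, expected)."""
    rng = random.Random(seed)
    def vec_in(basis):                      # each coordinate: random F_2-combination of basis
        return [reduce(lambda acc, b: acc ^ b, (b for b in basis if rng.random() < .5), 0)
                for _ in range(N)]
    h = [rng.randrange(1 << M) for _ in range(N)]
    x, y = vec_in([0b0001, 0b0010]), vec_in([0b0001, 0b0010])
    r1, r2, e_r = (vec_in([0b0100, 0b1000]) for _ in range(3))
    return ouroboros_round(h, x, y, r1, r2, e_r)
```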

SLIDE 10

3 Security and parameters

SLIDE 11

Semantic Security

Theorem. Under the assumption of the hardness of the $[2n, n]$-Decisional-QCRSD and $[3n, n]$-Decisional-QCRSD problems, OUROBOROS-R is IND-CPA in the Random Oracle Model.

SLIDE 12

Best Known Attacks

Combinatorial attacks: try to guess the support of the error or of the codeword. The best algorithm is GRS+ (Aragon et al., ISIT 2018). On average:

$$O\left( (nm)\, q^{\,r \lceil km/n \rceil - m} \right)$$

Quantum speed-up: Grover's algorithm directly applies to GRS+ ⇒ exponent divided by 2.

SLIDE 13

Examples of parameters

All the times are given in ms, performed on an Intel Core i7-4700HQ CPU running at 3.40GHz.

Security   Key size   Ciphertext    KeyGen      Encap       Decap       Probability
           (bits)     size (bits)   time (ms)   time (ms)   time (ms)   of failure
128        5,408      10,816        0.18        0.29        0.53        < 2^-36
192        6,456      12,912        0.19        0.33        0.97        < 2^-36
256        8,896      17,792        0.24        0.40        1.38        < 2^-42

SLIDE 14

Advantages and Limitations

Advantages:
- Small key size
- Very fast encryption/decryption time
- Reduction to decoding a random (QC) code
- Well understood decryption failure probability

Limitations:
- Longer ciphertext (compared to LRPC) because of reconciliation (×2)
- Slightly larger parameters than LRPC because of the security reduction
- RSD problem studied for 27 years

SLIDE 15

Questions !
