
OUROBOROS-R, an IND-CPA KEM based on Rank Metric (slides, NIST First Post-Quantum Cryptography Standardization Conference)



1. OUROBOROS-R, an IND-CPA KEM based on Rank Metric
NIST First Post-Quantum Cryptography Standardization Conference
Carlos Aguilar Melchor (2), Nicolas Aragon (1), Slim Bettaieb (5), Loic Bidoux (5), Olivier Blazy (1), Jean-Christophe Deneuville (1, 4), Philippe Gaborit (1), Adrien Hauteville (1), Gilles Zémor (3)
(1) University of Limoges, XLIM-DMI, France; (2) ISAE-SUPAERO, Toulouse, France; (3) IMB, University of Bordeaux; (4) INSA-CVL, Bourges, France; (5) Worldline, France.

2. Outline
1 Presentation of the rank metric
2 Description of the scheme
3 Security and parameters

3. Rank Metric
We only consider codes with coefficients in $\mathbb{F}_{q^m}$. Let $\beta_1, \dots, \beta_m$ be a basis of $\mathbb{F}_{q^m} / \mathbb{F}_q$. To each vector $x \in \mathbb{F}_{q^m}^n$ we can associate a matrix $M_x \in \mathbb{F}_q^{m \times n}$:
$$x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n \;\leftrightarrow\; M_x = \begin{pmatrix} x_{11} & \cdots & x_{1n} \\ \vdots & \ddots & \vdots \\ x_{m1} & \cdots & x_{mn} \end{pmatrix} \in \mathbb{F}_q^{m \times n}$$
such that $x_j = \sum_{i=1}^{m} x_{ij} \beta_i$ for each $j \in [1..n]$.
Definition: $d_R(x, y) = \mathrm{Rank}(M_x - M_y)$ and $|x|_r = \mathrm{Rank}\, M_x$.

4. Support of a Word
Definition: the support of a word is the $\mathbb{F}_q$-subspace generated by its coordinates: $\mathrm{Supp}(x) = \langle x_1, \dots, x_n \rangle_{\mathbb{F}_q}$.
Number of supports of weight $w$:
Rank metric: $\binom{m}{w}_q \approx q^{w(m-w)}$
Hamming metric: $\binom{n}{w} \le 2^n$
Complexity in the worst case: quadratically exponential for the rank metric, simply exponential for the Hamming metric.

5. LRPC Codes
Definition: let $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$ be a full-rank matrix such that the dimension $d$ of $\langle h_{ij} \rangle_{\mathbb{F}_q}$ is small. By definition, $H$ is a parity-check matrix of an $[n, k]_{q^m}$ LRPC code. We say that $d$ is the weight of the matrix $H$.
An LRPC code can decode errors (recover the support) of weight $r \le \frac{n-k}{d}$ in polynomial time with a probability of failure
$$p_f < \max\left( q^{-(n-k-2(r+d)+5)},\; q^{-2(n-k-rd+2)} \right).$$
→ Matrices based on random small-weight codewords with the same support can be turned into a decoding algorithm!

6. Difficult problems in rank metric
Problem (Rank Syndrome Decoding problem): given $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$, $s \in \mathbb{F}_{q^m}^{n-k}$ and an integer $r$, find $e \in \mathbb{F}_{q^m}^n$ such that
$$H e^T = s^T, \qquad |e|_r = r.$$
Probabilistic reduction to the NP-complete SD problem [Gaborit-Zémor, IEEE-IT 2016].

7. Outline
1 Presentation of the rank metric
2 Description of the scheme
3 Security and parameters

8. OUROBOROS-R scheme
Vectors $x$ of $\mathbb{F}_{q^m}^n$ are seen as elements of $\mathbb{F}_{q^m}[X]/(P)$ for some polynomial $P$.
Alice:
  $\mathrm{seed}_h \leftarrow \{0,1\}^\lambda$, $h \leftarrow \mathbb{F}_{q^m}^n$ (expanded from $\mathrm{seed}_h$)
  $(x, y) \leftarrow S^{2n}_{1,w}(\mathbb{F}_{q^m})$, $s \leftarrow x + hy$
  $F \leftarrow \mathrm{Supp}(x, y)$
Alice → Bob: $h, s$
Bob:
  $(r_1, r_2, e_r) \leftarrow S^{3n}_{w_r}(\mathbb{F}_{q^m})$
  $E \leftarrow \mathrm{Supp}(r_1, r_2, e_r)$
  $s_r \leftarrow r_1 + h r_2$, $s_e \leftarrow s r_2 + e_r$
Bob → Alice: $s_r, s_e$
Alice:
  $e_c \leftarrow s_e - y s_r$
  $E \leftarrow \text{QCRS-Recover}(F, e_c, w_r)$
Shared secret: $\mathrm{Hash}(E)$ on both sides.
Figure 1: Informal description of OUROBOROS-R. $h$ and $s$ constitute the public key. $h$ can be recovered by publishing only the $\lambda$ bits of the seed (instead of the $n$ coordinates of $h$).

9. Why does it work?
$$e_c = s_e - y s_r = s r_2 + e_r - y(r_1 + h r_2) = (x + hy) r_2 + e_r - y(r_1 + h r_2) = x r_2 - y r_1 + e_r$$
Since $1 \in F$, the coordinates of $e_c$ generate a subspace of the product space $\mathrm{Supp}(r_1, r_2, e_r) \times \mathrm{Supp}(x, y)$, on which one can apply the QCRS-Recover algorithm to recover $E$ (LRPC decoder).
In other words: $e_c$ is seen as the syndrome associated to an LRPC code based on the secret key $(x, y)$ → a reasonable decoding algorithm is used to decode a SMALL weight error!
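The rank weight and support of slides 3 and 4, and the identity $e_c = x r_2 - y r_1 + e_r$ of this slide, as an added worked example in Python (not code from the presentation or from the OUROBOROS-R submission). It assumes $q = 2$, toy sizes $m = 8$, $n = 7$, the polynomial $X^8 + X^4 + X^3 + X + 1$ for $\mathbb{F}_{2^8}$, $P = X^n - 1$, and fixed constructed supports $F$ and $E$; the QCRS-Recover decoder itself is not implemented, only the bound $|e_c|_r \le w \cdot w_r$ that makes it applicable is checked.

```python
# Added example, not from the slides: rank weight / support over F_2 (slides 3-4) and the e_c identity of slide 9.
import random
from functools import reduce
from operator import xor

M, N = 8, 7          # toy sizes: F_{2^8}, length-7 vectors (the real parameters are much larger)
POLY = 0x11B         # X^8 + X^4 + X^3 + X + 1, irreducible over F_2: defines F_{2^8}

def gf_mul(a, b):    # product in F_{2^8}; elements are 8-bit ints in the basis 1, beta, ..., beta^7
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (POLY if a & 0x80 else 0)   # multiply by beta and reduce mod POLY
        b >>= 1
    return r

def ring_mul(u, v):  # product in F_{2^M}[X]/(X^N - 1): cyclic convolution of coordinate lists
    out = [0] * N
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            out[(i + j) % N] ^= gf_mul(ui, vj)
    return out

def ring_add(u, v):  # characteristic 2, so + and - are both coordinate-wise XOR
    return [a ^ b for a, b in zip(u, v)]

def support_basis(vec):  # F_2-basis of Supp(x) = <x_1, ..., x_n>_{F_2}; its length is |x|_r = Rank(M_x)
    basis = []
    for c in vec:
        for b in basis:  # min(c, c ^ b) clears the top bit of b from c whenever that bit is set
            c = min(c, c ^ b)
        if c:
            basis.append(c)
    return basis

def words_in_support(basis, count):  # `count` length-N vectors whose coordinates lie in span(basis)
    return [[reduce(xor, (b for b in basis if random.getrandbits(1)), 0) for _ in range(N)]
            for _ in range(count)]

def ouroboros_r_ec(seed=1):  # the exchange of Figure 1; returns e_c, x*r2 - y*r1 + e_r and |e_c|_r
    random.seed(seed)
    h = [random.randrange(1 << M) for _ in range(N)]     # public h (expanded from seed_h in the scheme)
    F, E = [0x01, 0x02], [0x04, 0x10]   # constructed supports: 1 is in F, so (x, y) lies in S_{1,w}
    x, y = words_in_support(F, 2)                         # Alice's secret key, w = 2
    s = ring_add(x, ring_mul(h, y))                       # public key (h, s)
    r1, r2, e_r = words_in_support(E, 3)                  # Bob's ephemeral words, w_r = 2
    s_r, s_e = ring_add(r1, ring_mul(h, r2)), ring_add(ring_mul(s, r2), e_r)
    e_c = ring_add(s_e, ring_mul(y, s_r))                 # Alice computes e_c = s_e - y s_r
    expected = ring_add(ring_add(ring_mul(x, r2), ring_mul(y, r1)), e_r)
    return e_c, expected, len(support_basis(e_c))         # |e_c|_r <= dim(E x F) <= w * w_r = 4
```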

10. Outline
1 Presentation of the rank metric
2 Description of the scheme
3 Security and parameters

11. Semantic Security
Theorem: under the assumption of the hardness of the $[2n, n]$-Decisional-QCRSD and $[3n, n]$-Decisional-QCRSD problems, OUROBOROS-R is IND-CPA in the Random Oracle Model.

12. Best Known Attacks
Combinatorial attacks: try to guess the support of the error or of the codeword. The best algorithm is GRS+ (Aragon et al., ISIT 2018). On average:
$$O\!\left( (nm)^3 \, q^{\, r \lceil km/n \rceil - m} \right)$$
Quantum speed-up: Grover's algorithm directly applies to GRS+ ⇒ exponent divided by 2.

13. Examples of parameters
All times are given in ms, measured on an Intel Core i7-4700HQ CPU running at 3.40GHz.
Security  Key size (bits)  Ciphertext size (bits)  KeyGen time (ms)  Encap time (ms)  Decap time (ms)  Probability of failure
128       5,408            10,816                  0.18              0.29             0.53             < 2^-36
192       6,456            12,912                  0.19              0.33             0.97             < 2^-36
256       8,896            17,792                  0.24              0.40             1.38             < 2^-42

14. Advantages and Limitations
Advantages:
- Small key size
- Very fast encryption/decryption time
- Reduction to decoding a random (QC) code
- Well understood decryption failure probability
Limitations:
- Longer ciphertext (compared to LRPC) because of reconciliation (×2)
- Slightly larger parameters than LRPC because of the security reduction
- RSD problem studied for 27 years

15. Questions!
