slide-1
SLIDE 1

Ramesses: a Rank Metric Encryption Scheme with Short Keys

Julien Lavauzelle, Pierre Loidreau, Ba-Duc Pham

IRMAR, Université de Rennes 1

Groupe de travail cryptographie à base de codes 25/11/2019

slide-2
SLIDE 2

Introduction

Goal: design a new public-key encryption scheme that
◮ is based on the problem of decoding Gabidulin codes beyond their unique decoding radius,
◮ features very compact keys and short ciphertexts,
◮ admits efficient encryption and decryption algorithms.

1/28

  • J. Lavauzelle

GT code-based crypto – RAMESSES –

slide-3
SLIDE 3

Outline

  1. Past efforts
     Augot-Finiasz PKE
     Faure-Loidreau PKE
  2. RAMESSES: new PKE based on rank metric
     Background
     The scheme
     Correctness
     Security

slide-6
SLIDE 6

Codes in Hamming metric

Linear code $C \subseteq \mathbb{F}_q^n$, with Hamming metric $d(a, b) := |\{i \in [1, n],\ a_i \neq b_i\}|$.

Let $x = (x_1, \dots, x_n) \in \mathbb{F}_q^n$ be pairwise distinct. The Reed-Solomon code of dimension $k$ and evaluation vector $x$ is
$$\mathrm{RS}_k(x) := \{\mathrm{ev}_x(P) := (P(x_1), \dots, P(x_n)) \mid P(X) \in \mathbb{F}_q[X]_{<k}\}.$$

Decoding $w$ errors in $\mathrm{RS}_k(x)$, with $w = \mathrm{wt}(e)$ (radii on a line from $0$ to $n$):
  $0 \le w \le \frac{n-k}{2}$: unique decoding (easy)
  $\frac{n-k}{2} < w \le n - \sqrt{nk}$: list decoding (easy)
  $n - \sqrt{nk} < w \le n - k$: interpolation (hard)

  • V. Guruswami, A. Vardy, Maximum-likelihood decoding of Reed-Solomon codes is NP-hard, IEEE TIT, 2005.

slide-8
SLIDE 8

Augot-Finiasz cryptosystem

  • D. Augot, M. Finiasz, A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem, EUROCRYPT, 2003.

Public parameters:
  – $x \in \mathbb{F}_q^n$ pairwise distinct, the locators of $\mathrm{RS}_k(x)$,
  – $n, k$, with $n - \sqrt{nk} < w < n - k$ and $w' \le \frac{n-k-w}{2}$.

KeyGen:
  – private key: $P \in \mathbb{F}_q[X]_{<k-1}$ and $e \in \mathbb{F}_q^n$ with $\mathrm{wt}(e) = w$
  – public key: the noisy codeword $k_{\mathrm{pub}} = \mathrm{ev}_x(P + X^{k-1}) + e$

slide-10
SLIDE 10

Augot-Finiasz cryptosystem

Encrypt: plaintext is $M \in \mathbb{F}_q[X]_{<k-1}$
  1. pick $\alpha \in \mathbb{F}_q$ and $e' \in \mathbb{F}_q^n$ with $\mathrm{wt}(e') = w'$
  2. ciphertext $y = \mathrm{ev}_x(M) + \alpha k_{\mathrm{pub}} + e'$

Decrypt: ciphertext is $y \in \mathbb{F}_q^n$
  1. puncture $y$ at $\mathrm{supp}(e) := \{i \in [1, n],\ e_i \neq 0\}$ → get $y' \in \mathbb{F}_q^{n-w}$ (and $x'$, the locators outside $\mathrm{supp}(e)$)
  2. decode $w'$ errors from $y'$ → get $\mathrm{ev}_{x'}(M) + \alpha\, \mathrm{ev}_{x'}(P + X^{k-1}) \in \mathbb{F}_q^{n-w}$
  3. interpolation → recover $\underbrace{(M + \alpha P)}_{\deg \le k-2} + \alpha X^{k-1}$ → recover $\alpha$ (leading coefficient) → recover $M$ (since $P$ is known to the decryptor)

slide-13
SLIDE 13

Coron's attack (1)

  • J.-S. Coron, Cryptanalysis of a Public-Key Encryption Scheme Based on the Polynomial Reconstruction Problem, PKC, 2004.

Ciphertext attack: retrieve $M$ from $y = \mathrm{ev}_x(M) + \alpha k_{\mathrm{pub}} + e'$.

Let $V_{e'}(X) = \prod_{i \in \mathrm{supp}(e')} (X - x_i)$. Then
$$V_{e'}(x_i)\,(y_i - \alpha k_{\mathrm{pub},i}) = V_{e'}(x_i)\, M(x_i), \quad \forall i = 1, \dots, n.$$

Consider the system
$$(S_\lambda): \quad V(x_i)\,(y_i - \lambda k_{\mathrm{pub},i}) = A(x_i), \quad \forall i = 1, \dots, n, \qquad \deg V \le w',\ \deg A \le k - 1 + w'.$$
For every $\lambda$, $(S_\lambda)$ is linear in the coefficients of $(V, A)$: it has $n$ equations and $u = k + 2w' + 1$ unknowns (overdetermined).
◮ if $\lambda \neq \alpha$: a non-trivial solution exists with probability $\ll 1$.
◮ if $\lambda = \alpha$: $(V, A) = (V_{e'}, V_{e'} M)$ is a solution.

slide-14
SLIDE 14

Coron's attack (2)

Goal: retrieve $\alpha$. Sketch of Coron's attack:
◮ If $(S_0)$ has no non-zero solution:
  ◮ Find a full-rank sub-system $(S'_\lambda)$ of $u$ equations (and $u$ unknowns).
  ◮ Solve $\det(S'_\lambda) = 0$ ($\lambda \mapsto \det(S'_\lambda)$ is a polynomial of degree $\le w' + 1$).
  ◮ Get $\lambda = \alpha$ among the solutions.
◮ Otherwise: let $(V, A)$ be a solution of $(S_0)$.
  ◮ One can prove (≃ Berlekamp-Welch) that $\frac{A}{V} = M + \alpha(P + X^{k-1}) \in \mathbb{F}_q[X]$.
  ◮ Find $\alpha$ as the leading coefficient of $\frac{A}{V}$.
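The two slides above in working form, as an added example that is not the speakers' code: a toy Augot-Finiasz instance over a prime field $\mathbb{F}_p$ and Coron's ciphertext-only recovery of $(\alpha, M)$. The parameters $p = 257$, $n = 20$, $k = 6$, $w = 10$, $w' = 2$ are constructed here so that $n - \sqrt{nk} < w < n - k$ and $w' \le (n-k-w)/2$ hold. One simplification is labelled: instead of solving the determinant polynomial $\det(S'_\lambda) = 0$, the code tests every $\lambda \in \mathbb{F}_p$ for a non-zero solution of $(S_\lambda)$, which is the same criterion and is affordable because the field is tiny; for $\lambda = \alpha$ the kernel is spanned by $(V_{e'}, V_{e'}M)$, so $M = A/V$ by exact polynomial division.

```python
"""Toy Augot-Finiasz PKE over F_p and Coron's ciphertext-only attack (added example, not the talk's code).
Constructed parameters: p = 257, n = 20, k = 6, w = 10, w' = 2, so that
n - sqrt(nk) ~ 9.05 < w < n - k = 14 and w' <= (n - k - w)/2 = 2.
Simplification: every lambda in F_p is tested for a non-zero solution of (S_lambda)
instead of solving det(S'_lambda) = 0."""
import random

p = 257
n, k = 20, 6
w, wprime = 10, 2
x = list(range(1, n + 1))                   # pairwise-distinct locators of RS_k(x)

def ev(P, pts):
    """ev_x(P): evaluate P (coefficients, low degree first) at the locators."""
    return [sum(c * pow(t, i, p) for i, c in enumerate(P)) % p for t in pts]

def rand_poly(deg_lt):
    return [random.randrange(p) for _ in range(deg_lt)]

def rand_error(weight):
    e = [0] * n
    for i in random.sample(range(n), weight):
        e[i] = random.randrange(1, p)
    return e

def keygen():
    P = rand_poly(k - 1)                                        # deg P <= k - 2
    e = rand_error(w)
    kpub = [(a + b) % p for a, b in zip(ev(P + [1], x), e)]     # ev_x(P + X^{k-1}) + e
    return (P, e), kpub

def encrypt(kpub, M):
    """y = ev_x(M) + alpha * kpub + e'; alpha is returned only so a test can check the attack."""
    alpha = random.randrange(p)
    e2 = rand_error(wprime)
    return alpha, [(a + alpha * b + c) % p for a, b, c in zip(ev(M, x), kpub, e2)]

def system_rows(y, kpub, lam):
    """(S_lambda): V(x_i)(y_i - lam*kpub_i) - A(x_i) = 0; unknowns = w'+1 coeffs of V, k+w' of A."""
    rows = []
    for xi, yi, ki in zip(x, y, kpub):
        lhs = (yi - lam * ki) % p
        rows.append([lhs * pow(xi, j, p) % p for j in range(wprime + 1)]
                    + [(-pow(xi, j, p)) % p for j in range(k + wprime)])
    return rows

def kernel_vector(rows, ncols):
    """Gaussian elimination mod p: one non-zero kernel vector, or None if the columns are independent."""
    A = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(A)) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [v * inv % p for v in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(a - f * b) % p for a, b in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    free = [c for c in range(ncols) if c not in pivots]
    if not free:
        return None
    v = [0] * ncols
    v[free[0]] = 1
    for i, c in enumerate(pivots):
        v[c] = (-A[i][free[0]]) % p
    return v

def poly_divmod(num, den):
    """Euclidean division of polynomials over F_p (den has a non-zero leading coefficient)."""
    num, inv = num[:], pow(den[-1], -1, p)
    q = [0] * max(len(num) - len(den) + 1, 1)
    for i in range(len(num) - len(den), -1, -1):
        q[i] = num[i + len(den) - 1] * inv % p
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % p
    return q, num

def coron_attack(kpub, y):
    """Recover (alpha, M) from the public key and the ciphertext alone, or None."""
    u = k + 2 * wprime + 1                                  # number of unknowns of (S_lambda)
    for lam in range(p):
        sol = kernel_vector(system_rows(y, kpub, lam), u)
        if sol is None:                                     # (S_lambda) has only the zero solution
            continue
        V, A = sol[:wprime + 1], sol[wprime + 1:]
        while V and V[-1] == 0:
            V.pop()
        if not V:
            continue
        M, rem = poly_divmod(A, V)                          # for lam == alpha: A = V_{e'} * M exactly
        if any(rem) or any(M[k - 1:]):                      # reject a spurious lam: need deg M <= k - 2
            continue
        return lam, M[:k - 1]
    return None

def demo(seed=1):
    """Key generation, encryption of a random plaintext, and its recovery by the attack."""
    random.seed(seed)
    _, kpub = keygen()
    M = rand_poly(k - 1)
    alpha, y = encrypt(kpub, M)
    return coron_attack(kpub, y) == (alpha, M)
```

The attack never touches the private key: the only inputs to coron_attack are $k_{\mathrm{pub}}$ and $y$, and the check on the remainder and on $\deg M$ is what rules out the rare $\lambda \neq \alpha$ for which $(S_\lambda)$ happens to have a kernel.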

slide-16
SLIDE 16

Rank metric codes

Field extension $\mathbb{F}_q/\mathbb{F}_2$, say $q = 2^m$; $g = (g_1, \dots, g_m) \in \mathbb{F}_q^m$ an ordered basis of $\mathbb{F}_q/\mathbb{F}_2$.

Extension map $\mathrm{Ext}_g : \mathbb{F}_q^n \to \mathbb{F}_2^{m \times n}$, $x \mapsto X = (x_{i,j})$ where $x_j = \sum_{i=1}^m g_i x_{i,j} \in \mathbb{F}_{2^m}$ (column $j$ holds the coordinates of $x_j$ on $g$). By definition, $\mathrm{Ext}_g(gX) = X$.

The rank distance is defined as $d(x, y) = \mathrm{rk}(x - y) := \mathrm{rk}_{\mathbb{F}_2}(\mathrm{Ext}_g(x - y))$.

slide-19
SLIDE 19

Gabidulin codes

Let $\theta : x \mapsto x^2$ be the $\mathbb{F}_2$-linear Frobenius automorphism. If $P = \sum_i p_i X^i \in \mathbb{F}_q[X]$, then $P(\theta) = \sum_i p_i \theta^i \in \mathrm{End}_{\mathbb{F}_2}(\mathbb{F}_q)$ and $\dim(\ker P(\theta)) \le \deg P$.

Let $g = (g_1, \dots, g_n) \in \mathbb{F}_q^n$ be $\mathbb{F}_2$-linearly independent. The Gabidulin code of dimension $k$ and evaluation vector $g$ is
$$\mathrm{Gab}_k(g) := \{P(g) := (P(\theta)(g_1), \dots, P(\theta)(g_n)) \mid P(X) \in \mathbb{F}_q[X]_{<k}\}.$$

Decoding errors of rank $w$ in $\mathrm{Gab}_k(g)$, with $w = \mathrm{rk}(e)$:
  $0 \le w \le \frac{n-k}{2}$: unique decoding (easy)
  $\frac{n-k}{2} < w \le n - k$: interpolation (hard in the worst case)
Unlike Reed-Solomon codes, no list-decoding regime sits between the two:

  • N. Raviv, A. Wachter-Zeh, Some Gabidulin Codes Cannot Be List Decoded Efficiently at any Radius, IEEE TIT, 2016.

slide-21
SLIDE 21

Translation of Augot-Finiasz PKE into rank metric (1)

Public parameters:
  – $g \in \mathbb{F}_q^n$ linearly independent over $\mathbb{F}_2$,
  – $k$, with $\frac{n-k}{2} < w < n - k$ and $w' \le \frac{n-k-w}{2}$.

KeyGen:
  – private key: $P \in \mathbb{F}_q[X]_{<k-1}$ and $e \in \mathbb{F}_q^n$ with $\mathrm{rk}(e) = w$
  – public key: the noisy codeword $k_{\mathrm{pub}} = (P + X^{k-1})(g) + e$

slide-23
SLIDE 23

Translation of Augot-Finiasz PKE into rank metric (2)

Encrypt: plaintext is $M \in \mathbb{F}_q[X]_{<k-1}$
  1. pick $\alpha \in \mathbb{F}_q$ and $e' \in \mathbb{F}_q^n$ with $\mathrm{rk}(e') = w'$
  2. ciphertext $y = M(g) + \alpha k_{\mathrm{pub}} + e'$

Decrypt: ciphertext is $y \in \mathbb{F}_q^n$
  1. "puncture" $y$ at $\mathrm{supp}(e) := \sum_{i=1}^n \mathbb{F}_2 e_i$ → get $y' \in \mathbb{F}_q^{n-w}$
  2. decode $w'$ errors from $y'$ → get $M(g') + \alpha (P + X^{k-1})(g') \in \mathbb{F}_q^{n-w}$
  3. interpolation → recover $\underbrace{(M + \alpha P)}_{\deg \le k-2} + \alpha X^{k-1}$, then $\alpha$, then $M$

slide-25
SLIDE 25

Translation of Augot-Finiasz PKE into rank metric (3)

Main advantage: the polynomial $\lambda \mapsto \det(S'_\lambda)$ now has degree $\simeq 2^{w'}$
→ prevents a direct application of Coron's attack.

But... the Berlekamp-Welch-like equation
$$V_{e'}(y) = V_{e'}(M(g)) + V_{e'}(\alpha k_{\mathrm{pub}}), \quad \text{where } V_{e'}(e') = 0,$$
can be rewritten as a system that is linear in the unknown polynomials:
$$V(y) = A(g) + W(k_{\mathrm{pub}}), \qquad \deg V,\ \deg W \le w',\quad \deg A \le k - 1 + w'.$$

  • C. Faure, P. Loidreau, A New Public-Key Cryptosystem Based on the Problem of Reconstructing p-Polynomials, WCC 2005.

slide-27
SLIDE 27

The Faure-Loidreau cryptosystem (1)

  • C. Faure, P. Loidreau, A New Public-Key Cryptosystem Based on the Problem of

Reconstructing p-Polynomials, WCC 2005, .

Public parameters: – fields F2, Fq, Fqu, g ∈ Fn

q lineary-independent over F2,

– k,

n−k 2

+ k−u

u−1 < w < n − k

and w ′ ≤ n−k−w

2

. KeyGen: – private key: (P, Q, e) where:

e ∈ Fn

qu and rk(e) = w

P ∈ Fqu [X]<k−u the u coefficients of Q ∈ Fqu [X]<u form a basis of Fqu /Fq

– public key: noisy codeword kpub = (P + X k−uQ)(g) + e ∈ Fn

qu 12/28

slide-29
SLIDE 29

The Faure-Loidreau cryptosystem (2)

Encrypt: plaintext is M ∈ Fq[X]<k−u

  • 1. pick a non-zero α ∈ Fqu and e′ ∈ Fn

q, wt(e′) = w ′

  • 2. ciphertext y = M(g) + TrFqu /Fq(αkpub) + e′

Decrypt: ciphertext is y ∈ Fn

q

  • 1. “puncture” y at supp(e)

→ get y ′ ∈ Fn−w

q

  • 2. decode w ′ errors from y ′

→ get M(g ′) + Tr(α(P + X k−uQ)(g ′)) ∈ Fn−w

q

  • 3. interpolation + dual basis w.r.t. coefficients of Q

→ get M

slide-32
SLIDE 32

GOT attack

Advantage: for large enough u, Berlekamp-Welch-like system is unsolvable. However, kpub is a collection of u noisy codewords from Gabk(g), whose errors e1, . . . , eu ∈ Fn

qm have the same support.

  • Ph. Gaborit, A. Otmani, H. Talé Kalachi, Polynomial-time key recovery attack on

the Faure-Loidreau scheme based on Gabidulin codes, DCC, 2018.

Decoding u-interleaved errors of rank w in Gabk(g) ⊆ Fn

q:

w = rk(e) n

n−k 2

(n−k)u u+1

n − k

unique decoding interleaved dec. interpolation

easy w.h.p. hard

slide-34
SLIDE 34

Idea

◮ Use rank metric to avoid Coron’s attack. ◮ Key generation strictly follows the underlying decoding problem. ◮ Break/avoid Fq-linearity of α → TrFqu /Fq(αkpub). ◮ Keep Fq not too large so as to reduce key/ciphertext sizes. Syndrome decoding for Gabidulin codes (Gab-SD). Fix integers 1 ≤ k ≤ n and w ≥ 1. Let H denote a parity-check matrix of a Gabidulin code Gabk(g) ⊆ Fn

q

◮ Input: H and y ∈ Fn−k

q

such that there exists e ∈ Fn

q of rank w satisfying

y ⊤ = He⊤. ◮ Goal: Find e′ ∈ Fn

q of rank ≤ w such that y ⊤ = He′⊤. 15/28

slide-38
SLIDE 38

Interpolation degree of matrices

From now on $q = 2^n$ (the extension degree equals the code length $n$), and $g = (g_1, \dots, g_n) \in \mathbb{F}_q^n$ is an ordered basis of $\mathbb{F}_q/\mathbb{F}_2$.

Given $a \in \mathbb{F}_q^n$, the minimum-degree polynomial $P \in \mathbb{F}_q[X]$ such that $P(\theta)(g) = a$ is called the $g$-interpolating polynomial of $a$. It is denoted $L_a$.

We call $g$-degree of $A \in \mathbb{F}_2^{n \times n}$ the degree of $L_{gA}$, and define
$$\mathcal{M}_\ell := \{A \in \mathbb{F}_2^{n \times n},\ \deg_g(A) = \ell\}.$$

Prop.
  – $\mathcal{M}_\ell = \mathrm{Ext}_g(\mathrm{Gab}_{\ell+1}(g) \setminus \mathrm{Gab}_\ell(g))$
  – $\forall A \in \mathcal{M}_\ell$, $\mathrm{Gab}_k(g)\,A = \mathrm{Gab}_k(gA) \subseteq \mathrm{Gab}_{k+\ell}(g)$
  – the matrix of $\mu_\alpha : \mathbb{F}_q \to \mathbb{F}_q$, $x \mapsto \alpha x$, has $g$-degree $0$.

slide-41
SLIDE 41

The scheme: public parameters and key generation

Public parameters:
  – integers $n, k, \ell > 0$, $w = \frac{n-k}{2} + \delta$ with $\delta > 0$, and $t = \frac{n-k-\ell-w}{2}$,
  – a basis $g$ of $\mathbb{F}_q/\mathbb{F}_2$ and a parity-check matrix $H = \begin{pmatrix} H' \\ B \end{pmatrix}$ of $\mathrm{Gab}_k(g)$ in Moore form, whose first $n-k-\ell$ rows $H'$ form a parity-check matrix of $\mathrm{Gab}_{k+\ell}(g)$.

KeyGen($1^\lambda$)
  Output: a pair of public/private keys $(k_{\mathrm{pub}}, k_{\mathrm{priv}})$
  1. Pick $k_{\mathrm{priv}} \leftarrow_\$ \{x \in \mathbb{F}_q^n,\ \mathrm{rk}(x) = w\}$.
  2. Compute $k_{\mathrm{pub}} \in \mathbb{F}_q^{n-k}$ such that $k_{\mathrm{pub}}^\top = H k_{\mathrm{priv}}^\top$.
  3. Output $(k_{\mathrm{pub}}, k_{\mathrm{priv}}) \in \mathbb{F}_q^{n-k} \times \mathbb{F}_q^n$.

slide-45
SLIDE 45

The scheme: encryption

Plaintexts are $t$-dimensional subspaces of $\mathbb{F}_2^n$. They can be uniquely and efficiently encoded as the row spans of matrices $P \in \mathbb{F}_2^{n \times n}$ of rank $t$ in reduced row echelon form (RREF). Denote by $\mathcal{P}$ the set of those matrices.

Encrypt($k_{\mathrm{pub}}, P$)
  Input: public key $k_{\mathrm{pub}} \in \mathbb{F}_q^{n-k}$, plaintext $P \in \mathcal{P}$
  Output: ciphertext $y \in \mathbb{F}_q^{n-k-\ell}$
  1. Compute any solution $u \in \mathbb{F}_q^n$ to $H u^\top = k_{\mathrm{pub}}^\top$ (hence $u = c + k_{\mathrm{priv}}$ for some $c \in \mathrm{Gab}_k(g)$).
  2. Pick $T \leftarrow_\$ \mathcal{M}_\ell$.
  3. Pick $S \leftarrow_\$ \mathrm{GL}_n(\mathbb{F}_2)$.
  4. Output $y \in \mathbb{F}_q^{n-k-\ell}$ such that $y^\top = H'(uT + gSP)^\top$, i.e. the syndrome of $k_{\mathrm{priv}} T$ + randomized plaintext $gSP$: the term $cT \in \mathrm{Gab}_k(g)T \subseteq \mathrm{Gab}_{k+\ell}(g)$ is killed by $H'$.

slide-49
SLIDE 49

The scheme: decryption

$V_{k_{\mathrm{priv}}}(X) \in \mathbb{F}_q[X]$ is the minimum-degree polynomial such that $V_{k_{\mathrm{priv}}}(k_{\mathrm{priv}}) = 0$ (coordinate-wise). It is called the vanishing polynomial of $k_{\mathrm{priv}}$, and $\deg V_{k_{\mathrm{priv}}} = \mathrm{rk}(k_{\mathrm{priv}}) = w$.

Decrypt($k_{\mathrm{priv}}, y$)
  Input: private key $k_{\mathrm{priv}} \in \mathbb{F}_q^n$, ciphertext $y \in \mathbb{F}_q^{n-k-\ell}$
  Output: plaintext $P \in \mathcal{P}$, or failure
  1. Compute a solution $x \in \mathbb{F}_q^n$ to the linear system $H' x^\top = y^\top$ (hence $x = c' + (c + k_{\mathrm{priv}})T + gSP$ for some $c' \in \mathrm{Gab}_{k+\ell}(g)$).
  2. Compute $z = V_{k_{\mathrm{priv}}}(x) \in \mathbb{F}_q^n$.
  3. Decode $z$ as a corrupted $\mathrm{Gab}_{k+\ell+w}(g)$-codeword; its unique decoding radius is exactly $\frac{n-(k+\ell+w)}{2} = t$. If successful, one gets an error vector $a \in \mathbb{F}_q^n$ of rank $\le t$.
  4. If $\mathrm{rk}(a) < t$, output failure. Otherwise, output the RREF matrix of $\mathrm{Ext}_g(a)$.
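The objects used on the Gabidulin-code slide and in step 2 of Decrypt, as an added example that is not the speakers' code: arithmetic in $\mathbb{F}_q = \mathbb{F}_2[x]/(f)$, the map $\mathrm{Ext}_g$, the rank weight, evaluation of linearized polynomials $P(\theta)$, an exhaustive check that $\mathrm{Gab}_k(g)$ has minimum rank distance $n-k+1$, and the vanishing polynomial $V_e$ of a vector, built as $\prod_{u \in \langle e \rangle_{\mathbb{F}_2}} (X - u)$. The toy parameters $m = n = 4$, $k = 2$ and the modulus $f = x^4 + x + 1$ are constructed here; the basis $g$ is the polynomial basis, so $\mathrm{Ext}_g$ is just the bit decomposition.

```python
"""Rank metric, Gabidulin codewords and vanishing polynomials over F_q = F_2[x]/(f), q = 2^m.
Added example (not the talk's code); toy parameters m = n = 4, k = 2 are constructed here."""
from itertools import product

m = 4
MOD = 0b10011                 # f = x^4 + x + 1, irreducible over F_2; F_16 elements are ints < 16
n, k = 4, 2

def gf_mul(a, b):
    """Multiplication in F_{2^m}: carry-less multiply, reduce modulo f."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= MOD
    return r

def frob(a, i):
    """theta^i(a) = a^(2^i): the i-fold Frobenius, which is F_2-linear."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a

g = [1 << i for i in range(m)]   # ordered basis (1, x, x^2, x^3) of F_q over F_2

def ext(x):
    """Ext_g: F_q^n -> F_2^{m x n}; column j holds the coordinates of x_j over g (here: its bits)."""
    return [[(xj >> i) & 1 for xj in x] for i in range(m)]

def rank_f2(rows):
    """Rank over F_2 of a 0/1 matrix given as a list of rows."""
    vecs = [int("".join(map(str, r)), 2) for r in rows]
    rank = 0
    for bit in range(len(rows[0]) - 1, -1, -1):
        piv = next((v for v in vecs if (v >> bit) & 1), None)
        if piv is None:
            continue
        vecs.remove(piv)
        vecs = [v ^ piv if (v >> bit) & 1 else v for v in vecs]
        rank += 1
    return rank

def rk(x):
    """Rank weight of x in F_q^n: rk_{F_2}(Ext_g(x))."""
    return rank_f2(ext(x))

def lin_eval(P, a):
    """Evaluate P(theta) = sum_i p_i theta^i at a in F_q (P = coefficients, low degree first)."""
    r = 0
    for i, p_i in enumerate(P):
        r ^= gf_mul(p_i, frob(a, i))
    return r

def gab_codeword(P):
    """P(g) = (P(theta)(g_1), ..., P(theta)(g_n)); ranges over Gab_k(g) when len(P) == k."""
    return [lin_eval(P, gj) for gj in g[:n]]

def min_rank_distance():
    """Exhaustive check that Gab_k(g) is MRD: minimum rank of a non-zero codeword is n - k + 1."""
    return min(rk(gab_codeword(P)) for P in product(range(1 << m), repeat=k) if any(P))

def kernel_size(P):
    """|ker P(theta)|; the slide's bound dim ker P(theta) <= deg P reads as kernel_size <= 2^deg P."""
    return sum(1 for a in range(1 << m) if lin_eval(P, a) == 0)

def vanishing_poly(e):
    """V_e: monic linearized polynomial of minimal theta-degree with V_e(e_j) = 0 for all j.
    Built as prod_{u in span_F2(e)} (X - u); in characteristic 2 this product is linearized,
    so only the coefficients of X^(2^i) are non-zero, and the theta-degree equals rk(e)."""
    span = {0}
    for ej in e:
        span |= {s ^ ej for s in span}
    poly = [1]                                  # ordinary polynomial, low degree first
    for u in span:                              # multiply by (X - u) = (X + u)
        new = [0] * (len(poly) + 1)
        for i, c in enumerate(poly):
            new[i + 1] ^= c
            new[i] ^= gf_mul(u, c)
        poly = new
    w = len(span).bit_length() - 1              # dimension of the span = rk(e)
    assert all(c == 0 for i, c in enumerate(poly) if i & (i - 1))   # only powers of 2 survive
    return [poly[1 << i] for i in range(w + 1)]
```

The vanishing polynomial is what Decrypt applies in step 2: since $V_{k_{\mathrm{priv}}}(\theta)$ is $\mathbb{F}_2$-linear and kills every element of the support of $k_{\mathrm{priv}}$, the term $k_{\mathrm{priv}}T$ in $x$ disappears while the $\mathrm{Gab}_{k+\ell}(g)$ part is mapped into $\mathrm{Gab}_{k+\ell+w}(g)$.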

slide-56
SLIDE 56

Consistency

Let $x = c' + (c + k_{\mathrm{priv}})T + gSP$, where $c \in \mathrm{Gab}_k(g)$ and $c' \in \mathrm{Gab}_{k+\ell}(g)$.

Claim 1. We have $V_{k_{\mathrm{priv}}}(x) = c'' + a$, where $c'' \in \mathrm{Gab}_{k+\ell+w}(g)$ and $a := V_{k_{\mathrm{priv}}}(gSP)$ has rank $\le t$.
...proof...

Claim 2. The row span of $\mathrm{Ext}_g(a)$, $a = V_{k_{\mathrm{priv}}}(gSP)$, is contained in the row span of $P$.

Claim 3. If $a = V_{k_{\mathrm{priv}}}(gSP)$ has rank $< t$, then there exists a non-zero $x \in \mathrm{ColSp}(SP)$ such that $V_{k_{\mathrm{priv}}}(x) = 0$.
...proof...

Thm. If decryption fails, then $\mathrm{ColSp}_g(k_{\mathrm{priv}}) \cap \mathrm{ColSp}(SP) \neq \{0\}$.

slide-57
SLIDE 57

Failures

Thm. If decryption fails, then $\mathrm{ColSp}_g(k_{\mathrm{priv}}) \cap \mathrm{ColSp}(SP) \neq \{0\}$, where $\mathrm{ColSp}_g(k_{\mathrm{priv}})$ is the column space of $\mathrm{Ext}_g(k_{\mathrm{priv}})$, i.e. the $w$-dimensional support of $k_{\mathrm{priv}}$.

For any fixed $P$ encrypted into $y$,
$$\Pr_{S,T,y}\big[\mathrm{Decrypt}(y) \text{ fails}\big] = \Pr_S\big(\mathrm{ColSp}_g(k_{\mathrm{priv}}) \cap \mathrm{ColSp}(SP) \neq \{0\}\big) \le 2^{-(n-t-w)}.$$

slide-59
SLIDE 59

Formal problem

Ramesses problem. Define $S_w := \{x \in \mathbb{F}_q^n,\ \mathrm{rk}(x) = w\}$.
◮ Input: parity-check matrices $H$ and $H'$ of $\mathrm{Gab}_k(g)$ and $\mathrm{Gab}_{k+\ell}(g)$.
◮ Goal: distinguish between the two following distributions:
  1. $D_1$: $(H x^\top,\ H' T^\top x^\top)$, where $x \leftarrow_\$ S_w$ and $T \leftarrow_\$ \mathcal{M}_\ell$,
  2. $D_2$: $(H x^\top,\ z^\top)$, where $x \leftarrow_\$ S_w$ and $z \leftarrow_\$ \mathbb{F}_q^{n-k-\ell}$.

Trivial observation: solving the Gab-SD search problem ⟹ solving the Ramesses problem.

slide-62
SLIDE 62

Security against key recovery attacks

Key recovery attack = solve the Gab-SD search problem on $y = c + e$, $\mathrm{rk}(e) = w := \frac{n-k}{2} + \delta$.

Combinatorial approach: erase-and-decode.
  1. Choose an $m$-dimensional subspace $W \subseteq \mathbb{F}_2^n$ onto which to "project" $y$.
  2. If $2 \times \dim(\mathrm{supp}(e) \cap W) + (n - m) \le n - k$, then one can use an error-and-erasure decoding algorithm to retrieve $c$.
  3. Otherwise go to 1.
The best setting for $m$ leads to an attack in time $N = O(2^{\delta(n+k-2\delta)})$.

Note: there is a bilinear modelling for Gab-SD. Assuming random-like behaviour, a solution is found in time $O(2^{0.561 n^2})$.

slide-64
SLIDE 64

Security against ciphertext attacks

Any pair $(x, y) \in (\mathbb{F}_q^n)^2$ of solutions to $H y^\top = k_{\mathrm{pub}}^\top$ and $H' x^\top = u^\top$ (the ciphertext is written $u$ on this slide) satisfies
$$x - yT - c = p', \qquad \mathrm{rk}(p') \le t, \quad \text{for some } c \in \mathrm{Gab}_{k+\ell}(g).$$

Fix
  – $(X, Y, P') = (\mathrm{Ext}_g(x), \mathrm{Ext}_g(y), \mathrm{Ext}_g(p'))$,
  – $\mathcal{T} = \{T^1, \dots, T^{n(\ell+1)}\} \subseteq \mathbb{F}_2^{n \times n}$ such that $\mathcal{M}_\ell \subseteq \langle \mathcal{T} \rangle_{\mathbb{F}_2}$,
  – $\mathcal{C} = \{C^1, \dots, C^{n(\ell+k)}\} \subseteq \mathbb{F}_2^{n \times n}$ a basis of $\mathrm{Ext}_g(\mathrm{Gab}_{k+\ell}(g))$.

Minrank modelling: find $t_i, c_i \in \mathbb{F}_2$ such that
$$\mathrm{rk}\Big( X - \sum_{i=1}^{n(\ell+1)} t_i\, Y T^i - \sum_{i=1}^{n(\ell+k)} c_i\, C^i \Big) = \mathrm{rk}(P') \le t.$$

slide-66
SLIDE 66

Security against ciphertext attacks

Kipnis-Shamir modelling of Minrank → bilinear system. Solving complexity
$$O\left( \binom{M + D - 1}{D}^{\omega} \right), \qquad \text{where}$$
  – $M = t(n - t) + n(k + 2\ell - 1)$, the second term counting the summand matrices,
  – $D$ is the "solving degree" of the system.
Due to recent progress, we set $D = t$ for tuning our parameters.

slide-67
SLIDE 67

Parameters

Deliberately "aggressive" parameters:

  n    k    w    ℓ   t   class. sec. (bits)   PQ sec. (bits)   public key (B)   private key (B)   ciphertext (B)
  64   32   19   3   5   141                  126              256              152               232
  80   40   23   3   7   202                  158              400              230               370
  96   48   27   3   9   265                  190              576              324               540

  Parameters (n, k, w, ℓ)   (64, 32, 19, 3)   (80, 40, 23, 3)   (96, 48, 27, 3)
  Decoding failure rate     ≤ 2^−40           ≤ 2^−50           ≤ 2^−60
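A consistency check of the table from the formulas on the preceding slides, as an added example that is not the speakers' code: $\delta$, $t$, the failure bound $2^{-(n-t-w)}$, the erase-and-decode cost $2^{\delta(n+k-2\delta)}$, the bilinear Gab-SD cost $2^{0.561 n^2}$ and the Kipnis-Shamir cost $\binom{M+D-1}{D}^{\omega}$ with $D = t$. Two assumptions are not on the slides and are labelled in the code: $\omega = 2.81$, which reproduces the three classical security figures, and that the byte columns are $(n-k)n$, $wn$ and $(n-k-\ell)n$ bits packed into bytes (the private-key encoding that gives $wn$ bits is not stated on the page).

```python
"""Consistency check of the RAMESSES parameter table from the slides' formulas (added example,
not the talk's code). Assumptions not stated on the slides: omega = 2.81 in the Kipnis-Shamir cost,
and byte sizes equal to (n-k)n, w*n and (n-k-l)n bits."""
import math

OMEGA = 2.81     # assumption; reproduces the slide's classical security figures

# (n, k, w, l) -> (t, classical bits, pk bytes, sk bytes, ct bytes, log2 failure bound), from the slide
TABLE = {
    (64, 32, 19, 3): (5, 141, 256, 152, 232, -40),
    (80, 40, 23, 3): (7, 202, 400, 230, 370, -50),
    (96, 48, 27, 3): (9, 265, 576, 324, 540, -60),
}

def derive(n, k, w, l):
    """Everything the slides derive from (n, k, w, l)."""
    delta = w - (n - k) // 2                  # w = (n-k)/2 + delta, delta > 0
    t = (n - k - l - w) // 2                  # unique decoding radius of Gab_{k+l+w}(g)
    if delta <= 0 or (n - k) % 2 or (n - k - l - w) % 2 or t <= 0:
        raise ValueError("parameters violate the slide's constraints")
    M = t * (n - t) + n * (k + 2 * l - 1)     # variables of the Kipnis-Shamir bilinear system
    D = t                                     # solving degree set to t
    minrank_bits = OMEGA * math.log2(math.comb(M + D - 1, D))
    return {
        "delta": delta,
        "t": t,
        "pk_bytes": (n - k) * n // 8,         # kpub in F_q^{n-k}, q = 2^n
        "sk_bytes": w * n // 8,               # w*n bits (assumption; matches the table)
        "ct_bytes": (n - k - l) * n // 8,     # y in F_q^{n-k-l}
        "fail_log2": -(n - t - w),            # Pr[decryption failure] <= 2^-(n-t-w)
        "erase_decode_bits": delta * (n + k - 2 * delta),   # combinatorial key recovery, log2
        "bilinear_gabsd_bits": 0.561 * n * n,               # algebraic key recovery, log2
        "minrank_bits": math.ceil(minrank_bits),            # ciphertext attack, log2
    }

def check_table():
    """True iff every row of the slide's table is reproduced by derive() and key recovery
    costs more than the ciphertext attack (otherwise the parameters would be mis-tuned)."""
    for (n, k, w, l), (t, sec, pk, sk, ct, fail) in TABLE.items():
        d = derive(n, k, w, l)
        got = (d["t"], d["minrank_bits"], d["pk_bytes"], d["sk_bytes"], d["ct_bytes"], d["fail_log2"])
        if got != (t, sec, pk, sk, ct, fail):
            return False
        if min(d["erase_decode_bits"], d["bilinear_gabsd_bits"]) <= d["minrank_bits"]:
            return False
    return True
```

For all three rows the Minrank cost is the binding one (141, 202 and 265 bits), while erase-and-decode costs $2^{270}$, $2^{342}$ and $2^{414}$; the classical column therefore comes from the ciphertext attack, not from key recovery.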

slide-68
SLIDE 68

Questions?
