Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien - PowerPoint PPT Presentation

  1. Ramesses: a Rank Metric Encryption Scheme with Short Keys
  Julien Lavauzelle, Pierre Loidreau, Ba-Duc Pham
  IRMAR, Université de Rennes 1
  Groupe de travail cryptographie à base de codes (code-based cryptography working group), 25/11/2019

  2. Introduction
  Goal: design a new public-key encryption scheme which
  ◮ is based on the problem of decoding Gabidulin codes beyond their unique decoding radius,
  ◮ features very compact keys and short ciphertexts,
  ◮ admits efficient encryption and decryption algorithms.
  1/28 J. Lavauzelle – RAMESSES – GT code-based crypto

  3. Outline
  1. Past efforts
     Augot-Finiasz PKE
     Faure-Loidreau PKE
  2. RAMESSES: new PKE based on rank metric
     Background
     The scheme
     Correctness
     Security



  6. Codes in Hamming metric
  Linear code $C \subseteq \mathbb{F}_q^n$, with Hamming metric $d(a, b) := |\{ i \in [1, n] : a_i \neq b_i \}|$.
  Let $x = (x_1, \dots, x_n) \in \mathbb{F}_q^n$ be pairwise distinct. The Reed-Solomon code of dimension $k$ and evaluation vector $x$ is
  $$RS_k(x) := \{ \mathrm{ev}_x(P) := (P(x_1), \dots, P(x_n)) \mid P(X) \in \mathbb{F}_q[X]_{<k} \}.$$
  Decoding $w$ errors in $RS_k(x)$ (figure: axis $w = \mathrm{wt}(e)$ from $0$ to $n$, marked at the unique decoding radius $\frac{n-k}{2}$, the list decoding radius $n - \sqrt{nk}$ and the interpolation radius $n - k$; decoding is labelled "easy" up to the list decoding radius and "hard" beyond it).
  V. Guruswami, A. Vardy, Maximum-likelihood decoding of Reed-Solomon codes is NP-hard, IEEE TIT, 2005.


  8. Augot-Finiasz cryptosystem
  D. Augot, M. Finiasz, A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem, EUROCRYPT, 2003.
  Public parameters:
  – $x \in \mathbb{F}_q^n$ pairwise distinct, locators of $RS_k(x)$,
  – $n, k, w, w'$ with $n - \sqrt{nk} < w < n - k$ and $w' \le \frac{n - k - w}{2}$.
  KeyGen:
  – private key: $P \in \mathbb{F}_q[X]_{<k-1}$ and $e \in \mathbb{F}_q^n$ with $\mathrm{wt}(e) = w$,
  – public key: the noisy codeword $k_{pub} = \mathrm{ev}_x(P + X^{k-1}) + e$.


  10. Augot-Finiasz cryptosystem
  Encrypt: plaintext is $M \in \mathbb{F}_q[X]_{<k-1}$
  1. pick $\alpha \in \mathbb{F}_q$ and $e' \in \mathbb{F}_q^n$ with $\mathrm{wt}(e') = w'$,
  2. ciphertext $y = \mathrm{ev}_x(M) + \alpha k_{pub} + e'$.
  Decrypt: ciphertext is $y \in \mathbb{F}_q^n$
  1. puncture $y$ at $\mathrm{supp}(e) := \{ i \in [1, n] : e_i \neq 0 \}$ → get $y' \in \mathbb{F}_q^{n-w}$,
  2. decode $w'$ errors from $y'$ → get $\mathrm{ev}_{x'}(M) + \alpha\, \mathrm{ev}_{x'}(P + X^{k-1}) \in \mathbb{F}_q^{n-w}$ (the punctured code $RS_k(x')$ has length $n - w$, so $w' \le \frac{n-k-w}{2}$ lies within its unique decoding radius),
  3. interpolation → recover $\underbrace{(M + \alpha P)}_{\deg \le k-2} + \alpha X^{k-1}$ → recover $\alpha$ as the coefficient of $X^{k-1}$ → recover $M$.
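The Reed-Solomon definitions of slide 6 and the Augot-Finiasz key generation, encryption and decryption of slides 8 and 10, carried through in code. This is an added example, not the authors' code: it fixes the constructed prime field $\mathbb{F}_{97}$ (the slides work over a generic $\mathbb{F}_q$), the constructed parameters $n = 20$, $k = 4$, $w = 12$, $w' = 2$, which satisfy the constraints of slide 8, and Berlekamp-Welch as the "decode $w'$ errors" step, which the slides leave unspecified. The function names (`keygen`, `encrypt`, `decrypt`, `bw_decode`, `roundtrip`) are assumptions.

```python
"""Toy Augot-Finiasz PKE over a prime field (added example, not the authors' code).
Constructed choices: the prime field F_97 (the slides use a generic F_q), parameters
n=20, k=4, w=12, w'=2, and Berlekamp-Welch for the "decode w' errors" step.
Polynomials are coefficient lists, lowest degree first."""
import random

P_MOD = 97  # constructed toy field F_97; needs P_MOD > n for n distinct locators

def inv(a):
    return pow(a, P_MOD - 2, P_MOD)

def poly_eval(poly, x):
    acc = 0
    for c in reversed(poly):  # Horner's rule
        acc = (acc * x + c) % P_MOD
    return acc

def ev(poly, xs):
    """ev_x(P) = (P(x_1), ..., P(x_n)); a codeword of RS_k(x) when deg P < k."""
    return [poly_eval(poly, x) for x in xs]

def hamming_weight(v):
    return sum(1 for c in v if c % P_MOD)

def solve(A, b):
    """One solution of A z = b over F_p (Gauss-Jordan; free variables set to 0)."""
    m, n = len(A), len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        f = inv(M[r][c])
        M[r] = [(v * f) % P_MOD for v in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                g = M[i][c]
                M[i] = [(vi - g * vr) % P_MOD for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][n] for i in range(r, m)):
        raise ValueError("inconsistent system")
    z = [0] * n
    for i, c in enumerate(pivots):
        z[c] = M[i][n]
    return z

def poly_divmod(num, den):
    """Quotient and remainder of num / den (den with non-zero leading coefficient)."""
    num, lead = num[:], inv(den[-1])
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        coef = quot[i] = num[i + len(den) - 1] * lead % P_MOD
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - coef * d) % P_MOD
    return quot, num[:len(den) - 1]

def bw_decode(xs, ys, k, t):
    """Unique decoding of RS_k(xs) with up to t errors (Berlekamp-Welch): find N with
    deg N < k+t and a monic locator E = X^t + e_{t-1} X^{t-1} + ... + e_0 such that
    N(x_i) = y_i E(x_i) at every position; the sent polynomial is then N / E."""
    rows, rhs = [], []
    for x, y in zip(xs, ys):
        row = [pow(x, j, P_MOD) for j in range(k + t)]               # coefficients of N
        row += [(-y * pow(x, j, P_MOD)) % P_MOD for j in range(t)]   # e_0 .. e_{t-1}
        rows.append(row)
        rhs.append(y * pow(x, t, P_MOD) % P_MOD)                     # the known X^t term of E
    z = solve(rows, rhs)
    N, E = z[:k + t], z[k + t:] + [1]
    Q, rem = poly_divmod(N, E)
    if any(rem):
        raise ValueError("more than t errors")
    return Q                                                        # length k: deg Q < k

def keygen(xs, k, w):
    """Private key (P, e) with deg P < k-1, wt(e) = w; public key ev_x(P + X^{k-1}) + e."""
    P = [random.randrange(P_MOD) for _ in range(k - 1)]
    e = [0] * len(xs)
    for i in random.sample(range(len(xs)), w):
        e[i] = random.randrange(1, P_MOD)
    k_pub = [(c + ei) % P_MOD for c, ei in zip(ev(P + [1], xs), e)]  # P + [1] is P + X^{k-1}
    return (P, e), k_pub

def encrypt(k_pub, M, xs, w_prime):
    """y = ev_x(M) + alpha * k_pub + e' with alpha in F_q and wt(e') = w'."""
    alpha = random.randrange(P_MOD)
    e_prime = [0] * len(xs)
    for i in random.sample(range(len(xs)), w_prime):
        e_prime[i] = random.randrange(1, P_MOD)
    return [(m + alpha * c + r) % P_MOD for m, c, r in zip(ev(M, xs), k_pub, e_prime)]

def decrypt(sk, y, xs, k, w_prime):
    P, e = sk
    keep = [i for i in range(len(xs)) if e[i] == 0]             # 1. puncture y at supp(e)
    Q = bw_decode([xs[i] for i in keep], [y[i] for i in keep], k, w_prime)  # 2. decode w' errors
    alpha = Q[k - 1]                             # 3. Q = (M + alpha P) + alpha X^{k-1}
    return [(q - alpha * p) % P_MOD for q, p in zip(Q[:k - 1], P)]

def roundtrip(seed):
    """Keygen / encrypt / decrypt with n=20, k=4, w=12, w'=2; returns (M recovered?, wt(e))."""
    random.seed(seed)
    n, k, w, w_prime = 20, 4, 12, 2
    assert n - (n * k) ** 0.5 < w < n - k and 2 * w_prime <= n - k - w  # slide 8 constraints
    xs = random.sample(range(1, P_MOD), n)                       # pairwise distinct locators
    sk, pk = keygen(xs, k, w)
    M = [random.randrange(P_MOD) for _ in range(k - 1)]
    return decrypt(sk, encrypt(pk, M, xs, w_prime), xs, k, w_prime) == M, hamming_weight(sk[1])
```

`roundtrip(1)` returns `(True, 12)`. Decryption works because puncturing at $\mathrm{supp}(e)$ leaves a received word of $RS_k(x')$ of length $n - w = 8$ carrying at most $w' = 2$ errors, and $k + 2w' = 8$, so the Berlekamp-Welch system is exactly the unique decoding problem; the public key itself, a codeword of $RS_k(x)$ with $w = 12 > n - \sqrt{nk} \approx 11.06$ errors, sits beyond the list decoding radius on the "hard" side of slide 6. Coron's system $(S_\lambda)$ on slide 13 is this same interpolation system with $\alpha$ carried as an unknown $\lambda$, which is why the slide compares it to Berlekamp-Welch.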



  13. Coron's attack (1)
  J.-S. Coron, Cryptanalysis of a Public-Key Encryption Scheme Based on the Polynomial Reconstruction Problem, PKC, 2004.
  Ciphertext attack: retrieve $M$ from $y = \mathrm{ev}_x(M) + \alpha k_{pub} + e'$.
  Let $V_{e'}(X) = \prod_{i \in \mathrm{supp}(e')} (X - x_i)$. Then
  $$V_{e'}(x_i)\,(y_i - \alpha k_{pub,i}) = V_{e'}(x_i)\, M(x_i), \quad \forall i = 1, \dots, n.$$
  Consider the system
  $$(S_\lambda): \quad V(x_i)\,(y_i - \lambda k_{pub,i}) = A(x_i) \ \ \forall i = 1, \dots, n, \qquad \deg V \le w', \ \deg A \le k - 1 + w'.$$
  For all $\lambda$, $(S_\lambda)$ has $n$ equations and $u = k + 2w' + 1$ unknowns (overdetermined).
  ◮ if $\lambda \neq \alpha$: a non-trivial solution exists with probability $\ll 1$;
  ◮ if $\lambda = \alpha$: $(V, A) = (V_{e'}, V_{e'} M)$ is a solution.

  14. Coron's attack (2)
  Goal: retrieve $\alpha$.
  Sketch of Coron's attack:
  ◮ If $(S_0)$ has no non-zero solution:
    ◮ find a full-rank sub-system $(S'_\lambda)$ of $u$ equations (and $u$ unknowns);
    ◮ solve $\det(S'_\lambda) = 0$ ($\lambda \mapsto \det(S'_\lambda)$ is a polynomial of degree $\le w' + 1$);
    ◮ get $\lambda = \alpha$ among the solutions.
  ◮ Otherwise: let $(V, A)$ be a solution of $(S_0)$.
    ◮ One can prove (as in Berlekamp-Welch) that $A / V = M + \alpha (P + X^{k-1}) \in \mathbb{F}_q[X]$.
    ◮ Find $\alpha$ as the leading coefficient of $A / V$.

  15. Outline (section divider, before part 2)
  1. Past efforts
     Augot-Finiasz PKE
     Faure-Loidreau PKE
  2. RAMESSES: new PKE based on rank metric
     Background
     The scheme
     Correctness
     Security

  16. Rank metric codes
  Field extension $\mathbb{F}_q / \mathbb{F}_2$, say $q = 2^m$; $g = (g_1, \dots, g_m) \in \mathbb{F}_q^m$ an ordered basis of $\mathbb{F}_q / \mathbb{F}_2$.
  Extension map:
  $$\mathrm{Ext}_g : \mathbb{F}_q^n \to \mathbb{F}_2^{m \times n}, \quad x \mapsto X = (x_{i,j}) \ \text{ where } \ x_j = \sum_{i=1}^{m} g_i\, x_{i,j} \in \mathbb{F}_{2^m}, \ x_{i,j} \in \mathbb{F}_2.$$
  By definition, $\mathrm{Ext}_g(gX) = X$. The rank distance is defined as
  $$d(x, y) = \mathrm{rk}(x - y) := \mathrm{rk}_{\mathbb{F}_2}(\mathrm{Ext}_g(x - y)).$$



  19. Gabidulin codes
  Let $\theta : x \mapsto x^2$ be the $\mathbb{F}_2$-linear Frobenius automorphism. If $P \in \mathbb{F}_q[X]$, then $P(\theta) \in \mathrm{End}_{\mathbb{F}_2}(\mathbb{F}_q)$ and $\dim(\ker P(\theta)) \le \deg P$.
  Let $g = (g_1, \dots, g_n) \in \mathbb{F}_q^n$ be $\mathbb{F}_2$-linearly independent. The Gabidulin code of dimension $k$ and evaluation vector $g$ is
  $$\mathrm{Gab}_k(g) := \{ P(g) := (P(\theta)(g_1), \dots, P(\theta)(g_n)) \mid P(X) \in \mathbb{F}_q[X]_{<k} \}.$$
  Decoding errors of rank $w$ in $\mathrm{Gab}_k(g)$ (figure: axis $w = \mathrm{rk}(e)$ from $0$ to $n$, marked at the unique decoding radius $\frac{n-k}{2}$ and the interpolation radius $n - k$; decoding is labelled "easy" up to $\frac{n-k}{2}$ and "hard (worst case)" beyond it).
  N. Raviv, A. Wachter-Zeh, Some Gabidulin Codes Cannot Be List Decoded Efficiently at any Radius, IEEE TIT, 2016.
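The objects of slides 16 and 19 made concrete in a small field: the extension map $\mathrm{Ext}_g$, the rank distance, the linearized evaluation $P(\theta)(x) = \sum_i p_i x^{2^i}$, the bound $\dim \ker P(\theta) \le \deg P$ checked by brute force, and the Gabidulin code $\mathrm{Gab}_k(g)$ with its minimum rank distance computed exhaustively. This is an added example, not the authors' code. It assumes the constructed field $\mathbb{F}_{16} = \mathbb{F}_2[a]/(a^4 + a + 1)$ with elements stored as 4-bit integers, the polynomial basis $g = (1, a, a^2, a^3)$ for $\mathrm{Ext}_g$, and the constructed parameters $n = m = 4$, $k = 2$; all function names are assumptions.

```python
"""Rank metric and Gabidulin codes over a toy field F_16 (added example, not the authors' code).
Assumes F_16 = F_2[a]/(a^4 + a + 1) with elements as 4-bit integers, the polynomial basis
g = (1, a, a^2, a^3) for Ext_g, and constructed parameters n = m = 4, k = 2.
Polynomials P are coefficient lists p_0, p_1, ... (lowest degree first)."""
from itertools import product

M_DEG = 4
MODULUS = 0b10011   # a^4 + a + 1, irreducible over F_2
Q = 1 << M_DEG      # q = 2^m = 16

def gf_mul(x, y):
    """Multiplication in F_16 (shift-and-xor with reduction); addition is XOR."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & Q:
            x ^= MODULUS
    return r

def frob(x, i):
    """theta^i(x) = x^(2^i): i-fold application of the Frobenius automorphism."""
    for _ in range(i):
        x = gf_mul(x, x)
    return x

def ext_g(vec):
    """Ext_g(x): m x n binary matrix whose column j holds the coordinates of x_j in basis g."""
    return [[(xj >> i) & 1 for xj in vec] for i in range(M_DEG)]

def rank_f2(vectors):
    """Rank over F_2 of bit-vectors given as ints (Gaussian elimination on leading bits)."""
    basis = {}  # leading bit position -> reduced vector with that leading bit
    for v in vectors:
        while v:
            hb = v.bit_length() - 1
            if hb not in basis:
                basis[hb] = v
                break
            v ^= basis[hb]
    return len(basis)

def rank_distance(x, y):
    """d(x, y) = rk_{F_2}(Ext_g(x - y)); in characteristic 2, x - y is the coordinate-wise XOR."""
    rows = ext_g([a ^ b for a, b in zip(x, y)])
    return rank_f2([sum(bit << j for j, bit in enumerate(row)) for row in rows])

def lin_eval(p, x):
    """P(theta)(x) = sum_i p_i * x^(2^i): the F_2-linear endomorphism of F_q attached to P."""
    acc = 0
    for i, pi in enumerate(p):
        acc ^= gf_mul(pi, frob(x, i))
    return acc

def gab_encode(p, g):
    """P(g) = (P(theta)(g_1), ..., P(theta)(g_n)), a codeword of Gab_k(g) when deg P < k."""
    return [lin_eval(p, gj) for gj in g]

def kernel_dim(p):
    """dim_{F_2} ker P(theta), by brute force over F_16 (a subspace has 2^dim elements)."""
    size = sum(1 for x in range(Q) if lin_eval(p, x) == 0)
    return size.bit_length() - 1

def min_rank_distance(g, k):
    """Minimum rank weight over all non-zero codewords of Gab_k(g) (exhaustive: q^k codewords)."""
    n = len(g)
    return min(rank_distance(gab_encode(p, g), [0] * n)
               for p in product(range(Q), repeat=k) if any(p))

if __name__ == "__main__":
    g = [1, 2, 4, 8]   # 1, a, a^2, a^3: F_2-linearly independent, n = m = 4
    print(kernel_dim([1, 1]), kernel_dim([1, 0, 1]))   # 1, 2  (each <= deg P)
    print(min_rank_distance(g, 2))                     # 3 = n - k + 1
```

The exhaustive check returns $3 = n - k + 1$ for $\mathrm{Gab}_2(g)$: because $P(\theta)$ has kernel of dimension at most $\deg P \le k - 1$ and the $g_j$ span an $n$-dimensional $\mathbb{F}_2$-space, every non-zero codeword $P(g)$ spans at least $n - k + 1$ dimensions, which is the rank-metric Singleton bound; `rank_distance` is exactly the $\mathrm{rk}_{\mathbb{F}_2}(\mathrm{Ext}_g(\cdot))$ of slide 16 applied to the binary matrix built by `ext_g`.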


  21. Translation of Augot-Finiasz PKE into rank metric (1)
  Public parameters:
  – $g \in \mathbb{F}_q^n$ linearly independent over $\mathbb{F}_2$,
  – $k, w, w'$ with $\frac{n-k}{2} < w < n - k$ and $w' \le \frac{n - k - w}{2}$.
  KeyGen:
  – private key: $P \in \mathbb{F}_q[X]_{<k-1}$ and $e \in \mathbb{F}_q^n$ with $\mathrm{rk}(e) = w$,
  – public key: the noisy codeword $k_{pub} = (P + X^{k-1})(g) + e$.


  23. Translation of Augot-Finiasz PKE into rank metric (2)
  Encrypt: plaintext is $M \in \mathbb{F}_q[X]_{<k-1}$
  1. pick $\alpha \in \mathbb{F}_q$ and $e' \in \mathbb{F}_q^n$ with $\mathrm{rk}(e') = w'$,
  2. ciphertext $y = M(g) + \alpha k_{pub} + e'$.
  Decrypt: ciphertext is $y \in \mathbb{F}_q^n$
  1. "puncture" $y$ at $\mathrm{supp}(e) := \sum_{i=1}^{n} \mathbb{F}_2 e_i$ → get $y' \in \mathbb{F}_q^{n-w}$,
  2. decode $w'$ errors from $y'$ → get $M(g') + \alpha (P + X^{k-1})(g') \in \mathbb{F}_q^{n-w}$,
  3. interpolation → recover $\underbrace{(M + \alpha P)}_{\deg \le k-2} + \alpha X^{k-1}$, then $\alpha$, then $M$.
