
  1. Two attacks on rank metric code-based schemes: RankSign and an IBE scheme
  Thomas Debris-Alazard and Jean-Pierre Tillich
  December 3, 2018, Asiacrypt 2018 - Brisbane
  Outline: Generalities on Rank-Based Cryptography; LRPC-codes in RankSign [GMRZ13]; Our Attack

  2. Results
  Results of the paper:
  • Attack on a code-based "hash-and-sign" scheme, RankSign [GRSZ14], submitted to the NIST PQC Standardization; → cannot be thwarted by changing the parameters.
  • Attack on the first code-based Identity-Based Encryption (IBE) scheme [GHPT17] in rank metric; → parameters can be chosen to avoid it.
  • IBE: moving from rank metric to Hamming metric is a no go.

  3. Outline
  1 Generalities on Rank-Based Cryptography
  2 LRPC-codes in RankSign [GMRZ13]
  3 Our Attack

  4. Rank vs Hamming in Cryptography
  • Advantages:
    • In rank metric the alphabet size $q^m$ has an impact on the metric → useful for security reductions
    • Smaller key sizes than Hamming.
  • Disadvantage:
    • Rank metric: security less understood (algebraic attacks)

  5. Code-Based Cryptography
  $\mathbb{F}$ a finite field.
  Syndrome Decoding Problem.
  • Given: a matrix $H \in \mathbb{F}^{r \times n}$ with $r \le n$, a vector $\mathbf{s} \in \mathbb{F}^r$, an integer $w$;
  • Goal: find $\mathbf{e} \in \mathbb{F}^n$ such that $H\mathbf{e}^{\intercal} = \mathbf{s}^{\intercal}$ and $\mathrm{weight}(\mathbf{e}) = w$.
  Hamming: $\mathrm{weight}(\cdot)$ = number of non-zero components, and usually $\mathbb{F} = \mathbb{F}_2$.
  Rank: $\mathrm{weight}(\cdot)$ = rank metric, and $\mathbb{F} = \mathbb{F}_{q^m}$.
  → Probabilistic polynomial reduction (Gaborit & Zémor) to the decoding problem in Hamming metric.

  6. Rank Metric over $\mathbb{F}_{q^m}$
  • $\mathbb{F}_{q^m}$ is an $\mathbb{F}_q$-space of dimension $m$.
  • For $\mathbf{x} = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n$, its rank is defined as follows.
  Support of $\mathbf{x}$: $\langle x_1, \dots, x_n \rangle_{\mathbb{F}_q} \triangleq \{ \sum_i \lambda_i x_i : \lambda_i \in \mathbb{F}_q \} \subseteq \mathbb{F}_{q^m}$
  $\mathrm{rank}(\mathbf{x}) = \dim_{\mathbb{F}_q} \langle x_1, \dots, x_n \rangle_{\mathbb{F}_q}$

  7. Outline (section 2): LRPC-codes in RankSign [GMRZ13]

  8. Some History...
  • Gabidulin codes: the first rank codes with a polynomial decoder → strong algebraic structure... and a zillion attacks (Overbeck '05...)
  • LRPC codes: decoder introduced in [GMRZ13] → finding the underlying structure is close to solving the syndrome decoding problem.

  9. LRPC-codes [GMRZ13]
  • Random code: given some random matrix $H_{\mathrm{Rand}} \in \mathbb{F}_{q^m}^{(n-k) \times n}$, the code is $\{ \mathbf{c} : H_{\mathrm{Rand}} \mathbf{c}^{\intercal} = 0 \}$.
  • LRPC code: given $H_{\mathrm{LRPC}} = (h_{i,j}) \in \mathbb{F}_{q^m}^{(n-k) \times n}$ such that $\dim \langle h_{i,j} : i, j \rangle_{\mathbb{F}_q}$ is small, the code is $\{ \mathbf{c}_{\mathrm{LRPC}} : H_{\mathrm{LRPC}} \mathbf{c}_{\mathrm{LRPC}}^{\intercal} = 0 \}$.
  When $H_{\mathrm{Rand}} = (h_{i,j}) \in \mathbb{F}_{q^m}^{(n-k) \times n}$ is random, typically when $m < n(n-k)$: $\langle h_{i,j} : i, j \rangle_{\mathbb{F}_q} = \mathbb{F}_{q^m}$.

  10. LRPC-codes in RankSign [GRSZ14]
  LRPC codes come in RankSign with a decoder [GRSZ14]: for all $\mathbf{s}$, it computes in polynomial time $\mathbf{e}$ such that $H_{\mathrm{LRPC}} \mathbf{e}^{\intercal} = \mathbf{s}^{\intercal}$ and $\mathrm{rank}(\mathbf{e}) = w$.
  • Constraint in RankSign: $H_{\mathrm{LRPC}} = (h_{i,j}) \in \mathbb{F}_{q^m}^{(n-k) \times n}$ such that $(n-k) \dim \langle h_{i,j} : i, j \rangle_{\mathbb{F}_q} = n$.
  Problem: the rows of $H_{\mathrm{LRPC}}$ give words of low weight... → a masking is needed!

  11. Masking LRPC-codes in RankSign
  In RankSign [GRSZ14]:
  • Increase the weight of the rows: $[H_{\mathrm{LRPC}} \mid R]$ for $R$ random;
  • Change the code: $[H_{\mathrm{LRPC}} \mid R]\, P$ for $P$ invertible over $\mathbb{F}_q$;
  • Change the basis: $Q\, [H_{\mathrm{LRPC}} \mid R]\, P$ for $Q$ invertible.
  $H_{\mathrm{pub}} \triangleq Q\, [H_{\mathrm{LRPC}} \mid R]\, P$ : public key

  12. Outline (section 3): Our Attack

  13. Idea of the Attack
  To look for low weight codewords... where?
  • Suspect: $\mathcal{C}_{\mathrm{pub}}^{\perp} \triangleq \{ \mathbf{m} H_{\mathrm{pub}} : \mathbf{m} \text{ a vector over } \mathbb{F}_{q^m} \}$;
  • Real problem: $\mathcal{C}_{\mathrm{pub}} \triangleq \{ \mathbf{c} : H_{\mathrm{pub}} \mathbf{c}^{\intercal} = 0 \}$.

  14-15. Low Rank Codewords in an LRPC?
  $H_{\mathrm{LRPC}} = (h_{i,j}) \in \mathbb{F}_{q^m}^{(n-k) \times n}$ with $\langle h_{i,j} : i, j \rangle_{\mathbb{F}_q} = F$, and $\mathbf{c} = (c_j) \in \mathbb{F}_{q^m}^n$.
  $H_{\mathrm{LRPC}} \mathbf{c}^{\intercal} = 0 \iff \forall i \in \llbracket 1, n-k \rrbracket,\ \sum_{j=1}^{n} h_{i,j} c_j = 0$
  Suppose that $\langle c_1, \dots, c_n \rangle_{\mathbb{F}_q} = F'$. Then
  $\forall i \in \llbracket 1, n-k \rrbracket,\ \sum_{j=1}^{n} h_{i,j} c_j \in F' \cdot F \triangleq \langle f' f : f' \in F', f \in F \rangle_{\mathbb{F}_q}$
  This gives a linear system over $\mathbb{F}_q$ with
  • $(n-k) \dim_{\mathbb{F}_q}(F \cdot F')$ equations;
  • $n \dim_{\mathbb{F}_q}(F')$ unknowns.
  → We would like #Unknowns > #Equations to ensure the existence of solutions.

  16. ...But How to Choose $F'$?
  What we want: $n \dim_{\mathbb{F}_q}(F') > (n-k) \dim_{\mathbb{F}_q}(F \cdot F')$
  What we typically have: $n \dim_{\mathbb{F}_q}(F') = (n-k) \dim_{\mathbb{F}_q}(F \cdot F')$
  Because:
  $\dim_{\mathbb{F}_q}(F \cdot F') = \dim_{\mathbb{F}_q}(F) \dim_{\mathbb{F}_q}(F')$ (typically), and
  $(n-k) \dim(F) = n$ (RankSign).

  17-18. The Subspace $F \cdot F'$
  $F \triangleq \langle x_1, \dots, x_d \rangle_{\mathbb{F}_q}$ (recall $F = \langle h_{i,j} : i, j \rangle_{\mathbb{F}_q}$). Let $F' \triangleq \langle x_1, x_2 \rangle_{\mathbb{F}_q} \subseteq F$.
  $F \cdot F' = \langle x_1^2, x_1 x_2, \dots, x_1 x_d, x_2 x_1, x_2^2, \dots, x_2 x_d \rangle_{\mathbb{F}_q}$
  $\Rightarrow \dim(F \cdot F') \le 2d - 1$
  Therefore,
  #Unknowns − #Equations $= n \dim_{\mathbb{F}_q}(F') - (n-k) \dim_{\mathbb{F}_q}(F \cdot F') = 2n - (n-k)(2d-1)$
  Constraint in RankSign: $n = (n-k) d$, which gives
  #Unknowns − #Equations $= 2(n-k)d - (n-k)(2d-1) = n - k > 0$
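The definitions above (rank weight on slide 6, the $\mathbb{F}_q$-support of a parity-check matrix on slide 9, and the dimension count for $F \cdot F'$ on slides 14 to 18) can be checked concretely in a small field. The following Python is an added example, not code from the slides or from the RankSign submission; it assumes q = 2, m = 8, with $\mathbb{F}_{2^8}$ built modulo $x^8 + x^4 + x^3 + x + 1$, and all sample vectors, matrices and the toy parameters n = 12, k = 8, d = 3 are constructed here.

```python
# Added example (not from the slides): rank weight over F_{2^m}, the F_2-support
# of a parity-check matrix, and dim(F . F') behind the unknowns-vs-equations
# count. Assumption: q = 2, m = 8, F_{2^8} = F_2[x] / (x^8 + x^4 + x^3 + x + 1);
# an element is an int whose bits are the coefficients of its polynomial.
M = 8
MODULUS = 0x11B


def gf_mul(a, b):
    """Multiply two F_{2^m} elements: carry-less product reduced mod MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MODULUS
    return r


def f2_dim(elements):
    """dim_{F_2} of the F_2-span of the given elements (XOR-basis elimination)."""
    basis = {}  # leading bit position -> reduced basis vector
    for v in elements:
        while v:
            lead = v.bit_length() - 1
            if lead not in basis:
                basis[lead] = v
                break
            v ^= basis[lead]  # cancel the leading bit and keep reducing
    return len(basis)


def rank_weight(x):
    """rank(x) = dim_{F_q} <x_1, ..., x_n>_{F_q} (slide 6), here with q = 2."""
    return f2_dim(x)


def support_dim(H):
    """dim_{F_q} <h_ij : i, j>: small for an LRPC matrix, about m for a random one."""
    return f2_dim([h for row in H for h in row])


def product_space_dim(F, Fp):
    """dim_{F_q}(F . F') with F . F' = <f f' : f in F, f' in F'>_{F_q}."""
    return f2_dim([gf_mul(f, fp) for f in F for fp in Fp])


def unknowns_minus_equations(n, k, F, Fp):
    """n dim(F') - (n-k) dim(F . F') for the linear system of slides 14-15."""
    return n * f2_dim(Fp) - (n - k) * product_space_dim(F, Fp)


def generic_balance(n, k, dim_F, dim_Fp):
    """Same count under the 'typical' assumption dim(F . F') = dim(F) dim(F')."""
    return n * dim_Fp - (n - k) * dim_F * dim_Fp


# Constructed sample data (not from the paper).
F_BASIS = [0x03, 0x07, 0x0D]            # x_1, x_2, x_3: F = <x_1, x_2, x_3>, d = 3
F_PRIME = F_BASIS[:2]                   # F' = <x_1, x_2> as on slide 17
H_LRPC = [[0x03, 0x07, 0x0D, 0x04],
          [0x07, 0x0D, 0x0E, 0x0A]]     # every entry is an F_2-combination of F_BASIS
H_RAND = [[0x53, 0xA7, 0x1C, 0xE2],
          [0x3B, 0x90, 0x6D, 0xF5]]     # arbitrary bytes standing in for random entries
N, K = 12, 8                            # n = (n-k) d with d = 3: the RankSign constraint

if __name__ == "__main__":
    print("rank weight of (3, 7, 4, 0):", rank_weight([0x03, 0x07, 0x04, 0x00]))
    print("support dim, LRPC vs random:", support_dim(H_LRPC), support_dim(H_RAND))
    print("dim(F . F'):", product_space_dim(F_BASIS, F_PRIME))
    print("#unknowns - #equations:", unknowns_minus_equations(N, K, F_BASIS, F_PRIME))
    print("same count with generic dim(F . F'):", generic_balance(N, K, 3, 2))
```

The vector (3, 7, 4, 0) has Hamming weight 3 but rank weight 2, since 4 = 3 + 7 over $\mathbb{F}_2$. The LRPC matrix has support dimension 3 while the arbitrary one spans all of $\mathbb{F}_{2^8}$, matching slide 9. With $F = \langle x_1, x_2, x_3 \rangle$ and $F' = \langle x_1, x_2 \rangle$ the product space has dimension 5 = 2d − 1, so the count gives 12·2 − 4·5 = 4 = n − k unknowns more than equations, whereas the generic estimate dim(F · F') = dim(F) dim(F') from slide 16 gives exactly 0.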
