Adrien Hauteville scite author profile

Code-based cryptography has a long history, almost as long as the history of public-key encryption (PKE). While we can construct almost all primitives from codes such as PKE, signature, group signature etc, it is a long standing open problem to construct an identity-based encryption from codes. We solve this problem by relying on codes with rank metric. The concept of identity-based encryption (IBE), introduced by Shamir in 1984, allows the use of users' identifier information such as email as public key for encryption. There are two problems that makes the design of IBE extremely hard: the requirement that the public key can be an arbitrary string and the possibility to extract decryption keys from the public keys. In fact, it took nearly twenty years for the problem of designing an efficient method to implement an IBE to be solved. The known methods of designing IBE are based on different tools: from elliptic curve pairings by Sakai, Ohgishi and Kasahara and by Boneh and Franklin in 2000 and 2001 respectively; from the quadratic residue problem by Cocks in 2001; and finally from the Learning-with-Error problem by Gentry, Peikert, and Vaikuntanathan in 2008. Among all candidates for post-quantum cryptography, there only exist thus lattice-based IBE. In this paper, we propose a new method, based on the hardness of learning problems with rank metric, to design the first code-based IBE scheme. In order to overcome the two above problems in designing an IBE scheme, we first construct a rank-based PKE, called RankPKE, where the public key space is dense and thus can be obtained from a hash of any identity. We then extract a decryption key from any public key by constructing an trapdoor function which relies on RankSign-a signature scheme from PQCrypto 2014. In order to prove the security of our schemes, we introduced a new problem for rank metric: the Rank Support Learning problem (RSL). A high technical contribution of the paper is devoted to study in details the hardness of the RSL problem.

show abstract

Durandal: A Rank Metric Based Signature Scheme

Aragon¹,

Blazy²,

Gaborit³

et al. 2019

View full text Add to dashboard Cite

A New Algorithm for Solving the Rank Syndrome Decoding Problem

Aragon

Gaborit

Hauteville

et al. 2018

View full text Add to dashboard Cite

In this paper, we propose an improvement of the attack on the Rank Syndrome Decoding (RSD) problem found in [1], usually the best attack considered for evaluating the security of rank based cryptosystems. For H a full-rank (n − k) × n matrix over Fqm and e ∈ F n q m of small norm r, the RSD problem consists in recovering e from s = He T . In our case, the norm of a vector over Fqm is defined by the dimension of the Fq-subspace generated by its coordinates. This problem is very similar to the Syndrome Decoding problem in the Hamming metric (only the metric and the field of the coefficients are different) and the security of several cryptosystems relies on its hardness, like McEliece-based PKE [2], [3] or IBE [4]. Our attack is in O (n − k) 3 m 3 q w (k+1)m n −m operations in Fq whereas the previous best attacks are in O (n − k) 3 m 3 q (w−1) min (k+1)m n ,k+1[1], [5]. In particular in the case m ≤ n, our attack permits to obtain an exponential gain in q m(1−R) for R = k/n the rate of the code.We give examples of broken parameters for recently proposed cryptosystems based on LRPC codes or Gabidulin codes. Our attack does not fully break these cryptosystems but implies larger parameters for the same security levels.

show abstract

Low Rank Parity Check Codes: New Decoding Algorithms and Applications to Cryptography

Aragon

Gaborit

Hauteville

et al. 2019

IEEE Trans. Inform. Theory

View full text Add to dashboard Cite

We introduce a new family of rank metric codes: Low Rank Parity Check codes (LRPC), for which we propose an efficient probabilistic decoding algorithm. This family of codes can be seen as the equivalent of classical LDPC codes for the rank metric. We then use these codes to design cryptosystems à la McEliece: more precisely we propose two schemes for key encapsulation mechanism (KEM) and public key encryption (PKE). Unlike rank metric codes used in previous encryption algorithms -notably Gabidulin codes -LRPC codes have a very weak algebraic structure. Our cryptosystems can be seen as an equivalent of the NTRU cryptosystem (and also to the more recent MDPC [35] cryptosystem) in a rank metric context. The present paper is an extended version of the article introducing LRPC codes, with important new contributions. We have improved the decoder thanks to a new approach which allows for decoding of errors of higher rank weight, namely up to 2 3 (n − k) when the previous decoding algorithm only decodes up to n−k 2 errors. Our codes therefore outperform the classical Gabidulin code decoder which deals with weights up to n−k 2 . This comes at the expense of probabilistic decoding, but the decoding error probability can be made arbitrarily small. The new approach can also be used to decrease the decoding error probability of previous schemes, which is especially useful for cryptography. Finally, we introduce ideal rank codes, which generalize double-circulant rank codes and allow us to avoid known structural attacks based on folding. To conclude, we propose different parameter sizes for our schemes and we obtain a public key of 3337 bits for key exchange and 5893 bits for public key encryption, both for 128 bits of security.Among potential candidates for alternative cryptography, lattice-based and code-based cryptography are strong candidates. Rank-based cryptography relies on the difficulty of decoding error-correcting codes embedded in a rank metric space (often over extension fields of fields of prime order), when code-based cryptography relies on difficult problems related to error-correcting codes embedded in Hamming metric spaces (often over small fields F q ) and when lattice-based cryptography is mainly based on the study of q-ary lattices, which can be seen as codes over rings of type Z/qZ (for large q), embedded in Euclidean metric spaces.The particular appeal of the rank metric is that the practical difficulty of the decoding problems grows very quickly with the size of parameters. In particular, it is possible to reach a complexity of 2 80 for random instances with size only a few thousand bits, while for lattices or codes, at least a hundred thousand bits are needed. Of course with codes and lattices it is possible to decrease the size to a few thousand bits but with additional structure like quasi-cyclicity [7], which comes at the cost of losing reductions to known difficult problems. The rank metric was introduced by Delsarte and Gabidulin [15], along with Gabidulin codes which are a rank-metric equivalent ...

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.