RankSign: An Efficient Signature Algorithm Based on the Rank Metric

In this paper, we propose an improvement of the attack on the Rank Syndrome Decoding (RSD) problem found in [1], usually the best attack considered for evaluating the security of rank based cryptosystems. For H a full-rank (n − k) × n matrix over Fqm and e ∈ F n q m of small norm r, the RSD problem consists in recovering e from s = He T . In our case, the norm of a vector over Fqm is defined by the dimension of the Fq-subspace generated by its coordinates. This problem is very similar to the Syndrome Decoding problem in the Hamming metric (only the metric and the field of the coefficients are different) and the security of several cryptosystems relies on its hardness, like McEliece-based PKE [2], [3] or IBE [4]. Our attack is in O (n − k) 3 m 3 q w (k+1)m n −m operations in Fq whereas the previous best attacks are in O (n − k) 3 m 3 q (w−1) min (k+1)m n ,k+1[1], [5]. In particular in the case m ≤ n, our attack permits to obtain an exponential gain in q m(1−R) for R = k/n the rate of the code.We give examples of broken parameters for recently proposed cryptosystems based on LRPC codes or Gabidulin codes. Our attack does not fully break these cryptosystems but implies larger parameters for the same security levels.

show abstract

“…• Parameters from LRPC cryptosystem [12] n k m w claimed security complexity of our attack 50 32 50 3 2 81 2 75 112 80 112 4 2 259 2 247…”

Section: Examples Of Broken Parametersmentioning

confidence: 99%

A New Algorithm for Solving the Rank Syndrome Decoding Problem

Aragon

Gaborit

Hauteville

et al. 2018

2018 IEEE International Symposium on Information Theory (ISIT)

Self Cite

View full text Add to dashboard Cite

show abstract

“…In practice it means that it is possible to obtain secure practical parameters for random instances in rank metric of only a few thousand bits related to a hard problem, when at least a hundred thousand bits are needed for Hamming distance or for lattices. Such random instances for rank metric are used for instance, for zero-knowledge authentication in [17], and weakly structured instances are used for the recent LRPC cryptosystem [14] (similar to the NTRU cryptosystem [26] for lattices and the recent MDPC cryptosystem for codes) or for signature [16]. Of course with (Hamming) codes and lattices it is possible to decrease the size of parameters to a few thousand bits with additional structure [4,22], but then the reduction properties to hard problems are lost because they are reduced to decoding problems for special classes of codes whose complexity is not known..…”

Section: Applications To Cryptographymentioning

confidence: 99%

On the Hardness of the Decoding and the Minimum Distance Problems for Rank Codes

Gaborit

Zémor

2016

IEEE Trans. Inform. Theory

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, these improvements ended in failure [12,13]. In 2014, Gaborit et al [14] proposed the RankSign scheme using the rank metric [15] and the LRPC code [16]. This signature scheme also uses the hash-and-sign method and the difference with the CFS scheme is that the RankSign scheme can invert a random syndrome.…”

Section: Introductionmentioning

confidence: 99%

An improved Durandal signature scheme

Song

Huang

et al. 2020

Sci. China Inf. Sci.

View full text Add to dashboard Cite

Constructing secure and effective code-based signature schemes has been an open problem. In this paper, we efficiently reduce the key size of the Durandal signature scheme introduced by Aragon et al. (EUROCRYPT 2019). We prove that the improved scheme is EUF-CMA secure by reducing its security to the advanced product spaces subspaces indistinguishability (PSSI +) problem, the decisional rank syndrome decoding (DRSD) problem, and the affine rank syndrome decoding (ARSD) problem under the random oracle model. Furthermore, our signature scheme is more secure than the Durandal scheme because recovering key attacks are equivalent to solving the rank syndrome decoding (RSD) problem, instead of the rank support learning (RSL) problem in the original Durandal scheme. Our signature scheme takes less time to generate a signature owing to the fact that our signature scheme enjoys smaller security parameters in comparison to the Duradual scheme. We compare the new scheme with existing code-based signature schemes and find that our signature scheme has advantages in terms of the public key size.

show abstract

RankSign: An Efficient Signature Algorithm Based on the Rank Metric

Cited by 35 publications

References 25 publications

A New Algorithm for Solving the Rank Syndrome Decoding Problem

A New Algorithm for Solving the Rank Syndrome Decoding Problem

On the Hardness of the Decoding and the Minimum Distance Problems for Rank Codes

An improved Durandal signature scheme

Contact Info

Product

Resources

About