RAMESSES, a Rank Metric Encryption Scheme with Short Keys

11/29/2019 ∙ by Julien Lavauzelle, et al. ∙ 0

We present a rank metric code-based encryption scheme with key and ciphertext sizes comparable to those of isogeny-based cryptography for an equivalent security level. The system also benefits from efficient encryption and decryption algorithms, which rely on linear algebra operations over finite fields of moderate sizes. The security relies only on rank metric decoding problems, and does not require hiding the structure of a code. Based on the current knowledge, those problems cannot be efficiently solved by a quantum computer. Finally, the proposed scheme admits a failure probability that can be precisely controlled and made as low as possible.


1 Introduction

With the growing probability of the existence of a near-future quantum computer, it has become important to propose alternatives to existing public-key encryption schemes and key exchange protocols based on number theory. The recent NIST Post-Quantum Cryptography Standardization process motivates proposals in this sense. Along with lattice-based cryptography, code-based cryptography is the most represented among proposals for encryption schemes or key-encapsulation mechanisms (KEMs). Code-based submissions generically rely on the hardness of decoding problems, either in the Hamming metric or in the rank metric. Hamming metric decoding problems have been studied for more than fifty years with few practical improvements, which supports confidence in their security. In contrast, rank metric decoding problems have been studied for less than twenty years [CS96], and their solving complexity is not yet fully stabilized (see the recent results of [BardetBBGNRT09]). Nevertheless, they benefit from much shorter keys and seem very attractive for practical implementation, culminating in submissions to the NIST standardization process [ROLLO17, RQC17]. In order to further reduce key sizes, designers often use specific structures such as quasi-cyclicity (the equivalent of Module-LWE for lattices), which could be suspected to introduce additional weaknesses [Loi14].

In this paper we aim at designing a new one-way encryption scheme featuring very compact keys, based on rank metric decoding problems. The long-standing idea finds its origins in [faure2006new], which extended a proposal in the Hamming metric [AugotFiniasz-PKC-PolyReconstruction_2003]. The original rank metric encryption scheme was broken in [GaboritOT18], and a recent repair was proposed in [wachter2018repairing]. However, that repair implies choosing a specific code and a syndrome coming from a structured vector of moderate rank, which we want to avoid here.

Inspired from [faure2006new], we design a simple one-way encryption scheme with the following strengths.

  • The security of the scheme relies only on decoding problems in the rank metric (such as MinRank and Gab-SD) and does not require hiding the structure of a code. These decoding problems have been — and are still being — scrutinized in active research fields.

  • Especially as a KEM, our proposal enables very small parameters for a given security target. Key sizes are competitive with isogeny-based proposals such as SIKE [SIKE17].

  • Even if the decryption algorithm is probabilistic, it is easy to control the failure probability and to make it as small as possible without increasing the parameters too much.

A remaining weakness would be that the underlying problems have been less investigated than others. However, our goal here is also to stimulate research in this field, so as to be able to ascertain the security of the scheme.

In the first section we introduce the necessary notation and definitions. Then we describe the encryption scheme and we propose sets of parameters for security levels 1, 3 and 5 of the NIST competition. Key and ciphertext sizes are not larger than a few hundred bytes. In the next section, we prove the consistency of the encryption scheme and we analyze its security by showing to which problems the security can be reduced, and by giving the complexity of algorithms solving these problems.

2 Preliminaries

2.1 Notation and definitions

Throughout the paper, we set for some integer , and we let denote the finite field with elements. The field can also be viewed as a vector space of dimension over . The map , , is -linear and is called the Frobenius automorphism. Its inverse is the -fold composition . For convenience, we sometimes write , for .

Let be a basis of over . We define the extension map

where, for all , the vector consists of coordinates of in the basis , i.e.  . In particular, for every , we have .

The rank of , denoted , is defined as the rank over of its extension matrix . Notice that does not depend on the choice of the basis . We also define the row space of with respect to as

Similarly, the column space of is .

We let denote the set of subspaces of of dimension , which contains elements. Each subspace can be represented by the unique reduced row echelon form (RREF) of any matrix whose row space generates . We know from [SilbersteinE11, Medvedeva12] that this representation can be computed efficiently (in time ). Recall that a matrix is in reduced row echelon form if the following holds:


  • the index of the pivot (i.e. the first non-zero coefficient) of row is strictly larger than the index of the pivot of row ;

  • all pivots are ones;

  • each pivot is the only non-zero entry in its column.

We finally define .
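As an added example (not code from the paper), the following Python script makes the definitions of this section concrete for q = 2: it builds the extension matrix of a vector over F_{2^m}, computes its rank over F_2 (the rank weight), brings a binary matrix into reduced row echelon form and checks the three RREF conditions, and verifies by brute force that the number of k-dimensional subspaces of F_2^n equals the Gaussian binomial coefficient. It assumes that an element of F_{2^m} is stored as an m-bit integer whose bits are its coordinates in a fixed F_2-basis; the basis itself is irrelevant for the rank, as the text notes. All function names and the sample vector are ours.

```python
# Added example, not code from the paper: rank over F_2 of the extension matrix,
# reduced row echelon form over F_2, and the count of k-dimensional subspaces.
# Assumptions: q = 2; an element of F_{2^m} is stored as an m-bit int whose bits are
# its coordinates in a fixed F_2-basis of F_{2^m} (the basis does not affect the rank).
from itertools import product


def ext(vec, m):
    """Extension matrix of vec in F_{2^m}^n: one binary row of length m per coordinate
    (rows stored as ints); its rank over F_2 is the rank weight of vec."""
    mask = (1 << m) - 1
    return [x & mask for x in vec]


def rref_f2(rows, ncols):
    """Reduced row echelon form of a binary matrix over F_2.
    Rows are ints, bit (ncols-1-j) holds column j. Returns the non-zero rows of the
    RREF in order, so len() of the result is the rank."""
    pending = list(rows)
    done = []
    for col in range(ncols):                      # sweep columns left to right
        bit = 1 << (ncols - 1 - col)
        pivot = next((r for r in pending if r & bit), None)
        if pivot is None:                         # no pivot in this column
            continue
        pending.remove(pivot)
        # make the pivot the only non-zero entry of its column (rows above and below)
        done = [r ^ pivot if r & bit else r for r in done]
        pending = [r ^ pivot if r & bit else r for r in pending]
        done.append(pivot)
    return done


def is_rref(rows, ncols):
    """Check the three RREF conditions of Section 2.1 on a list of non-zero rows
    (over F_2 every pivot is automatically a one)."""
    last_pivot = -1
    for i, r in enumerate(rows):
        if r == 0:
            return False
        col = ncols - r.bit_length()              # index of the first non-zero coefficient
        if col <= last_pivot:                     # pivot index must strictly increase
            return False
        last_pivot = col
        bit = 1 << (ncols - 1 - col)
        if any(o & bit for j, o in enumerate(rows) if j != i):
            return False                          # pivot must be alone in its column
    return True


def rank_weight(vec, m):
    """Rank weight of vec in F_{2^m}^n, i.e. the rank over F_2 of its extension matrix."""
    return len(rref_f2(ext(vec, m), m))


def gaussian_binomial(n, k, q=2):
    """Number of k-dimensional subspaces of F_q^n (Gaussian binomial coefficient)."""
    num = den = 1
    for i in range(k):
        num *= q ** (n - i) - 1
        den *= q ** (k - i) - 1
    return num // den


def count_subspaces(n, k):
    """Brute-force check: every k-dim subspace of F_2^n has exactly one RREF generator
    matrix, so the number of distinct full-rank RREFs over all k x n binary matrices
    must equal gaussian_binomial(n, k)."""
    seen = set()
    for rows in product(range(1 << n), repeat=k):
        r = rref_f2(rows, n)
        if len(r) == k:
            seen.add(tuple(r))
    return len(seen)


if __name__ == "__main__":
    m = 4
    # constructed vector in F_16^3 whose third coordinate is the sum of the first two
    v = [0b0011, 0b0110, 0b0101]
    print("rank weight of v:", rank_weight(v, m))
    r = rref_f2([0b1101, 0b1011, 0b0110], 4)
    print("RREF rows:", [f"{x:04b}" for x in r], "valid:", is_rref(r, 4))
    print("2-dim subspaces of F_2^4:", count_subspaces(4, 2), "=", gaussian_binomial(4, 2))
```

The RREF of a generator matrix is what makes the plaintext space of Section 3 well defined: two matrices with the same row space reduce to the same RREF, so comparing RREFs decides subspace equality.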

2.2 Rank metric codes

In this paper, we embed with the rank metric: for , the weight of is defined as . We consider -linear codes, i.e. -linear subspaces . Notice that the field extension degree is also the length of the code . The dimension of a code is , and its minimum (rank) distance is . A generator matrix (resp. a parity-check matrix) for is a matrix (resp. ) such that (resp. for every ).

Let us define . Its Moore matrix is defined as

and it is invertible over . Hence is a basis of .

Definition 1 (Gabidulin code [Delsarte78, Gabidulin85])

Let be an ordered basis of . The Gabidulin code of dimension with evaluation vector is the subspace generated by the first rows of .

Gabidulin codes are optimal codes with respect to the rank metric [Delsarte78] and they can be efficiently decoded [Gabidulin85] up to errors. By definition, the submatrix consisting of the first rows of is a generator matrix for . It is also clear that for every , and we have . Hence, one can propose the following definition.

Definition 2 (-degree)

Let and . The -degree of , denoted , is the unique integer such that . Similarly, one defines the -degree of as .

In other words, a vector of -degree can be written

for some non-zero and some -tuple .

Finally, the dual code is also a Gabidulin code for some basis that can be efficiently computed from . In other words, there exists a parity-check matrix for consisting of the first rows of a Moore matrix associated to some , see e.g. [Gabidulin85].

3 The encryption scheme

System parameters.

Integers are public parameters and specified according to the desired security level (see Section 4). We set , and we also make public a basis of . We let denote a fixed parity-check matrix of .

Key generation.

Alice picks uniformly at random a vector of rank . As explained in Algorithm 1, the public key is the syndrome of with respect to the parity-check matrix of , and the private key is .

Input:
Output: a pair of public/private keys
1 Pick
2 Compute such that
Output
Algorithm 1

Encryption.

The set of plaintexts is , as defined in Section 2.1. Encryption is presented in Algorithm 2. Notice that in steps 3-4, the computation of should be understood as the generation of a uniformly random vector such that is the rowspan of .

Input: public key , plaintext
Output: ciphertext
1 Compute any such that
2 Pick
3 Pick
4 Compute
Output such that
Algorithm 2

Decryption.

We present in Algorithm 3 a decryption algorithm which may fail with negligible probability. The failure rate is designed to be cryptographically small, and is bounded in Section 5.2. We also make use of an -linear map such that . This map can be efficiently computed from the knowledge of the private key . Mathematical properties of this map are given in Section 5.1.

Input: private key , ciphertext
Output: plaintext , or failure
1 Compute a solution to the linear system .
2 Compute .
3 Decode as a corrupted -codeword. If success, one gets an error vector of rank .
4 If , output failure.
Otherwise, output .
Algorithm 3

In Algorithm 3, one needs to decode Gabidulin codes up to half their minimum distance, i.e. to decode errors of rank less than . Many such algorithms can be found in the literature since the seminal work of Gabidulin [Gabidulin85]. Some of them are based on solving a so-called key equation, such as [Roth91, ParamonovT91, Gabidulin91, RichterP04, Wachter-ZehAS13], and others use interpolation, for instance [Loidreau05]. The fastest ones run in operations over .

4 Parameters

In Table 1, we propose three sets of parameters for RAMESSES as a KEM, according to the desired level of security. Table 2 proposes a set of parameters for RAMESSES as a PKE. There are generic transformations from PKEs to KEMs, widely used in the NIST competition. Note that the decryption failure rate can be finely tuned, as explained in Section 5.2. One can notice that the post-quantum security is much larger than half the classical one, which is unusual in code-based systems. Indeed, the best current attacks against RAMESSES do not use enumeration techniques, which would benefit from Grover's algorithm, but algebraic techniques based on Groebner bases, for which there is no known efficient quantum speedup, as explained in Section 5.4.

Table 1: Sets of parameters for RAMESSES as a KEM, with different levels of security. The security is estimated according to the current state of the art of algebraic attacks; the linear algebra constant is set to . Decryption failure rates are respectively bounded by , and .

Columns: classical security (bits), post-quantum security (bits), public key/ciphertext size (bytes), private key size (bytes).

Table 2: A set of parameters for RAMESSES as a PKE, with decryption failure rate . The security is estimated according to the current state of the art of algebraic attacks; the linear algebra constant is set to .

Columns: classical security (bits), post-quantum security (bits), public key/ciphertext size (bytes), private key size (bytes).
164 116 27 3 9 256 256 984 554

Claimed security.

The claimed security is computed according to known attacks reported in Section 5.4.

Public key size.

The public key consists of a vector . Thus, its size is bits, or bytes.

Private key size.

For the private key , Alice actually needs to store only the map . From Section 5.1, this map is a monic polynomial over of degree . Hence only coefficients over actually need to be stored; the size of the private key is thus bits, or bytes.

Ciphertext size.

The ciphertext is a vector , hence its size is bits, i.e.  bytes.

5 Analysis

5.1 Mathematical background

Gabidulin codes can be interpreted in the context of skew polynomial rings. Recall that represents the Frobenius automorphism . The skew polynomial ring , originally studied by Øre [Ore33a, Ore33b], is the ring of univariate polynomials defined by the non-commutative multiplicative rule

In our context, skew polynomials are also called linearized polynomials. One can define the evaluation of a skew polynomial at as follows:

The evaluation vector of at is defined as

Thus, the rows of can be seen as the evaluation vectors over , of the sequence of degree-ordered skew monomials . As a consequence, one can view Gabidulin codes as analogues of Reed-Solomon codes for skew polynomial rings:

For , the polynomial of minimum degree such that is the -interpolating polynomial of and is denoted . By definition .

Finally, given , the set of polynomials satisfying is a left-ideal of . Since skew polynomial rings are principal ideal domains, we can define the minimum vanishing polynomial of as the unique monic skew polynomial which generates . Notice that .
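As an added example serving both Definition 1 in Section 2.2 and the skew polynomial view above (it is not code from the paper), the following Python script implements F_16 arithmetic, the Frobenius map, evaluation and multiplication of skew (linearized) polynomials, and the Moore matrix whose first rows generate a Gabidulin code. It checks the non-commutative rule through composition (evaluating a product equals evaluating the factors one after the other), that the Moore matrix of an F_2-basis is invertible while that of a dependent tuple is not, that encoding with the generator matrix is evaluation of a skew polynomial of q-degree less than k, and that the minimum rank distance of the small code is n - k + 1. Assumptions: q = 2, m = n = 4, F_16 = F_2[a]/(a^4 + a + 1) with elements stored as 4-bit integers in the polynomial basis; all names are ours.

```python
# Added example, not code from the paper: arithmetic in F_{2^m}[X; theta], evaluation of
# skew (linearized) polynomials, the Moore matrix and the Gabidulin generator matrix.
# Assumptions: q = 2, m = n = 4, F_16 = F_2[a]/(a^4 + a + 1), elements stored as 4-bit
# ints in the polynomial basis (1, a, a^2, a^3); function names are ours.
from itertools import product

M = 4                  # extension degree m, which is also the code length n
MODULUS = 0b10011      # a^4 + a + 1, irreducible over F_2


def gf_mul(x, y):
    """Product in F_16: shift-and-add over F_2, reducing by MODULUS."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> M:
            x ^= MODULUS
    return r


def gf_inv(x):
    """Inverse of a non-zero element (brute force is fine for 16 elements)."""
    return next(y for y in range(1, 1 << M) if gf_mul(x, y) == 1)


def frob(x, i=1):
    """theta^i(x) = x^(2^i); theta has order m, so i is taken modulo m (negative i allowed)."""
    for _ in range(i % M):
        x = gf_mul(x, x)
    return x


def skew_eval(f, x):
    """Evaluate f = sum_i f[i] X^[i] at x, i.e. sum_i f[i] * x^(2^i)."""
    acc = 0
    for i, c in enumerate(f):
        acc ^= gf_mul(c, frob(x, i))
    return acc


def skew_mul(f, g):
    """Product in the skew ring: X^i b = theta^i(b) X^i, so (a X^i)(b X^j) = a theta^i(b) X^(i+j)."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] ^= gf_mul(a, frob(b, i))
    return out


def moore_matrix(g):
    """m x n matrix whose row i is the evaluation vector of the skew monomial X^[i] on g."""
    return [[frob(gj, i) for gj in g] for i in range(M)]


def encode(g, k, u):
    """u * G, where G is the first k rows of the Moore matrix of g (Definition 1)."""
    G = moore_matrix(g)[:k]
    return [_dot([u[i] for i in range(k)], [G[i][j] for i in range(k)]) for j in range(len(g))]


def _dot(u, v):
    acc = 0
    for a, b in zip(u, v):
        acc ^= gf_mul(a, b)
    return acc


def rank_over_gf(matrix):
    """Rank over F_16 by Gaussian elimination (needs gf_inv, unlike rank over F_2)."""
    rows, rank = [r[:] for r in matrix], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = gf_inv(rows[rank][col])
        rows[rank] = [gf_mul(inv, v) for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [a ^ gf_mul(f, b) for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rank


def rank_f2(ints):
    """Rank over F_2 of bit-vectors (xor-basis keyed by leading bit): the rank weight."""
    basis = {}
    for v in ints:
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = v
                break
            v ^= basis[top]
    return len(basis)


def min_rank_distance(g, k):
    """Smallest rank weight of a non-zero codeword; for a basis g this is n - k + 1."""
    return min(rank_f2(encode(g, k, list(u))) for u in product(range(1 << M), repeat=k) if any(u))


if __name__ == "__main__":
    g = [1, 2, 4, 8]                      # the basis (1, a, a^2, a^3) of F_16 over F_2
    print("rank of Moore(g):", rank_over_gf(moore_matrix(g)))
    print("min rank distance, k = 2:", min_rank_distance(g, 2))
```

The composition identity is exactly what makes the product rule X·a = θ(a)·X the right one: evaluating a skew polynomial is an F_2-linear map, and the ring product corresponds to composing those maps, which is the structure the interpolating and vanishing polynomials of this section rely on.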

The following lemma will be helpful for the analysis of the scheme consistency.

Lemma 1

Let and . Then we have . Moreover, if , then there exists a non-zero such that .

Proof

Let satisfy . In particular, one can see that . Hence, by -linearity . Thus, every satisfies , leading to .

Assume now that . It implies that . Let be an ordered basis of over . Then there must exist a non-zero such that , otherwise we would have . If we set , then we get by -linearity.∎

5.2 Consistency

In this section we characterize the output of algorithm described in Section 3. As input, receives a vector of rank and a vector such that , where


  • vector satisfies ,

  • matrix has -degree ,

  • vector has rank .

First, notice that for some . In the first step of Algorithm 3, a vector solution to is computed. One can see that the set of such solutions is

Therefore, in step of Algorithm 3, we have

We notably used the -linearity of . Also recall that, for any , denotes the -interpolating polynomial of . Then we get:

Moreover, yields since . Therefore, the polynomial has degree at most .

We also know that . Hence, in the third step of Algorithm 3, any decoding algorithm for that decodes errors of rank at most will retrieve from . Finally, Algorithm 3 outputs a matrix such that .

As a consequence, decryption fails whenever , where is the original plaintext. First notice that . Then, Lemma 1 shows that if decryption fails, then there exists a non-zero such that . Let us now recall that the set of zeroes of is exactly . Hence we get the following result.

Lemma 2

Let . If, on input where , algorithm does not output , then matrix has been chosen at step , such that .

One can now estimate the probability of failure of .

Lemma 3

Let be any pair of keys generated by , on public parameters . Then, for every ,

Proof

Using Lemma 2, we have

It is easy to check that the probability that a -dimensional random subspace of intersects non-trivially a fixed subspace of dimension is bounded by . This concludes the proof.∎

5.3 Security proof

Let us first introduce two problems to which the security of RAMESSES can be reduced. Problem 1 is an ad hoc problem. The search version of Problem 2 corresponds to decoding errors of rank in a Gabidulin code; this problem is believed to be hard for between and , and an improvement in solving it would be significant in coding theory.

Problem 1 (Syndrome correlation for Gabidulin codes (CorGab))

Let be a fixed parity-check matrix of , and .

  • Input: access to distributions

    1. : , where and ,

    2. : , where and .

  • Goal: distinguish between and .

Problem 2 (Syndrome decoding for Gabidulin codes, Gab-SD)

Let be a fixed parity-check matrix of , and .

  • Input: access to distributions

    1. : , where ,

    2. : , where .

  • Goal: distinguish between and .

We now shortly show the indistinguishability under chosen plaintext attacks (IND-CPA) of RAMESSES with the following sequence of games.

  • Game 0. The real scheme with plaintext .

  • Game 1. We modify Game 0 as follows. In the key generation, the vector is now picked uniformly at random in , without any rank constraint.

  • Game 2. We modify Game 1 as follows. In the encryption algorithm, is replaced by , where is generated uniformly at random in .

  • Game 3. We modify Game 2 as follows. The plaintext is replaced by the plaintext .

  • Game 4. This game is identical to Game 1, except that the plaintext is replaced by the plaintext .

  • Game 5. The real scheme with plaintext .

One can then prove that the advantage of an adversary in distinguishing the encryptions of and satisfies:

Roughly speaking, one actually mimics the security proof given in [AguilarBDGZ18]. The term comes from transitions between games 0 and 1, and games 4 and 5, whereas transitions between games 1 and 2, and games 3 and 4 yield the term. Games 2 and 3 are information-theoretically indistinguishable since is random.

5.4 Existing attacks

In the following, we denote by the desired security parameter, i.e., any attack against the cryptosystem must cost at least operations over .

Exhaustive search attacks.

In order to avoid attacks by exhaustive search, one has the following constraints on the parameters.

  1. , satisfied when .

  2. , satisfied when .

  3. , satisfied when .

Attack by decoding beyond the unique decoding radius of Gabidulin codes.

Let be any solution of of rank . From the consistency analysis one can see that can be used as an alternate private key in the algorithm. The computation of such a vector actually corresponds to the search version of Gab-SD problem.

This problem is easy for (it corresponds to half-minimum-distance decoding) and for (equivalent to interpolation for linearized polynomials). In our setting, we have , and we believe that the search version of Gab-SD is hard in this range of parameters.

A solution consists in enumerating vector spaces of dimension slightly higher than , checking whether they correctly guess a large part of the solution space, and in that case interpolating the solution. Roughly speaking, the number of valid choices for the subspace is large, but the complexity of finding one remains exponential in the code length. Precisely, in our settings (, and even) the number of vector spaces to test before finding one solution is on average

where . This quantity is used as a bound for the complexity of solving Gab-SD. By using a straightforward Grover algorithm, we obtain that the number of iterations to be completed on a quantum computer is roughly

Attack via a reduction to a quadratic system over .

Given a vector with , any solution to can be written as for some . Therefore, satisfies

(1)

where . Hence, an attack would consist in searching for and in the previous equation, for some fixed solution to .

Equation (1) can be turned into a quadratic system over (see Appendix 0.A for details). Using results of Bardet et al. [BardetFSS13], the solving complexity would be in , which remains much larger than the complexity of the previous attack.[1]

[1] However, notice that the system to be solved in [BardetFSS13] is assumed random, and such that no specialization of variables can be made. This is unlikely the case for our system, but it requires a finer analysis — which is not the scope of this paper — to understand whether improvements can be made in order to solve the system.

Attack via a reduction to a MinRank instance.

The recovery of a representative of the plaintext , given only a ciphertext and , can be modeled as follows. First, one computes (i) any solution of , and (ii) any solution to . Due to the form of the ciphertext, this leads us to

(2)

where and are unknown to the attacker. Notice that lies in a -vector space of dimension , since . Two kinds of attacks can then be mounted to solve (2).

First, Equation (2) can be written , which means that the problem can be rephrased as decoding an error of rank in the underlying code

Notice that is an -linear code of -dimension at most . One can then write , which yields . A straightforward decoding approach would lead to an attack in time roughly . One could also try to decode in the smallest -linear code containing , and use the additional structure provided by the -linearity. This structure has been widely employed in recent improvements, see [BardetBBGNRT09]. However, it is unlikely that the -dimension of is small, since the -endomorphism of defined by is not -linear.

Second, one can see Equation (2) as an instance of MinRank, a problem formally introduced by Courtois in [Courtois01] after the cryptanalysis of HFE [KipnisS99].

Problem 3 (MinRank search problem)

Let be a field.

  • Input: and an integer .

  • Goal: Find such that .

Let us denote by an -basis of , the smallest vector space containing . Similarly, can be written in some basis of the -vector space of dimension representing . Applying to Equation (2), we get:

where . Since , one gets an instance of the MinRank problem, with one “base matrix” and “summand matrices” .

There exist several approaches to solve the MinRank problem. In [GoubinC00], Goubin and Courtois gave an algorithm which finds a solution in expected time . In 1999, Kipnis and Shamir [KipnisS99] proposed a multivariate formulation of MinRank which can be solved by computing Groebner bases. Such computations can be run in time , where is the linear algebra constant, and is the degree of regularity of the system [Lazard83]. Faugère, Levy-dit-Vehel and Perret [FaugereLP08] proved that, in the Kipnis-Shamir formalism, any instance can be reduced to a simpler one if . In our case, setting ensures that . Moreover, the authors proved that the degree of regularity is lower than what is expected for random systems, and it seems to be heuristically upper bounded by . This heuristic was confirmed by Verbel et al. [VerbelBCPS19] for superdetermined instances, and by Bardet et al. [BardetBBGNRT09] in the context of decoding low rank errors in random codes. Finally, the latter work also presents instances for which the solving degree decreases to