Enhancing Code Based Zero-knowledge Proofs using Rank Metric
The advent of quantum computers is a threat to most currently deployed cryptographic primitives. Among these, zero-knowledge proofs play an important role, due to their numerous applications. The primitives and protocols presented in this work base their security on the difficulty of solving the Rank Syndrome Decoding (RSD) problem. This problem is believed to be hard even in the quantum model. We first present a perfectly binding commitment scheme. Using this scheme, we are able to build an interactive zero-knowledge proof to prove: the knowledge of a valid opening of a committed value, and that the valid openings of three committed values satisfy a given linear relation, and, more generally, any bitwise relation. With the above protocols it becomes possible to prove the relation of two committed values for an arbitrary circuit, with quasi-linear communication complexity and a soundness error of 2/3. To our knowledge, this is the first quantum resistant zero-knowledge protocol for arbitrary circuits based on the RSD problem. An important contribution of this work is the selection of a set of parameters, and a full implementation, both for our proposal in the rank metric and for the original LPN based one by Jain et al. in the Hamming metric, from which we took the inspiration. Besides demonstrating the practicality of both constructions, we provide evidence of the convenience of the rank metric by reporting performance benchmarks and a detailed comparison.
Improvements of Algebraic Attacks for solving the Rank Decoding and MinRank problems
In this paper, we show how to significantly improve algebraic techniques for solving the MinRank problem, which is ubiquitous in multivariate and rank metric code based cryptography. In the case of the structured MinRank instances arising in the latter, we build upon a recent breakthrough [11] showing that algebraic attacks outperform the combinatorial ones that were considered state of the art up until now. Through a slight modification of this approach, we completely avoid Gröbner bases computations for certain parameters and are left only with solving linear systems. This does not only substantially improve the complexity, but also gives a convincing argument as to why algebraic techniques work in this case. When used against the second round NIST-PQC candidates ROLLO-I-128/192/256, our new attack has bit complexity respectively 71, 87, and 151, to be compared to 117, 144, and 197 as obtained in [11]. The linear systems arise from the nullity of the maximal minors of a certain matrix associated to the algebraic modeling. We also use a similar approach to improve the algebraic MinRank solvers for the usual MinRank problem. When applied against the second round NIST-PQC candidates GeMSS and Rainbow, our attack has a complexity that is very close to or even slightly better than those of the best known attacks so far. Note that these latter attacks did not rely on MinRank techniques since the MinRank approach used to give complexities that were far away from classical security levels.
An Algebraic Attack on Rank Metric Code-Based Cryptosystems
The Rank metric decoding problem is the main problem considered in cryptography based on codes in the rank metric. Very efficient schemes based on this problem or quasi-cyclic versions of it have been proposed recently, such as those in the submissions ROLLO and RQC currently at the second round of the NIST Post-Quantum Cryptography Standardization Process. While combinatorial attacks on this problem have been extensively studied and seem now well understood, the situation is not as satisfactory for algebraic attacks, for which previous work essentially suggested that they were ineffective for cryptographic parameters. In this paper, starting from Ourivski and Johansson's algebraic modelling of the problem into a system of polynomial equations, we show how to augment this system with easily computed equations so that the augmented system is solved much faster via Gröbner bases. This happens because the augmented system has solving degree , or depending on the parameters, where is the rank weight, which we show by extending results from Verbel et al. (PQCrypto 2019) on systems arising from the MinRank problem; with target rank , Verbel et al. lower the solving degree to , and even less for some favorable instances that they call superdetermined. We give complexity bounds for this approach as well as practical timings of an implementation using Magma. This improves upon the previously known complexity estimates for both Gröbner basis and (non-quantum) combinatorial approaches, and for example leads to an attack in 200 bits on ROLLO-I-256 whose claimed security was 256 bits.