Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme

RankSign [GRSZ14a] is a code-based signature scheme proposed to the NIST competition for quantum-safe cryptography [AGHRZ17] and, moreover, is a fundamental building block of a new Identity-Based-Encryption (IBE) [GHPT17a]. This signature scheme is based on the rank metric and enjoys remarkably small key sizes, about 10KBytes for an intended level of security of 128 bits. Unfortunately we will show that all the parameters proposed for this scheme in [AGHRZ17] can be broken by an algebraic attack that exploits the fact that the augmented LRPC codes used in this scheme have very low weight codewords. Therefore, without RankSign the IBE cannot be instantiated at this time. As a second contribution we will show that the problem is deeper than finding a new signature in rank-based cryptography, we also found an attack on the generic problem upon which its security reduction relies. However, contrarily to the RankSign scheme, it seems that the parameters of the IBE scheme could be chosen in order to avoid our attack. Finally, we have also shown that if one replaces the rank metric in the [GHPT17a] IBE scheme by the Hamming metric, then a devastating attack can be found

From Skew-Cyclic Codes to Asymmetric Quantum Codes

We introduce an additive but not $\mathbb{F}_4$-linear map $S$ from $\mathbb{F}_4^{n}$ to $\mathbb{F}_4^{2n}$ and exhibit some of its interesting structural properties. If $C$ is a linear $[n,k,d]_4$-code, then $S(C)$ is an additive $(2n,2^{2k},2d)_4$-code. If $C$ is an additive cyclic code then $S(C)$ is an additive quasi-cyclic code of index $2$. Moreover, if $C$ is a module $\theta$-cyclic code, a recently introduced type of code which will be explained below, then $S(C)$ is equivalent to an additive cyclic code if $n$ is odd and to an additive quasi-cyclic code of index $2$ if $n$ is even. Given any $(n,M,d)_4$-code $C$, the code $S(C)$ is self-orthogonal under the trace Hermitian inner product. Since the mapping $S$ preserves nestedness, it can be used as a tool in constructing additive asymmetric quantum codes.Comment: 16 pages, 3 tables, submitted to Advances in Mathematics of Communication

An IND-CCA-Secure Code-Based EncryptionScheme Using Rank Metric

The use of rank instead of Hamming metric has been proposed to address the main drawback of code-based cryptography: large key sizes. There exist several Key Encapsulation Mechanisms (KEM) and Public Key Encryption (PKE) schemes using rank metric including some submissions to the NIST call for standardization of Post-Quantum Cryptography. In this work, we present an IND-CCA PKE scheme based on the McEliece adaptation to rank metric proposed by Loidreau at PQC 2017. This IND-CCA PKE scheme based on rank metric does not use a hybrid construction KEM + symmetric encryption. Instead, we take advantage of the bigger message space obtained by the different parameters chosen in rank metric, being able to exchange multiple keys in one ciphertext. Our proposal is designed considering some specific properties of the random error generated during the encryption. We prove our proposal IND-CCA-secure in the QROM by using a security notion called disjoint simulatability introduced by Saito et al. in Eurocrypt 2018. Moreover, we provide security bounds by using the semi-oracles introduced by Ambainis et al

Good Random Matrices over Finite Fields

The random matrix uniformly distributed over the set of all m-by-n matrices over a finite field plays an important role in many branches of information theory. In this paper a generalization of this random matrix, called k-good random matrices, is studied. It is shown that a k-good random m-by-n matrix with a distribution of minimum support size is uniformly distributed over a maximum-rank-distance (MRD) code of minimum rank distance min{m,n}-k+1, and vice versa. Further examples of k-good random matrices are derived from homogeneous weights on matrix modules. Several applications of k-good random matrices are given, establishing links with some well-known combinatorial problems. Finally, the related combinatorial concept of a k-dense set of m-by-n matrices is studied, identifying such sets as blocking sets with respect to (m-k)-dimensional flats in a certain m-by-n matrix geometry and determining their minimum size in special cases.Comment: 25 pages, publishe

Two attacks on rank metric code-based schemes: RankSign and an IBE scheme

International audienceRankSign [29] is a code-based signature scheme proposed to the NIST competition for quantum-safe cryptography [5] and, moreover , is a fundamental building block of a new Identity-Based-Encryption (IBE) [25]. This signature scheme is based on the rank metric and enjoys remarkably small key sizes, about 10KBytes for an intended level of security of 128 bits. Unfortunately we will show that all the parameters proposed for this scheme in [5] can be broken by an algebraic attack that exploits the fact that the augmented LRPC codes used in this scheme have very low weight codewords. Therefore, without RankSign the IBE cannot be instantiated at this time. As a second contribution we will show that the problem is deeper than finding a new signature in rank-based cryptography, we also found an attack on the generic problem upon which its security reduction relies. However, contrarily to the RankSign scheme, it seems that the parameters of the IBE scheme could be chosen in order to avoid our attack. Finally, we have also shown that if one replaces the rank metric in the [25] IBE scheme by the Hamming metric, then a devastating attack can be found

An Algebraic Approach for Decoding Spread Codes

In this paper we study spread codes: a family of constant-dimension codes for random linear network coding. In other words, the codewords are full-rank matrices of size (k x n) with entries in a finite field F_q. Spread codes are a family of optimal codes with maximal minimum distance. We give a minimum-distance decoding algorithm which requires O((n-k)k^3) operations over an extension field F_{q^k}. Our algorithm is more efficient than the previous ones in the literature, when the dimension k of the codewords is small with respect to n. The decoding algorithm takes advantage of the algebraic structure of the code, and it uses original results on minors of a matrix and on the factorization of polynomials over finite fields

Asymptotic bounds for the sizes of constant dimension codes and an improved lower bound

We study asymptotic lower and upper bounds for the sizes of constant dimension codes with respect to the subspace or injection distance, which is used in random linear network coding. In this context we review known upper bounds and show relations between them. A slightly improved version of the so-called linkage construction is presented which is e.g. used to construct constant dimension codes with subspace distance $d=4$, dimension $k=3$ of the codewords for all field sizes $q$, and sufficiently large dimensions $v$ of the ambient space, that exceed the MRD bound, for codes containing a lifted MRD code, by Etzion and Silberstein.Comment: 30 pages, 3 table

Enhancing Code Based Zero-knowledge Proofs using Rank Metric

The advent of quantum computers is a threat to most currently deployed cryptographic primitives. Among these, zero-knowledge proofs play an important role, due to their numerous applications. The primitives and protocols presented in this work base their security on the difficulty of solving the Rank Syndrome Decoding (RSD) problem. This problem is believed to be hard even in the quantum model. We first present a perfectly binding commitment scheme. Using this scheme, we are able to build an interactive zero-knowledge proof to prove: the knowledge of a valid opening of a committed value, and that the valid openings of three committed values satisfy a given linear relation, and, more generally, any bitwise relation. With the above protocols it becomes possible to prove the relation of two committed values for an arbitrary circuit, with quasi-linear communication complexity and a soundness error of 2/3. To our knowledge, this is the first quantum resistant zero-knowledge protocol for arbitrary circuits based on the RSD problem. An important contribution of this work is the selection of a set of parameters, and an a full implementation, both for our proposal in the rank metric and for the original LPN based one by Jain et. al in the Hamming metric, from which we took the inspiration. Beside demonstrating the practicality of both constructions, we provide evidence of the convenience of rank metric, by reporting performance benchmarks and a detailed comparison