-
On the Independence Assumption in Quasi-Cyclic Code-Based Cryptography
Authors:
Maxime Bombar,
Nicolas Resch,
Emiel Wiedijk
Abstract:
Cryptography based on the presumed hardness of decoding codes -- i.e., code-based cryptography -- has recently seen increased interest due to its plausible security against quantum attackers. Notably, of the four proposals for the NIST post-quantum standardization process that were advanced to their fourth round for further review, two were code-based. The most efficient proposals -- including HQC…
▽ More
Cryptography based on the presumed hardness of decoding codes -- i.e., code-based cryptography -- has recently seen increased interest due to its plausible security against quantum attackers. Notably, of the four proposals for the NIST post-quantum standardization process that were advanced to their fourth round for further review, two were code-based. The most efficient proposals -- including HQC and BIKE, the NIST submissions alluded to above -- in fact rely on the presumed hardness of decoding structured codes. Of particular relevance to our work, HQC is based on quasi-cyclic codes, which are codes generated by matrices consisting of two cyclic blocks.
In particular, the security analysis of HQC requires a precise understanding of the Decryption Failure Rate (DFR), whose analysis relies on the following heuristic: given random ``sparse'' vectors $e_1,e_2$ (say, each coordinate is i.i.d. Bernoulli) multiplied by fixed ``sparse'' quasi-cyclic matrices $A_1,A_2$, the weight of resulting vector $e_1A_1+e_2A_2$ is very concentrated around its expectation. In the documentation, the authors model the distribution of $e_1A_1+e_2A_2$ as a vector with independent coordinates (and correct marginal distribution). However, we uncover cases where this modeling fails. While this does not invalidate the (empirically verified) heuristic that the weight of $e_1A_1+e_2A_2$ is concentrated, it does suggest that the behavior of the noise is a bit more subtle than previously predicted. Lastly, we also discuss implications of our result for potential worst-case to average-case reductions for quasi-cyclic codes.
△ Less
Submitted 5 January, 2025;
originally announced January 2025.
-
Correlated Pseudorandomness from the Hardness of Quasi-Abelian Decoding
Authors:
Maxime Bombar,
Geoffroy Couteau,
Alain Couvreur,
Clément Ducros
Abstract:
Secure computation often benefits from the use of correlated randomness to achieve fast, non-cryptographic online protocols. A recent paradigm put forth by Boyle $\textit{et al.}$ (CCS 2018, Crypto 2019) showed how pseudorandom correlation generators (PCG) can be used to generate large amounts of useful forms of correlated (pseudo)randomness, using minimal interactions followed solely by local com…
▽ More
Secure computation often benefits from the use of correlated randomness to achieve fast, non-cryptographic online protocols. A recent paradigm put forth by Boyle $\textit{et al.}$ (CCS 2018, Crypto 2019) showed how pseudorandom correlation generators (PCG) can be used to generate large amounts of useful forms of correlated (pseudo)randomness, using minimal interactions followed solely by local computations, yielding silent secure two-party computation protocols (protocols where the preprocessing phase requires almost no communication). An additional property called programmability allows to extend this to build N-party protocols. However, known constructions for programmable PCG's can only produce OLE's over large fields, and use rather new splittable Ring-LPN assumption.
In this work, we overcome both limitations. To this end, we introduce the quasi-abelian syndrome decoding problem (QA-SD), a family of assumptions which generalises the well-established quasi-cyclic syndrome decoding assumption. Building upon QA-SD, we construct new programmable PCG's for OLE's over any field $\mathbb{F}_q$ with $q>2$. Our analysis also sheds light on the security of the ring-LPN assumption used in Boyle $\textit{et al.}$ (Crypto 2020). Using our new PCG's, we obtain the first efficient N-party silent secure computation protocols for computing general arithmetic circuit over $\mathbb{F}_q$ for any $q>2$.
△ Less
Submitted 6 June, 2023;
originally announced June 2023.
-
On Codes and Learning With Errors over Function Fields
Authors:
Maxime Bombar,
Alain Couvreur,
Thomas Debris-Alazard
Abstract:
It is a long standing open problem to find search to decision reductions for structured versions of the decoding problem of linear codes. Such results in the lattice-based setting have been carried out using number fields: Polynomial-LWE, Ring-LWE, Module-LWE and so on. We propose a function field version of the LWE problem. This new framework leads to another point of view on structured codes, e.…
▽ More
It is a long standing open problem to find search to decision reductions for structured versions of the decoding problem of linear codes. Such results in the lattice-based setting have been carried out using number fields: Polynomial-LWE, Ring-LWE, Module-LWE and so on. We propose a function field version of the LWE problem. This new framework leads to another point of view on structured codes, e.g. quasi-cyclic codes, strengthening the connection between lattice-based and code-based cryptography. In particular, we obtain the first search to decision reduction for structured codes. Following the historical constructions in lattice-based cryptography, we instantiate our construction with function fields analogues of cyclotomic fields, namely Carlitz extensions, leading to search to decision reductions on various versions of Ring-LPN, which have applications to secure multi party computation and to an authentication protocol.
△ Less
Submitted 28 February, 2022;
originally announced February 2022.
-
Right-hand side decoding of Gabidulin code and applications
Authors:
Maxime Bombar,
Alain Couvreur
Abstract:
We discuss the decoding of Gabidulin and interleaved Gabidulin codes. We give the full presentation of a decoding algorithm for Gabidulin codes, which as Loidreau's seminal algorithm consists in localizing errors in the spirit of Berlekamp-Welch algorithm for Reed-Solomon codes. On the other hand, this algorithm consists in acting on codewords on the right while Loidreau's algorithm considers an a…
▽ More
We discuss the decoding of Gabidulin and interleaved Gabidulin codes. We give the full presentation of a decoding algorithm for Gabidulin codes, which as Loidreau's seminal algorithm consists in localizing errors in the spirit of Berlekamp-Welch algorithm for Reed-Solomon codes. On the other hand, this algorithm consists in acting on codewords on the right while Loidreau's algorithm considers an action on the left. This right-hand side decoder was already introduced by the authors in a previous work for cryptanalytic applications. We give here a generalised version which applies to the case of non-full length Gabidulin codes. Finally, we show that this algorithm turns out to provide a very clear and natural approach for the decoding of interleaved Gabidulin codes.
△ Less
Submitted 4 March, 2022; v1 submitted 14 December, 2021;
originally announced December 2021.
-
Decoding supercodes of Gabidulin codes and applications to cryptanalysis
Authors:
Maxime Bombar,
Alain Couvreur
Abstract:
This article discusses the decoding of Gabidulin codes and shows how to extend the usual decoder to any supercode of a Gabidulin code at the cost of a significant decrease of the decoding radius. Using this decoder, we provide polynomial time attacks on the rank-metric encryption schemes RAMESSES and LIGA.
This article discusses the decoding of Gabidulin codes and shows how to extend the usual decoder to any supercode of a Gabidulin code at the cost of a significant decrease of the decoding radius. Using this decoder, we provide polynomial time attacks on the rank-metric encryption schemes RAMESSES and LIGA.
△ Less
Submitted 19 November, 2021; v1 submitted 3 March, 2021;
originally announced March 2021.
-
Delocalisation of one-dimensional marginals of product measures and the capacity of LTI discrete channels
Authors:
Maxime Bombar,
Alexander Fish
Abstract:
We consider discrete linear time invariant (LTI) channels satisfying the phase independence (PI) assumption. We show that under the PI assumption the capacity of LTI channels is positive. The main technical tool that we use to establish the positivity of the capacity is the delocalisation theorem for one-dimensional marginals of the product measure due to Ball and Nazarov. We also prove two deloca…
▽ More
We consider discrete linear time invariant (LTI) channels satisfying the phase independence (PI) assumption. We show that under the PI assumption the capacity of LTI channels is positive. The main technical tool that we use to establish the positivity of the capacity is the delocalisation theorem for one-dimensional marginals of the product measure due to Ball and Nazarov. We also prove two delocalisation results that can be seen as extensions of Ball-Nazarov Theorem.
△ Less
Submitted 3 September, 2018;
originally announced September 2018.
