-
Linearized Polynomial Chinese remainder codes
Authors:
Philippe Gaborit,
Camille Garnier,
Olivier Ruatta
Abstract:
In this paper, we introduce a new family of codes relevant for rank and sum-rank metrics. These codes are based on an effective Chinese remainder theorem for linearized polynomials over finite fields. We propose a decoding algorithm for some instances of these codes.
Submitted 21 May, 2025;
originally announced May 2025.
-
On the Generalization of Kitaev Codes as Generalized Bicycle Codes
Authors:
François Arnault,
Philippe Gaborit,
Nicolas Saussay
Abstract:
Surface codes have historically been the dominant choice for quantum error correction due to their superior error threshold performance. However, recently, a new class of Generalized Bicycle (GB) codes, constructed from binary circulant matrices with three non-zero elements per row, achieved comparable performance with fewer physical qubits and higher encoding efficiency.
In this article, we focus on a subclass of GB codes, which are constructed from pairs of binary circulant matrices with two non-zero elements per row.
We introduce a family of codes that generalizes both standard and optimized Kitaev codes for which we have a lower bound on their minimum distance, ensuring performance better than standard Kitaev codes. These codes exhibit parameters of the form $[\![2n, 2, \geq \sqrt{n}]\!]$ where $n$ is a factor of $1 + d^2$. For code lengths below 200, our analysis yields $21$ codes, including $7$ codes from Pryadko and Wang's database, and unveils $14$ new codes with enhanced minimum distance compared to standard Kitaev codes. Among these, $3$ surpass all previously known weight-4 GB codes for distances $4$, $8$, and $12$.
Submitted 25 April, 2025;
originally announced April 2025.
-
A Variant of the Bravyi-Terhal Bound for Arbitrary Boundary Conditions
Authors:
François Arnault,
Philippe Gaborit,
Wouter Rozendaal,
Nicolas Saussay,
Gilles Zémor
Abstract:
We present a modified version of the Bravyi-Terhal bound that applies to quantum codes defined by local parity-check constraints on a $D$-dimensional lattice quotient. Specifically, we consider a quotient $\mathbb{Z}^D/\Lambda$ of $\mathbb{Z}^D$ of cardinality $n$, where $\Lambda$ is some $D$-dimensional sublattice of $\mathbb{Z}^D$: we suppose that every vertex of this quotient indexes $m$ qubits of a stabilizer code $C$, which therefore has length $nm$. We prove that if all stabilizer generators act on qubits whose indices lie within a ball of radius $\rho$, then the minimum distance $d$ of the code satisfies $d \leq m\sqrt{\gamma_D}(\sqrt{D} + 4\rho)\,n^{\frac{D-1}{D}}$ whenever $n^{1/D} \geq 8\rho\sqrt{\gamma_D}$, where $\gamma_D$ is the $D$-dimensional Hermite constant. We apply this bound to derive an upper bound on the minimum distance of Abelian Two-Block Group Algebra (2BGA) codes whose parity-check matrices have the form $[\mathbf{A} \, \vert \, \mathbf{B}]$ with each submatrix representing an element of a group algebra over a finite abelian group.
Submitted 10 February, 2025; v1 submitted 7 February, 2025;
originally announced February 2025.
-
Upper Bounds on the Minimum Distance of Structured LDPC Codes
Authors:
François Arnault,
Philippe Gaborit,
Wouter Rozendaal,
Nicolas Saussay,
Gilles Zémor
Abstract:
We investigate the minimum distance of structured binary Low-Density Parity-Check (LDPC) codes whose parity-check matrices are of the form $[\mathbf{C} \vert \mathbf{M}]$ where $\mathbf{C}$ is circulant and of column weight $2$, and $\mathbf{M}$ has fixed column weight $r \geq 3$ and row weight at least $1$. These codes are of interest because they are LDPC codes which come with a natural linear-time encoding algorithm. We show that the minimum distance of these codes is in $O(n^{\frac{r-2}{r-1} + \varepsilon})$, where $n$ is the code length and $\varepsilon > 0$ is arbitrarily small. This improves the previously known upper bound in $O(n^{\frac{r-1}{r}})$ on the minimum distance of such codes.
Submitted 31 January, 2025;
originally announced January 2025.
-
MinRank Gabidulin encryption scheme on matrix codes
Authors:
Nicolas Aragon,
Alain Couvreur,
Victor Dyseryn,
Philippe Gaborit,
Adrien Vinçotte
Abstract:
The McEliece scheme is a generic framework which allows the use of any error-correcting code for which there exists an efficient decoding algorithm to design an encryption scheme by hiding the generator matrix of the code. Similarly, the Niederreiter framework is the dual version of the McEliece scheme, and achieves smaller ciphertexts. We propose a generalization of the McEliece framework and the Niederreiter framework to matrix codes and the MinRank problem, which we apply to Gabidulin matrix codes (Gabidulin rank codes considered as matrix codes). The masking we consider consists in starting from a rank code C, considering a matrix version of C, concatenating a certain number of rows and columns to the matrix version of the rank code C, and then applying an isometry for matrix codes. The security of the schemes relies on the MinRank problem to decrypt a ciphertext, and the structural security of the scheme relies on a new problem, the EGMC-Indistinguishability problem, that we introduce and study in detail. The main structural attack that we propose consists in trying to recover the masked linearity over the extension field which is lost during the masking process. Overall, starting from Gabidulin codes we obtain a very appealing trade-off between the size of the ciphertext and the size of the public key. For 128 bits of security we propose parameters ranging from ciphertexts of size 65 B (and public keys of size 98 kB) to ciphertexts of size 138 B (and public keys of size 41 kB). Our new approach makes it possible to achieve a better trade-off between ciphertexts and public keys than the classical McEliece scheme. It yields an alternative to the classic McEliece scheme with very small ciphertexts and, moreover, smaller public keys than in the classic McEliece scheme. For 256 bits of security, we can obtain ciphertexts as small as 119 B, or public keys as small as 87 kB.
Submitted 17 October, 2024; v1 submitted 26 May, 2024;
originally announced May 2024.
-
Injective Rank Metric Trapdoor Functions with Homogeneous Errors
Authors:
Étienne Burle,
Philippe Gaborit,
Younes Hatri,
Ayoub Otmani
Abstract:
In rank-metric cryptography, a vector from a finite dimensional linear space over a finite field is viewed as the linear space spanned by its entries. The rank decoding problem, which is the analogue of the problem of decoding a random linear code, consists in recovering a basis of a random noise vector that was used to perturb a set of random linear equations sharing a secret solution. Assuming the intractability of this problem, we introduce a new construction of injective one-way trapdoor functions. Our solution departs from the frequent way of building public key primitives from error-correcting codes where, to establish the security, ad hoc assumptions about a hidden structure are made. Our method produces a hard-to-distinguish linear code together with low weight vectors which constitute the secret that helps recover the inputs. The key idea is to focus on trapdoor functions that take sufficiently many input vectors sharing the same support. Then, applying the error-correcting algorithm designed for Low Rank Parity Check (LRPC) codes, we obtain an inverting algorithm that recovers the inputs with overwhelming probability.
Submitted 13 October, 2023;
originally announced October 2023.
-
RYDE: A Digital Signature Scheme based on Rank-Syndrome-Decoding Problem with MPCitH Paradigm
Authors:
Loïc Bidoux,
Jesús-Javier Chi-Domínguez,
Thibauld Feneuil,
Philippe Gaborit,
Antoine Joux,
Matthieu Rivain,
Adrien Vinçotte
Abstract:
We present a signature scheme based on the Syndrome-Decoding problem in rank metric. It is a construction from multi-party computation (MPC), using an MPC protocol which is a slight improvement of the linearized-polynomial protocol used in [Fen22], making it possible to obtain a zero-knowledge proof thanks to the MPCitH paradigm. We design two different zero-knowledge proofs exploiting this paradigm: the first, which achieves the lower communication cost, relies on additive secret sharings and uses the hypercube technique [AMGH+22]; and the second relies on low-threshold linear secret sharings as proposed in [FR22]. These proofs of knowledge are transformed into signature schemes thanks to the Fiat-Shamir heuristic [FS86].
Submitted 6 December, 2023; v1 submitted 17 July, 2023;
originally announced July 2023.
-
MIRA: a Digital Signature Scheme based on the MinRank problem and the MPC-in-the-Head paradigm
Authors:
Nicolas Aragon,
Loïc Bidoux,
Jesús-Javier Chi-Domínguez,
Thibauld Feneuil,
Philippe Gaborit,
Romaric Neveu,
Matthieu Rivain
Abstract:
We exploit the idea of [Fen22], which proposes to build an efficient signature scheme based on a zero-knowledge proof of knowledge of a solution of a MinRank instance. The scheme uses the MPCitH paradigm, which is an efficient way to build ZK proofs. We combine this idea with another idea, the hypercube technique introduced in [AMGH+22], which leads to a more efficient MPCitH-based scheme. This new approach is more efficient than classical MPCitH, as it reduces the number of party computations. This gives us a first scheme called MIRA-Additive. We then present another scheme, based on low-threshold secret sharings, called MIRA-Threshold, which is a faster scheme, at the price of larger signatures. The construction of MPCitH using threshold secret sharing is detailed in [FR22]. These two constructions allow us to be faster than classical MPCitH, with a signature size around 5.6 kB with MIRA-Additive, and 8.3 kB with MIRA-Threshold. We detail here the constructions and optimizations of the schemes, as well as their security proofs.
Submitted 17 July, 2023;
originally announced July 2023.
-
Generalized LRPC codes
Authors:
Ermes Franch,
Philippe Gaborit,
Chunlei Li
Abstract:
In this paper we generalize the notion of low-rank parity check (LRPC) codes by introducing a bilinear product over $\mathbb{F}_q^m$ based on a generic 3-tensor in $\mathbb{F}_q^{m \times m \times m}$, where $\mathbb{F}_q$ is the finite field with $q$ elements. The generalized LRPC codes are $\mathbb{F}_q$-linear codes in general and a particular choice of the 3-tensor corresponds to the original $\mathbb{F}_{q^m}$-linear LRPC codes. For the generalized LRPC codes, we propose two probabilistic polynomial-time decoding algorithms by adapting the decoding method for LRPC codes and also show that the proposed algorithms have a decoding failure rate similar to that of decoding LRPC codes.
Submitted 3 May, 2023;
originally announced May 2023.
-
Revisiting Algebraic Attacks on MinRank and on the Rank Decoding Problem
Authors:
Magali Bardet,
Pierre Briaud,
Maxime Bros,
Philippe Gaborit,
Jean-Pierre Tillich
Abstract:
The Rank Decoding problem (RD) is at the core of rank-based cryptography. This problem can also be seen as a structured version of MinRank, which is ubiquitous in multivariate cryptography. Recently, [BBBGNRT20, BBCGPSTV20] proposed attacks based on two new algebraic modelings, namely the MaxMinors modeling which is specific to RD and the Support-Minors modeling which applies to MinRank in general. Both improved significantly the complexity of algebraic attacks on these two problems. In the case of RD, and contrary to what was believed up to now, these new attacks were shown to be able to outperform combinatorial attacks, and this even for very small field sizes.
However, we prove here that the analysis performed in [BBCGPSTV20] for one of these attacks, which consists in mixing the MaxMinors modeling with the Support-Minors modeling to solve RD, is too optimistic and leads to underestimating the overall complexity. This is done by exhibiting linear dependencies between these equations and by considering an $\mathbb{F}_{q^m}$ version of these modelings which turns out to be instrumental for getting a better understanding of both systems. Moreover, by working over $\mathbb{F}_{q^m}$ rather than over $\mathbb{F}_q$, we are able to drastically reduce the number of variables in the system and we (i) still keep enough algebraic equations to be able to solve the system, (ii) are able to analyze rigorously the complexity of our approach. This new approach may improve the older MaxMinors approach on RD from [BBBGNRT20, BBCGPSTV20] for certain parameters. We also introduce a new hybrid approach on the Support-Minors system whose impact is much more general since it applies to any MinRank problem. This technique improves significantly the complexity of the Support-Minors approach for small to moderate field sizes.
Submitted 14 June, 2023; v1 submitted 10 August, 2022;
originally announced August 2022.
-
RQC revisited and more cryptanalysis for Rank-based Cryptography
Authors:
Loïc Bidoux,
Pierre Briaud,
Maxime Bros,
Philippe Gaborit
Abstract:
We propose two main contributions: first, we revisit the encryption scheme Rank Quasi-Cyclic (RQC) by introducing new efficient variations, in particular a new class of codes, the Augmented Gabidulin codes; second, we propose new attacks against the Rank Support Learning (RSL), the Non-Homogeneous Rank Decoding (NHRSD), and the Non-Homogeneous Rank Support Learning (NHRSL) problems. RSL is primordial for all recent rank-based cryptosystems such as Durandal (Aragon et al., EUROCRYPT 2019) or LRPC with multiple syndromes (arXiv:2206.11961); moreover, NHRSD and NHRSL, together with RSL, are at the core of our new schemes. The new attacks we propose are of both types: combinatorial and algebraic. For all these attacks, we provide a precise analysis of their complexity. Overall, when all of these new improvements for the RQC scheme are put together, and their security evaluated with our different attacks, they enable one to gain 50% in parameter sizes compared to the previous RQC version. More precisely, we give very competitive parameters, around 11 KBytes, for RQC schemes with unstructured public key matrices. This is currently the only scheme with such short parameters whose security relies solely on pure random instances without any masking assumptions, contrary to McEliece-like schemes. At last, when considering the case of Non-Homogeneous errors, our scheme makes it possible to reach even smaller parameters.
Submitted 4 July, 2022;
originally announced July 2022.
-
LRPC codes with multiple syndromes: near ideal-size KEMs without ideals
Authors:
Carlos Aguilar-Melchor,
Nicolas Aragon,
Victor Dyseryn,
Philippe Gaborit,
Gilles Zémor
Abstract:
We introduce a new rank-based key encapsulation mechanism (KEM) with public key and ciphertext sizes around 3.5 Kbytes each, for 128 bits of security, without using ideal structures. Such structures allow objects to be compressed, but give reductions to specific problems whose security is potentially weaker than for unstructured problems. To the best of our knowledge, our scheme improves in size on all the existing unstructured post-quantum lattice- or code-based algorithms such as FrodoKEM or Classic McEliece. Our technique, whose efficiency relies on properties of the rank metric, is to build upon existing Low Rank Parity Check (LRPC) code-based KEMs and to send multiple syndromes in one ciphertext, making it possible to reduce the parameters and still obtain an acceptable decoding failure rate. Our system relies on the hardness of the Rank Support Learning problem, a well-known variant of the Rank Syndrome Decoding problem. The gain on parameters is enough to significantly close the gap between ideal and non-ideal constructions. It makes it possible to choose an error weight close to the rank Gilbert-Varshamov bound, which is a relatively harder zone for algebraic attacks. We also give a version of our KEM that keeps an ideal structure and roughly halves the bandwidth compared to previous versions of LRPC KEMs submitted to NIST with a Decoding Failure Rate (DFR) of $2^{-128}$.
Submitted 23 June, 2022;
originally announced June 2022.
-
Compact Post-Quantum Signatures from Proofs of Knowledge leveraging Structure for the PKP, SD and RSD Problems
Authors:
Loïc Bidoux,
Philippe Gaborit
Abstract:
The MPC-in-the-head introduced in [IKOS07] has established itself as an important paradigm to design efficient digital signatures. It has been leveraged in the Picnic scheme [CDG+20] that reached the third round of the NIST PQC Standardization process. It has also been used in [Beu20] to introduce the Proof of Knowledge (PoK) with Helper paradigm. This construction makes it possible to design shorter signatures but induces a non-negligible performance overhead as it uses cut-and-choose. In this paper, we introduce the PoK leveraging structure paradigm along with its associated challenge space amplification technique. Our new approach to designing PoK brings some improvements over the PoK with Helper one. Indeed, we show how one can substitute the Helper in these constructions by leveraging the underlying structure of the considered problem. This approach does not suffer from the performance overhead inherent to the PoK with Helper paradigm and hence offers different trade-offs between security, signature sizes and performance. We also present four new post-quantum signature schemes. The first one is based on a new PoK with Helper for the Syndrome Decoding problem. It relies on ideas from [BGKM22] and [FJR21] and improves the latter using a new technique that can be seen as performing some cut-and-choose with a meet-in-the-middle approach. The three other signatures are based on our new PoK leveraging structure approach and as such illustrate its versatility. We provide new PoK related to the Permuted Kernel Problem (PKP), the Syndrome Decoding (SD) problem and the Rank Syndrome Decoding (RSD) problem. In practice, these PoK lead to comparable or shorter signatures than existing ones. Indeed, considering (public key + signature), we get sizes below 9 kB for our signature related to the PKP problem, below 15 kB for our signature related to the SD problem and below 7 kB for our signature related to the RSD problem.
Submitted 17 October, 2022; v1 submitted 6 April, 2022;
originally announced April 2022.
-
Code-based Signatures from New Proofs of Knowledge for the Syndrome Decoding Problem
Authors:
Loïc Bidoux,
Philippe Gaborit,
Mukul Kulkarni,
Victor Mateu
Abstract:
In this paper, we study code-based signatures constructed from Proofs of Knowledge (PoK). This line of work can be traced back to Stern, who introduced the first efficient PoK for the syndrome decoding problem in 1993. Afterward, different variations were proposed in order to reduce the signature size. In practice, obtaining a smaller signature size relies on the interaction of two main considerations: (i) the underlying protocol and its soundness error and (ii) the type of optimizations which are compatible with a given protocol. Over the years, different variations were proposed to improve the Stern scheme, such as the Veron scheme (with a noisy codeword rather than a syndrome as public key), the AGS scheme, which is a 5-pass protocol with cheating probability asymptotically equal to 1/2, and more recently the FJR approach, which decreases the cheating probability to 1/N but induces a performance overhead. Overall, the length of the signature depends on a trade-off between the scheme itself, the possible optimizations and the cost of the implementation. The recent approaches which increase the cost of the implementation open the door to many different types of trade-offs. In this paper we propose three new schemes and different trade-offs, which are all interesting in themselves, since depending on potential future optimizations a scheme may eventually become more efficient than another. All the schemes we propose use a trusted helper: a first scheme achieves a 1/2 cheating probability, a second scheme decreases the cheating probability to 1/N but with a different approach than the recent FJR scheme, and at last a third scheme proposes a Veron-like adaptation of the FJR scheme in which the public key is a noisy codeword rather than a syndrome. We provide an extensive comparison table which lists various trade-offs between our schemes and previous ones.
Submitted 14 January, 2022;
originally announced January 2022.
-
Quasi-Cyclic Stern Proof of Knowledge
Authors:
Loïc Bidoux,
Philippe Gaborit,
Mukul Kulkarni,
Nicolas Sendrier
Abstract:
The ongoing NIST standardization process has shown that Proof of Knowledge (PoK) based signatures have become an important type of possible post-quantum signatures. Regarding code-based cryptography, the original approach for PoK based signatures is the Stern protocol, which allows one to prove knowledge of a small weight vector solving a given instance of the Syndrome Decoding (SD) problem over $\mathbb{F}_2$. It features a soundness error equal to 2/3. This protocol was improved a few years later by Véron, who proposed a variation of the scheme based on the General Syndrome Decoding (GSD) problem which leads to better results in terms of communication. A few years later, the AGS protocol introduced a variation of the Véron protocol based on Quasi-Cyclic (QC) matrices. The AGS protocol achieves an asymptotic soundness error of 1/2 and an improvement in terms of communication. In the present paper, we introduce the Quasi-Cyclic Stern PoK, which constitutes an adaptation of the AGS scheme in an SD context, as well as several new optimizations for code-based PoK. Our main optimization on the size of the signature cannot be applied to GSD based protocols such as AGS and therefore motivated the design of our new protocol. In addition, we also provide a special soundness proof that is compatible with the use of the Fiat-Shamir transform for 5-round protocols. This approach is valid for our protocol but also for the AGS protocol, which was lacking such a proof. We compare our results with existing signatures including the recent code-based signatures based on PoK leveraging the MPC in the head paradigm. In practice, our new protocol is as fast as AGS while reducing its associated signature length by 20%. As a consequence, it constitutes an interesting trade-off between signature length and execution time for the design of a code-based signature relying only on the difficulty of the SD problem.
Submitted 4 February, 2022; v1 submitted 11 October, 2021;
originally announced October 2021.
-
On the hardness of code equivalence problems in rank metric
Authors:
Alain Couvreur,
Thomas Debris-Alazard,
Philippe Gaborit
Abstract:
In recent years, the notion of rank metric in the context of coding theory has seen many interesting developments in terms of applications such as space time coding, network coding or public key cryptography. These applications raised the interest of the community in theoretical properties of this type of codes, such as the hardness of decoding in rank metric. Among classical problems associated to codes for a given metric, the notion of code equivalence (to decide if two codes are isometric) has always been of the greatest interest, for its cryptographic applications or its deep connections to the graph isomorphism problem.
In this article, we discuss the hardness of the code equivalence problem in rank metric for $\mathbb{F}_{q^m}$-linear and general rank metric codes. In the $\mathbb{F}_{q^m}$-linear case, we reduce the underlying problem to another one called the Matrix Codes Right Equivalence Problem. We prove the latter problem to be either in $\mathcal{P}$ or in $\mathcal{ZPP}$ depending on the ground field size. This is obtained by designing an algorithm whose principal routines are linear algebra and factoring polynomials over finite fields. It turns out that the most difficult instances involve codes with non-trivial stabilizer algebras. The resolution of the latter case involves tools related to finite dimensional algebras and Wedderburn-Artin theory. It is interesting to note that 30 years ago, an important trend in theoretical computer science consisted in designing algorithms making effective major results of this theory. These algorithmic results turn out to be particularly useful in the present article.
Finally, for general matrix codes, we prove that the equivalence problem (both left and right) is at least as hard as the well-studied Monomial Equivalence Problem for codes endowed with the Hamming metric.
Submitted 10 June, 2021; v1 submitted 9 November, 2020;
originally announced November 2020.
-
HQC-RMRS, an instantiation of the HQC encryption framework with a more efficient auxiliary error-correcting code
Authors:
Nicolas Aragon,
Philippe Gaborit,
Gilles Zémor
Abstract:
The HQC encryption framework is a general code-based encryption scheme for which decryption returns a noisy version of the plaintext. Any instantiation of the scheme will therefore use an error-correcting procedure relying on a fixed auxiliary code. Unlike the McEliece encryption framework, whose security is directly related to how well one can hide the structure of an error-correcting code, the security reduction of the HQC encryption framework is independent of the nature of the auxiliary decoding procedure, which is publicly available. What is expected from it is that the decoding algorithm is both efficient and has a decoding failure rate which can be easily modelled and analyzed. The original error-correction procedure proposed for the HQC framework was to use tensor products of BCH codes and repetition codes. In this paper we consider another code family for removing the error vector deriving from the general framework: the concatenation of Reed-Muller and Reed-Solomon codes. We denote this instantiation of the HQC framework by HQC-RMRS. These codes yield better decoding results than the BCH and repetition codes: overall we gain roughly 17% in the size of the key and the ciphertext, while keeping a simple model of the decoding error rate. The paper also presents a simplified and more precise analysis of the distribution of the error vector output by the HQC protocol.
Submitted 21 May, 2020;
originally announced May 2020.
-
Improvements of Algebraic Attacks for solving the Rank Decoding and MinRank problems
Authors:
Magali Bardet,
Maxime Bros,
Daniel Cabarcas,
Philippe Gaborit,
Ray Perlner,
Daniel Smith-Tone,
Jean-Pierre Tillich,
Javier Verbel
Abstract:
Rank Decoding (RD) is the main underlying problem in rank-based cryptography. Based on this problem and quasi-cyclic versions of it, very efficient schemes have been proposed recently, such as those in the ROLLO and RQC submissions, which have reached the second round of the NIST Post-Quantum competition. Two main approaches have been studied to solve RD: combinatorial ones and algebraic ones. While the former has been studied extensively, a better understanding of the latter was recently obtained by Bardet et al. (EUROCRYPT20), where it appeared that algebraic attacks can often be more efficient than combinatorial ones for cryptographic parameters. This paper gives substantial improvements upon this attack in terms both of complexity and of the assumptions required by the cryptanalysis. We present attacks for ROLLO-I-128, 192, and 256 with bit complexity respectively in 70, 86, and 158, to be compared to 117, 144, and 197 for the aforementioned previous attack. Moreover, unlike this previous attack, ours does not need generic Gröbner basis algorithms since it only requires solving a linear system. For a case called overdetermined, this modeling allows us to avoid Gröbner basis computations by going directly to solving a linear system. For the other case, called underdetermined, we also improve the results from the previous attack by combining the Ourivski-Johansson modeling together with a new modeling for a generic MinRank instance; the latter modeling allows us to refine the analysis of MinRank's complexity given in the paper by Verbel et al. (PQC19). Finally, since the proposed parameters of ROLLO and RQC are completely broken by our new attack, we give examples of new parameters for ROLLO and RQC that make them resistant to our attacks. These new parameters show that these systems remain attractive, with a loss of only about 50% in terms of key size for ROLLO-I.
Submitted 9 February, 2021; v1 submitted 14 February, 2020;
originally announced February 2020.
-
An Algebraic Attack on Rank Metric Code-Based Cryptosystems
Authors:
Magali Bardet,
Pierre Briaud,
Maxime Bros,
Philippe Gaborit,
Vincent Neiger,
Olivier Ruatta,
Jean-Pierre Tillich
Abstract:
The Rank metric decoding problem is the main problem considered in cryptography based on codes in the rank metric. Very efficient schemes based on this problem or quasi-cyclic versions of it have been proposed recently, such as those in the submissions ROLLO and RQC currently at the second round of the NIST Post-Quantum Cryptography Standardization Process. While combinatorial attacks on this problem have been extensively studied and seem now well understood, the situation is not as satisfactory for algebraic attacks, for which previous work essentially suggested that they were ineffective for cryptographic parameters. In this paper, starting from Ourivski and Johansson's algebraic modelling of the problem into a system of polynomial equations, we show how to augment this system with easily computed equations so that the augmented system is solved much faster via Groebner bases. This happens because the augmented system has solving degree $r$, $r+1$ or $r+2$ depending on the parameters, where $r$ is the rank weight, which we show by extending results from Verbel et al. (PQCrypto 2019) on systems arising from the MinRank problem; with target rank $r$, Verbel et al. lower the solving degree to $r+2$, and even less for some favorable instances that they call superdetermined. We give complexity bounds for this approach as well as practical timings of an implementation using Magma. This improves upon the previously known complexity estimates for both Groebner basis and (non-quantum) combinatorial approaches, and for example leads to an attack in 200 bits on ROLLO-I-256 whose claimed security was 256 bits.
Submitted 23 February, 2020; v1 submitted 2 October, 2019;
originally announced October 2019.
-
Low Rank Parity Check Codes: New Decoding Algorithms and Applications to Cryptography
Authors:
Nicolas Aragon,
Philippe Gaborit,
Adrien Hauteville,
Olivier Ruatta,
Gilles Zémor
Abstract:
We introduce a new family of rank metric codes: Low Rank Parity Check codes (LRPC), for which we propose an efficient probabilistic decoding algorithm. This family of codes can be seen as the equivalent of classical LDPC codes for the rank metric. We then use these codes to design cryptosystems à la McEliece: more precisely we propose two schemes for key encapsulation mechanism (KEM) and public key encryption (PKE). Unlike rank metric codes used in previous encryption algorithms (notably Gabidulin codes), LRPC codes have a very weak algebraic structure. Our cryptosystems can be seen as an equivalent of the NTRU cryptosystem (and also of the more recent MDPC [MTSB12] cryptosystem) in a rank metric context. The present paper is an extended version of the article introducing LRPC codes, with important new contributions. We have improved the decoder thanks to a new approach which allows for decoding of errors of higher rank weight, namely up to $\frac{2}{3}(n-k)$, whereas the previous decoding algorithm only decodes up to $\frac{n-k}{2}$ errors. Our codes therefore outperform the classical Gabidulin code decoder, which deals with weights up to $\frac{n-k}{2}$. This comes at the expense of probabilistic decoding, but the decoding error probability can be made arbitrarily small. The new approach can also be used to decrease the decoding error probability of previous schemes, which is especially useful for cryptography. Finally, we introduce ideal rank codes, which generalize double-circulant rank codes and allow us to avoid known structural attacks based on folding. To conclude, we propose different parameter sizes for our schemes and we obtain a public key of 3337 bits for key exchange and 5893 bits for public key encryption, both for 128 bits of security.
Submitted 31 March, 2019;
originally announced April 2019.
-
Improved Veron Identification and Signature Schemes in the Rank Metric
Authors:
Emanuele Bellini,
Florian Caullery,
Philippe Gaborit,
Marc Manzano,
Victor Mateu
Abstract:
It is notably challenging to design an efficient and secure signature scheme based on error-correcting codes. An approach to building such signature schemes is to derive them from an identification protocol through the Fiat-Shamir transform. All such protocols based on codes must be run for several rounds, since each run of the protocol allows a cheating probability of either 2/3 or 1/2. The resulting signature size is proportional to the number of rounds, thus making the 1/2 cheating probability version more attractive. We present a signature scheme based on double circulant codes in the rank metric, derived from an identification protocol with cheating probability of 2/3. We reduced this probability to 1/2 to obtain the smallest signature among signature schemes based on the Fiat-Shamir paradigm, around 22 KBytes for the 128-bit security level. Furthermore, among all code-based signature schemes, our proposal has the lowest value of signature plus public key size, and the smallest secret and public key sizes. We provide a security proof in the Random Oracle Model, implementation performances, and a comparison with the parameters of the most important code-based signature schemes.
Submitted 19 April, 2019; v1 submitted 25 March, 2019;
originally announced March 2019.
-
Efficient Encryption from Random Quasi-Cyclic Codes
Authors:
Carlos Aguilar,
Olivier Blazy,
Jean-Christophe Deneuville,
Philippe Gaborit,
Gilles Zémor
Abstract:
We propose a framework for constructing efficient code-based encryption schemes from codes that do not hide any structure in their public matrix. The framework is in the spirit of the schemes first proposed by Alekhnovich in 2003 and based on the difficulty of decoding random linear codes from random errors of low weight. We depart somewhat from Alekhnovich's approach and propose an encryption scheme based on the difficulty of decoding random quasi-cyclic codes. We propose two new cryptosystems instantiated within our framework: the Hamming Quasi-Cyclic cryptosystem (HQC), based on the Hamming metric, and the Rank Quasi-Cyclic cryptosystem (RQC), based on the rank metric. We give a security proof, which reduces the IND-CPA security of our systems to a decisional version of the well-known problem of decoding random families of quasi-cyclic codes for the Hamming and rank metrics (the respective QCSD and RQCSD problems). We also provide an analysis of the decryption failure probability of our scheme in the Hamming metric case: for the rank metric there is no decryption failure. Our schemes benefit from a very fast decryption algorithm together with small key sizes of only a few thousand bits. The cryptosystems are very efficient for low encryption rates and are very well suited to key exchange and authentication. Asymptotically, for $\lambda$ the security parameter, the public key sizes are respectively in $O(\lambda^{2})$ for HQC and in $O(\lambda^{4/3})$ for RQC. Practical parameters compare well to systems based on ring-LPN or the recent MDPC system.
Submitted 16 December, 2016;
originally announced December 2016.
-
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Authors:
Philippe Gaborit,
Ayoub Otmani,
Hervé Talé Kalachi
Abstract:
Encryption schemes based on the rank metric lead to small public key sizes of the order of a few thousand bytes, which represents a very attractive feature compared to Hamming metric-based encryption schemes, where public key sizes are of the order of hundreds of thousands of bytes even with additional structure like cyclicity. The main tool for building public key encryption schemes in the rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years all these systems were attacked, essentially by the use of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kilobytes and with security closely related to the linearized polynomial reconstruction problem, which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and, until our work, the scheme had never been attacked. We show in this article that this scheme, like other schemes based on Gabidulin codes, is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code. As an example we break concrete proposed $80$-bit security parameters in a few seconds.
Submitted 14 April, 2017; v1 submitted 24 June, 2016;
originally announced June 2016.
-
RankSign: an efficient signature algorithm based on the rank metric
Authors:
Philippe Gaborit,
Olivier Ruatta,
Julien Schrek,
Gilles Zémor
Abstract:
In this paper we propose a new approach to code-based signatures that makes use in particular of rank metric codes. Whereas the classical approach consists in finding the unique preimage of a syndrome through a decoding algorithm, we propose to introduce the notion of mixed decoding of erasures and errors for building signature schemes. In that case the difficult problem becomes, as is the case in lattice-based cryptography, finding a preimage of weight above the Gilbert-Varshamov bound (the case where many solutions occur) rather than finding a unique preimage of weight below the Gilbert-Varshamov bound. The paper describes RankSign: a new signature algorithm for the rank metric based on a new mixed algorithm for decoding erasures and errors for the recently introduced Low Rank Parity Check (LRPC) codes. We explain how it is possible (depending on choices of parameters) to obtain a full decoding algorithm which is able to find a preimage of reasonable rank weight for any random syndrome with a very strong probability. We study the semantic security of our signature algorithm and show how it is possible to reduce the unforgeability to direct attacks on the public matrix, so that no information leaks through signatures. Finally, we give several examples of parameters for our scheme, some of which have a public key of size $11,520$ bits and a signature of size $1728$ bits. Moreover the scheme can be very fast for small base fields.
Submitted 26 May, 2017; v1 submitted 2 June, 2016;
originally announced June 2016.
-
RankSynd a PRNG Based on Rank Metric
Authors:
Philippe Gaborit,
Adrien Hauteville,
Jean-Pierre Tillich
Abstract:
In this paper, we consider a pseudo-random generator based on the difficulty of the syndrome decoding problem for rank metric codes. We also study the resistance of this problem against a quantum computer. Our results show that with the rank metric it is possible to obtain a fast PRNG with small public data, without considering additional structure for public matrices like quasi-cyclicity for the Hamming distance.
Submitted 16 March, 2016;
originally announced March 2016.
-
Scheduling rules to minimize total tardiness in a parallel machine problem with setup and calendar constraints
Authors:
Jacques Lamothe,
François Marmier,
Matthieu Dupuy,
Paul Gaborit,
Lionel Dupont
Abstract:
Quality control lead times are one of the most significant causes of loss of time in the pharmaceutical and cosmetics industries. This is partly due to the organization of laboratories that feature parallel multipurpose machines for chromatographic analyses. The testing process requires long setup times and operators are needed to launch the process. The various controls are non-preemptive and are characterized by a release date, a due date and available routings. These quality processes lead to significant delays, and we therefore evaluate the total tardiness criterion. Previous heuristics were defined for the total tardiness criterion, parallel machines, and setup, such as ATC (Apparent Tardiness Cost) and ATCS (ATC with setups). We propose new rules and a simulated annealing procedure in order to minimize total tardiness.
Submitted 7 September, 2015;
originally announced September 2015.
-
Distinguisher-Based Attacks on Public-Key Cryptosystems Using Reed-Solomon Codes
Authors:
Alain Couvreur,
Philippe Gaborit,
Valérie Gauthier-Umaña,
Ayoub Otmani,
Jean-Pierre Tillich
Abstract:
Because of their interesting algebraic properties, several authors promote the use of generalized Reed-Solomon codes in cryptography. Niederreiter was the first to suggest an instantiation of his cryptosystem with them, but Sidelnikov and Shestakov showed that this choice is insecure. Wieschebrink proposed a variant of the McEliece cryptosystem which consists in concatenating a few random columns to a generator matrix of a secretly chosen generalized Reed-Solomon code. More recently, new schemes appeared, namely the homomorphic encryption scheme proposed by Bogdanov and Lee, and a variation of the McEliece cryptosystem proposed by Baldi et al. which hides the generalized Reed-Solomon code by means of matrices of very low rank.
In this work, we show how to mount key-recovery attacks against these public-key encryption schemes. We use the concept of a distinguisher, which aims at detecting a behavior different from the one that one would expect from a random code. All the distinguishers we have built are based on the notion of component-wise product of codes. It results in a powerful tool that is able to recover the secret structure of codes when they are derived from generalized Reed-Solomon codes. Lastly, we give an alternative to the Sidelnikov and Shestakov attack by building a filtration which enables one to completely recover the support and the non-zero scalars defining the secret generalized Reed-Solomon code.
Submitted 28 March, 2014; v1 submitted 24 July, 2013;
originally announced July 2013.
-
On the complexity of the Rank Syndrome Decoding problem
Authors:
Philippe Gaborit,
Olivier Ruatta,
Julien Schrek
Abstract:
In this paper we propose two new generic attacks on the Rank Syndrome Decoding (RSD) problem. Let $C$ be a random $[n,k]$ rank code over $GF(q^m)$ and let $y=x+e$ be a received word such that $x \in C$ and $\mathrm{Rank}(e)=r$. The first attack is combinatorial and permits recovering an error $e$ of rank weight $r$ in $\min\left(O\big((n-k)^3 m^3 q^{r\lfloor\frac{km}{n}\rfloor}\big),\ O\big((n-k)^3 m^3 q^{(r-1)\lfloor\frac{(k+1)m}{n}\rfloor}\big)\right)$ operations on $GF(q)$. This attack dramatically improves on previous attacks by introducing the length $n$ of the code in the exponent of the complexity, which was not the case in previous generic attacks. The second attack is algebraic: based on the theory of $q$-polynomials introduced by Ore, we propose a new algebraic setting for the RSD problem that permits considering equations and unknowns in the extension field $GF(q^m)$ rather than in $GF(q)$, as is usually the case. We consider two approaches to solve the problem in this new setting. Linearization techniques show that if $n \ge (k+1)(r+1)-1$ the RSD problem can be solved in polynomial time; more generally we prove that if $\lceil \frac{(r+1)(k+1)-(n+1)}{r} \rceil \le k$, the problem can be solved with an average complexity $O(r^3k^3q^{r\lceil \frac{(r+1)(k+1)-(n+1)}{r} \rceil})$. We also consider solving with Gröbner bases, for which we discuss the theoretical complexity, and we also consider hybrid solving with Gröbner bases on practical parameters. As an example of application we use our new attacks on all recently proposed cryptosystems which repair the GPT cryptosystem: we break all examples of published proposed parameters, some of them in less than 1 s.
Submitted 6 January, 2013;
originally announced January 2013.
-
A new zero-knowledge code based identification scheme with reduced communication
Authors:
Carlos Aguilar,
Philippe Gaborit,
Julien Schrek
Abstract:
In this paper we present a new 5-pass identification scheme with asymptotic cheating probability 1/2 based on the syndrome decoding problem. Our protocol is related to the Stern identification scheme but has a reduced communication cost compared to previous code-based zero-knowledge schemes; moreover our scheme permits obtaining a very small public key and secret key. The contribution of this paper is twofold. First, we propose a variation on the Stern authentication scheme which permits decreasing the cheating probability asymptotically to 1/2 rather than 2/3 (and very close to 1/2 in practice), but with less communication. Our solution is based on deriving new challenges from the secret key through cyclic shifts of the initial public key syndrome; a new proof of soundness for this case is given. Secondly, we propose a new way to deal with hashed commitments in zero-knowledge schemes based on Stern's scheme, so that in terms of communication, on average, only one hash value is sent rather than two or three. Overall our new scheme has the good features of having a zero-knowledge security proof based on a well-known hard problem of coding theory, a small size of secret and public key (a few hundred bits), and a small calculation complexity, for an overall communication cost of 19kb for authentication (for a $2^{16}$ security) and a signature of size 93kb (11.5kB) (for security $2^{80}$), an improvement of 40% compared to previous schemes based on coding theory.
Submitted 7 November, 2011;
originally announced November 2011.
-
Classification of extremal and $s$-extremal binary self-dual codes of length 38
Authors:
Carlos Aguilar-Melchor,
Philippe Gaborit,
Jon-Lark Kim,
Lin Sok,
Patrick Solé
Abstract:
In this paper we classify all extremal and $s$-extremal binary self-dual codes of length 38. There are exactly 2744 extremal $[38,19,8]$ self-dual codes, two $s$-extremal $[38,19,6]$ codes, and 1730 $s$-extremal $[38,19,8]$ codes. We obtain our results from the use of a recursive algorithm used in the recent classification of all extremal self-dual codes of length 36, and from a generalization of this recursive algorithm for the shadow. The classification of $s$-extremal $[38,19,6]$ codes permits achieving the classification of all $s$-extremal codes with $d=6$.
Submitted 1 November, 2011;
originally announced November 2011.
-
A new class of codes for Boolean masking of cryptographic computations
Authors:
Claude Carlet,
Philippe Gaborit,
Jon-Lark Kim,
Patrick Solé
Abstract:
We introduce a new class of rate one-half binary codes: complementary information set codes. A binary linear code of length $2n$ and dimension $n$ is called a complementary information set code (CIS code for short) if it has two disjoint information sets. This class of codes contains self-dual codes as a subclass. It is connected to graph correlation immune Boolean functions of use in the security of hardware implementations of cryptographic primitives. Such codes permit improving the cost of masking cryptographic algorithms against side channel attacks. In this paper we investigate this new class of codes: we give optimal or best known CIS codes of length $< 132$. We derive general constructions based on cyclic codes and on double circulant codes. We derive a Varshamov-Gilbert bound for long CIS codes, and show that they can all be classified in small lengths $\le 12$ by the building up construction. Some nonlinear permutations are constructed by using $\mathbb{Z}_4$-codes, based on the notion of dual distance of an unrestricted code.
Submitted 4 April, 2012; v1 submitted 6 October, 2011;
originally announced October 2011.
-
Improved identity-based identification using correcting codes
Authors:
Pierre-Louis Cayrel,
Philippe Gaborit,
David Galindo,
Marc Girault
Abstract:
In this paper, a new identity-based identification scheme based on error-correcting codes is proposed. Two well-known code-based schemes are combined: the signature scheme by Courtois, Finiasz and Sendrier and an identification scheme by Stern. A proof of security for the scheme in the Random Oracle Model is given.
Submitted 28 February, 2009;
originally announced March 2009.
-
Asymptotic improvement of the Gilbert-Varshamov bound for linear codes
Authors:
Philippe Gaborit,
Gilles Zemor
Abstract:
The Gilbert-Varshamov bound states that the maximum size A_2(n,d) of a binary code of length n and minimum distance d satisfies A_2(n,d) >= 2^n/V(n,d-1) where V(n,d) stands for the volume of a Hamming ball of radius d. Recently Jiang and Vardy showed that for binary non-linear codes this bound can be improved to A_2(n,d) >= cn2^n/V(n,d-1) for c a constant and d/n <= 0.499. In this paper we show that certain asymptotic families of linear binary [n,n/2] random double circulant codes satisfy the same improved Gilbert-Varshamov bound.
Submitted 30 August, 2007;
originally announced August 2007.