-
RankSign: an efficient signature algorithm based on the rank metric
Authors:
Philippe Gaborit,
Olivier Ruatta,
Julien Schrek,
Gilles ZĂ©mor
Abstract:
In this paper we propose a new approach to code-based signatures that makes use in particular of rank metric codes. When the classical approach consists in finding the unique preimage of a syndrome through a decoding algorithm, we propose to introduce the notion of mixed decoding of erasures and errors for building signature schemes. In that case the difficult problem becomes, as is the case in la…
▽ More
In this paper we propose a new approach to code-based signatures that makes use in particular of rank metric codes. When the classical approach consists in finding the unique preimage of a syndrome through a decoding algorithm, we propose to introduce the notion of mixed decoding of erasures and errors for building signature schemes. In that case the difficult problem becomes, as is the case in lattice-based cryptography, finding a preimage of weight above the Gilbert-Varshamov bound (case where many solutions occur) rather than finding a unique preimage of weight below the Gilbert-Varshamov bound. The paper describes RankSign: a new signature algorithm for the rank metric based on a new mixed algorithm for decoding erasures and errors for the recently introduced Low Rank Parity Check (LRPC) codes. We explain how it is possible (depending on choices of parameters) to obtain a full decoding algorithm which is able to find a preimage of reasonable rank weight for any random syndrome with a very strong probability. We study the semantic security of our signature algorithm and show how it is possible to reduce the unforgeability to direct attacks on the public matrix, so that no information leaks through signatures. Finally, we give several examples of parameters for our scheme, some of which with public key of size $11,520$ bits and signature of size $1728$ bits. Moreover the scheme can be very fast for small base fields.
△ Less
Submitted 26 May, 2017; v1 submitted 2 June, 2016;
originally announced June 2016.
-
On the complexity of the Rank Syndrome Decoding problem
Authors:
Philippe Gaborit,
Olivier Ruatta,
Julien Schrek
Abstract:
In this paper we propose two new generic attacks on the Rank Syndrome Decoding (RSD) problem
Let $C$ be a random $[n,k]$ rank code over $GF(q^m)$ and let $y=x+e$ be a received word such that $x \in C$ and the $Rank(e)=r$. The first attack is combinatorial and permits to recover an error $e$ of rank weight $r$ in…
▽ More
In this paper we propose two new generic attacks on the Rank Syndrome Decoding (RSD) problem
Let $C$ be a random $[n,k]$ rank code over $GF(q^m)$ and let $y=x+e$ be a received word such that $x \in C$ and the $Rank(e)=r$. The first attack is combinatorial and permits to recover an error $e$ of rank weight $r$ in $min(O((n-k)^3m^3q^{r\lfloor\frac{km}{n}\rfloor}, O((n-k)^3m^3q^{(r-1)\lfloor\frac{(k+1)m}{n}\rfloor}))$ operations on $GF(q)$. This attack dramatically improves on previous attack by introducing the length $n$ of the code in the exponent of the complexity, which was not the case in previous generic attacks. which can be considered The second attack is based on a algebraic attacks: based on the theory of $q$-polynomials introduced by Ore we propose a new algebraic setting for the RSD problem that permits to consider equations and unknowns in the extension field $GF(q^m)$ rather than in $GF(q)$ as it is usually the case. We consider two approaches to solve the problem in this new setting. Linearization technics show that if $n \ge (k+1)(r+1)-1$ the RSD problem can be solved in polynomial time, more generally we prove that if $\lceil \frac{(r+1)(k+1)-(n+1)}{r} \rceil \le k$, the problem can be solved with an average complexity $O(r^3k^3q^{r\lceil \frac{(r+1)(k+1)-(n+1)}{r} \rceil})$. We also consider solving with \grob bases for which which we discuss theoretical complexity, we also consider consider hybrid solving with \grob bases on practical parameters. As an example of application we use our new attacks on all proposed recent cryptosystems which reparation the GPT cryptosystem, we break all examples of published proposed parameters, some parameters are broken in less than 1 s in certain cases.
△ Less
Submitted 6 January, 2013;
originally announced January 2013.
-
A new zero-knowledge code based identification scheme with reduced communication
Authors:
Carlos Aguilar,
Philippe Gaborit,
Julien Schrek
Abstract:
In this paper we present a new 5-pass identification scheme with asymptotic cheating probability 1/2 based on the syndrome decoding problem. Our protocol is related to the Stern identification scheme but has a reduced communication cost compared to previous code-based zero-knowledge schemes, moreover our scheme permits to obtain a very low size of public key and secret key. The contribution of thi…
▽ More
In this paper we present a new 5-pass identification scheme with asymptotic cheating probability 1/2 based on the syndrome decoding problem. Our protocol is related to the Stern identification scheme but has a reduced communication cost compared to previous code-based zero-knowledge schemes, moreover our scheme permits to obtain a very low size of public key and secret key. The contribution of this paper is twofold, first we propose a variation on the Stern authentication scheme which permits to decrease asymptotically the cheating probability to 1/2 rather than 2/3 (and very close to 1/2 in practice) but with less communication. Our solution is based on deriving new challenges from the secret key through cyclic shifts of the initial public key syndrome; a new proof of soundness for this case is given Secondly we propose a new way to deal with hashed commitments in zero-knowledge schemes based on Stern's scheme, so that in terms of communication, on the average, only one hash value is sent rather than two or three. Overall our new scheme has the good features of having a zero-knowledge security proof based on well known hard problem of coding theory, a small size of secret and public key (a few hundred bits), a small calculation complexity, for an overall communication cost of 19kb for authentication (for a $2^{16}$ security) and a signature of size of 93kb (11.5kB) (for security $2^{80}$), an improvement of 40% compared to previous schemes based on coding theory.
△ Less
Submitted 7 November, 2011;
originally announced November 2011.
