![Page 1: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/1.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
OUROBOROS-R, an IND-CPA KEM based onRank Metric
NIST First Post-Quantum Cryptography StandardizationConference
Carlos AguilarMelchor2 Nicolas Aragon1 Slim Bettaieb5
Loic Bidoux5 Olivier Blazy1 Jean-Christophe Deneuville1,4
Philippe Gaborit1 Adrien Hauteville1 Gilles Zémor3
1University of Limoges, XLIM-DMI, France ; 2ISAE-SUPAERO, Toulouse, France
3IMB, University of Bordeaux; 4INSA-CVL, Bourges, France ; 5Worldline, France.
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 2: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/2.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
1 Presentation of the rank metric
2 Description of the scheme
3 Security and parameters
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 3: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/3.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
Rank Metric
We only consider codes with coefficients in Fqm .Let β, . . . , βm be a basis of Fqm/Fq. To each vector x ∈ Fn
qm wecan associate a matrix Mx
x = (x, . . . , xn) ∈ Fnqm ↔Mx =
x . . . xn...
. . ....
xm . . . xmn
∈ Fm×nq
such that xj =∑m
i= xijβi for each j ∈ [..n].
Definition
dR(x , y) = Rank(Mx −My ) and |x |r = RankMx .
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 4: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/4.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
Support of a Word
Definition
The support of a word is the Fq-subspace generated by itscoordinates:
Supp(x) = 〈x1, . . . , xn〉Fq
Number of supports of weight w :
Rank Hamming[mw
]q
≈ qw(m−w)
(nw
)6 2n
Complexity in the worst case:quadratically exponential for Rank Metricsimply exponential for Hamming Metric
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 5: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/5.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
LRPC Codes
Definition
Let H ∈ F(n−k)×nqm a full-rank matrix such that the dimension d of
〈hij〉Fq is small.By definition, H is a parity-check matrix of an [n, k]qm LRPC code.We say that d is the weight of the matrix H .
A LRPC code can decode errors (recover support) of weightr 6 n−k
d in polynomial time with a probability of failure
pf < max(q−(n−k−2(r+d)+5), q−2(n−k−rd+2)
)→ matrices based on random small weight codewords with samesupport can be turned into a decoding algorithm !
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 6: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/6.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
Difficult problems in rank metric
Problem (Rank Syndrome Decoding problem)
Given H ∈ F(n−k)×nqm , s ∈ Fn−k
qm and an integer r , find e ∈ Fnqm such
that:HeT = sT
|e|r = r
Probabilistic reduction to the NP-Complete SD problem[Gaborit-Zémor, IEEE-IT 2016].
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 7: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/7.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
1 Presentation of the rank metric
2 Description of the scheme
3 Security and parameters
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 8: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/8.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
OUROBOROS-R scheme
Vectors x of Fnqm seen as elements of Fqm [X ]/(P) for some polynomial P.
Alice Bob
seedh ← {0, 1}λ, h seedh← Fnqm
(x, y)← S2n1,w (Fqm), s← x + hy
F← Supp (x, y)
ec ← se − ysrE← QCRS-Recover(F, ec,wr )
Hash (E)
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
(r1, r2, er)← S3nwr(Fqm)
E← Supp (r1, r2, er)sr ← r1 + hr2, se ← sr2 + er
Hash (E)
Figure 1: Informal description of OUROBOROS-R. h and s constitute thepublic key. h can be recovered by publishing only the λ bits of the seed(instead of the n coordinates of h).
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 9: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/9.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
Why does it work ?
ec = se − ysr = sr2 + er − y(r1 + hr2)
= (x + hy)r2 + er − y(r1 + hr2) = xr2 − yr1 + er
1 ∈ F, coordinates of ec generate a subspace ofSupp(r1, r2, er)× Supp(x, y) on which one can apply theQCRS-Recover algorithm to recover E (LRPC decoder).
In other words: ec seen as syndrome associated to an LRPC codebased on the secret key (x , y)→ a reasonable decoding algorithm is used to decode a SMALLweight error !
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 10: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/10.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
1 Presentation of the rank metric
2 Description of the scheme
3 Security and parameters
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 11: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/11.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
Semantic Security
Theorem
Under the assumption of the hardness of the[2n, n]-Decisional-QCRSD and [3n, n]-Decisional-QCRSD problems,OUROBOROS-R is IND-CPA in the Random Oracle Model.
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 12: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/12.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
Best Known Attacks
Combinatorial attacks: try to guess the support of the error orof the codeword. The best algorithm is GRS+(Aragon et al.ISIT 2018). On average:
O((nm)qrd
kmn e−m
)Quantum Speed Up : Grover’s algorithm directly applies toGRS+ =⇒ exponent divided by 2.
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 13: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/13.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
Examples of parameters
All the times are given in ms, performed on an Intel Corei7-4700HQ CPU running at 3.40GHz.
Security Key Ciphertext KeyGen Encap Decap ProbabilitySize (bits) Size (bits) Time(ms) Time(ms) Time(ms) of failure
128 5,408 10,816 0.18 0.29 0.53 < 2−36
192 6,456 12,912 0.19 0.33 0.97 < 2−36
256 8,896 17,792 0.24 0.40 1.38 < 2−42
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 14: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/14.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
Advantages and Limitations
Advantages:Small key sizeVery fast encryption/decryption timeReduction to decoding a random (QC) code.Well understood decryption failure probability
Limitations:Longer ciphertext (compared to LRPC) because ofreconciliation (×2).Slighlty larger parameters because of security reductioncompared to LRPC.RSD problem studied since 27 years.
OUROBOROS-R, an IND-CPA KEM based on Rank Metric
![Page 15: OUROBOROS-R, an IND-CPA KEM based on Rank Metric ......OUROBOROS-R, an IND-CPA KEM based on Rank Metric - NIST First Post-Quantum Cryptography Standardization Conference Author Carlos](https://reader034.vdocuments.mx/reader034/viewer/2022042922/5f6c7954eb452a356429055c/html5/thumbnails/15.jpg)
Presentation of the rank metric Description of the scheme Security and parameters
Questions !
OUROBOROS-R, an IND-CPA KEM based on Rank Metric