![Page 1: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/1.jpg)
Ouroboros: a simple, secure and efficient key exchange protocol basedon coding theory
Jean-Christophe Deneuville<[email protected]>
June the 26th, 2017PQCrypto’17
Utrecht
Joint work with:
P. Gaborit G. ZemorUniversity of Limoges University of Bordeaux
![Page 2: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/2.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security reductionto a standardproblem (randomcodes)
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 3: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/3.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s
[Nie86]
Other variationsMost of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security reductionto a standardproblem (randomcodes)
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 4: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/4.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86]
Other variationsMost of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security reductionto a standardproblem (randomcodes)
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 5: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/5.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86]
Other variationsMost of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security reductionto a standardproblem (randomcodes)
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 6: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/6.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 7: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/7.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 8: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/8.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 9: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/9.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 10: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/10.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 11: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/11.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 12: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/12.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 13: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/13.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 14: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/14.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 15: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/15.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 16: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/16.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 17: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/17.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 18: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/18.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 19: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/19.jpg)
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
Proof
Efficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
![Page 20: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/20.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 3 / 21
![Page 21: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/21.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
HQC Encryption Scheme [ABD+16]
Encryption scheme in Hamming metric, using Quasi-Cyclic Codes
Notation: Secret data - Public data - One-time Randomness
G is the generator matrix of some public code C.
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
µ← C.Decode (ρ− vy)
seedh,s−−−−−−−−−→
v,ρ←−−−−−−−
r1, r2$← Snw (F2), ε
$← Sncw (F2)v← r1 + hr2, ρ← µG + sr2 + ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 4 / 21
![Page 22: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/22.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
HQC Encryption Scheme [ABD+16]
Encryption scheme in Hamming metric, using Quasi-Cyclic Codes
Notation: Secret data - Public data - One-time Randomness
G is the generator matrix of some public code C.
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
µ← C.Decode (ρ− vy)
seedh,s−−−−−−−−−→
v,ρ←−−−−−−−
r1, r2$← Snw (F2), ε
$← Sncw (F2)v← r1 + hr2, ρ← µG + sr2 + ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 4 / 21
![Page 23: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/23.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
HQC Encryption Scheme [ABD+16]
Encryption scheme in Hamming metric, using Quasi-Cyclic Codes
Notation: Secret data - Public data - One-time Randomness
G is the generator matrix of some public code C.
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
µ← C.Decode (ρ− vy)
seedh,s−−−−−−−−−→
v,ρ←−−−−−−−
r1, r2$← Snw (F2), ε
$← Sncw (F2)v← r1 + hr2, ρ← µG + sr2 + ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 4 / 21
![Page 24: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/24.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
HQC Encryption Scheme [ABD+16]
Encryption scheme in Hamming metric, using Quasi-Cyclic Codes
Notation: Secret data - Public data - One-time Randomness
G is the generator matrix of some public code C.
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
µ← C.Decode (ρ− vy)
seedh,s−−−−−−−−−→
v,ρ←−−−−−−−
r1, r2$← Snw (F2), ε
$← Sncw (F2)v← r1 + hr2, ρ← µG + sr2 + ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 4 / 21
![Page 25: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/25.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Correctness
Correctness Property
Decrypt (sk,Encrypt (pk,µ, θ)) = µ
C.Decode correctly decodes ρ− v · y whenever
the error term is not too big
ω (s · r2 − v · y + ε) ≤ δω ((x + h · y) · r2 − (r1 + h · r2) · y + ε) ≤ δω(x · r2 − r1 · y + ε) ≤ δ
Error distribution analysis → Decryption failure probability better understood
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 5 / 21
![Page 26: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/26.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Correctness
Correctness Property
Decrypt (sk,Encrypt (pk,µ, θ)) = µ
C.Decode correctly decodes ρ− v · y whenever
the error term is not too big
ω (s · r2 − v · y + ε) ≤ δω ((x + h · y) · r2 − (r1 + h · r2) · y + ε) ≤ δω(x · r2 − r1 · y + ε) ≤ δ
Error distribution analysis → Decryption failure probability better understood
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 5 / 21
![Page 27: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/27.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Correctness
Correctness Property
Decrypt (sk,Encrypt (pk,µ, θ)) = µ
C.Decode correctly decodes ρ− v · y whenever
the error term is not too big
ω (s · r2 − v · y + ε) ≤ δω ((x + h · y) · r2 − (r1 + h · r2) · y + ε) ≤ δω(x · r2 − r1 · y + ε) ≤ δ
Error distribution analysis → Decryption failure probability better understood
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 5 / 21
![Page 28: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/28.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocolCyclic Error DecodingBitFlipping algorithmDescription of the protocol
3 Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 6 / 21
![Page 29: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/29.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
![Page 30: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/30.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
![Page 31: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/31.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
![Page 32: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/32.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
![Page 33: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/33.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
![Page 34: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/34.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocolCyclic Error DecodingBitFlipping algorithmDescription of the protocol
3 Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 8 / 21
![Page 35: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/35.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
![Page 36: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/36.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
![Page 37: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/37.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
![Page 38: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/38.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
![Page 39: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/39.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
![Page 40: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/40.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocolCyclic Error DecodingBitFlipping algorithmDescription of the protocol
3 Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 10 / 21
![Page 41: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/41.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
![Page 42: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/42.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
![Page 43: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/43.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
![Page 44: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/44.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
![Page 45: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/45.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
![Page 46: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/46.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
![Page 47: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/47.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
![Page 48: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/48.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 SecuritySecurity Model and Hybrid ArgumentOuroboros Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 12 / 21
![Page 49: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/49.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security Model and Hybrid Argument
Key exchange as an encryption scheme
Same as Ding et al. [Din12, DXL12], Peikert’s [Pei14], BCNS [BCNS15] and NewHope [ADPS16]
Usual game:
Expind−bE,A (λ)
1. param← Setup(1λ)2. (pk, sk)← KeyGen(param)3. (ε0, ε1)← A(FIND : pk)4. c∗ ← Encrypt(pk, εb, θ)5. b′ ← A(GUESS : c∗)6. RETURN b′
Hybrid argument:1 Construct a sequence of games transitioning from Enc(ε0) to
Enc(ε1)2 Prove they are indistinguishable one from another
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 13 / 21
![Page 50: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/50.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security Model and Hybrid Argument
Key exchange as an encryption scheme
Same as Ding et al. [Din12, DXL12], Peikert’s [Pei14], BCNS [BCNS15] and NewHope [ADPS16]
Usual game:
Expind−bE,A (λ)
1. param← Setup(1λ)2. (pk, sk)← KeyGen(param)3. (ε0, ε1)← A(FIND : pk)4. c∗ ← Encrypt(pk, εb, θ)5. b′ ← A(GUESS : c∗)6. RETURN b′
Hybrid argument:1 Construct a sequence of games transitioning from Enc(ε0) to
Enc(ε1)2 Prove they are indistinguishable one from another
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 13 / 21
![Page 51: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/51.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security Model and Hybrid Argument
Key exchange as an encryption scheme
Same as Ding et al. [Din12, DXL12], Peikert’s [Pei14], BCNS [BCNS15] and NewHope [ADPS16]
Usual game:
Expind−bE,A (λ)
1. param← Setup(1λ)2. (pk, sk)← KeyGen(param)3. (ε0, ε1)← A(FIND : pk)4. c∗ ← Encrypt(pk, εb, θ)5. b′ ← A(GUESS : c∗)6. RETURN b′
Hybrid argument:1 Construct a sequence of games transitioning from Enc(ε0) to
Enc(ε1)2 Prove they are indistinguishable one from another
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 13 / 21
![Page 52: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/52.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security Model and Hybrid Argument
Key exchange as an encryption scheme
Same as Ding et al. [Din12, DXL12], Peikert’s [Pei14], BCNS [BCNS15] and NewHope [ADPS16]
Usual game:
Expind−bE,A (λ)
1. param← Setup(1λ)2. (pk, sk)← KeyGen(param)3. (ε0, ε1)← A(FIND : pk)4. c∗ ← Encrypt(pk, εb, θ)5. b′ ← A(GUESS : c∗)6. RETURN b′
Hybrid argument:1 Construct a sequence of games transitioning from Enc(ε0) to
Enc(ε1)2 Prove they are indistinguishable one from another
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 13 / 21
![Page 53: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/53.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 SecuritySecurity Model and Hybrid ArgumentOuroboros Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 14 / 21
![Page 54: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/54.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security
Definition (SD Distribution)
For positive integers, n, k, and w , the SD(n, k ,w) Distribution chooses H$← F(n−k)×n and x
$← Fn
such that ω(x) = w , and outputs (H,Hx>).
Definition (Decisional s-QCSD Problem)
For positive integers n, k , w , s, a random parity check matrix H of a QC code C and y$← Fn, the
Decisional s-Quasi-Cyclic SD Problem s-DQCSD(n, k ,w) asks to decide with non-negligible advantagewhether (H, y>) came from the s-QCSD(n, k ,w) distribution or the uniform distribution overF(n−k)×n × Fn−k .
Theorem
Ouroboros is IND-CPA under the 2-DQCSD and 3-DQCSD assumptions. → sketch of proof
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 15 / 21
![Page 55: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/55.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security
Definition (SD Distribution)
For positive integers, n, k, and w , the SD(n, k ,w) Distribution chooses H$← F(n−k)×n and x
$← Fn
such that ω(x) = w , and outputs (H,Hx>).
Definition (Decisional s-QCSD Problem)
For positive integers n, k , w , s, a random parity check matrix H of a QC code C and y$← Fn, the
Decisional s-Quasi-Cyclic SD Problem s-DQCSD(n, k ,w) asks to decide with non-negligible advantagewhether (H, y>) came from the s-QCSD(n, k ,w) distribution or the uniform distribution overF(n−k)×n × Fn−k .
Theorem
Ouroboros is IND-CPA under the 2-DQCSD and 3-DQCSD assumptions. → sketch of proof
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 15 / 21
![Page 56: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/56.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security
Definition (SD Distribution)
For positive integers, n, k, and w , the SD(n, k ,w) Distribution chooses H$← F(n−k)×n and x
$← Fn
such that ω(x) = w , and outputs (H,Hx>).
Definition (Decisional s-QCSD Problem)
For positive integers n, k , w , s, a random parity check matrix H of a QC code C and y$← Fn, the
Decisional s-Quasi-Cyclic SD Problem s-DQCSD(n, k ,w) asks to decide with non-negligible advantagewhether (H, y>) came from the s-QCSD(n, k ,w) distribution or the uniform distribution overF(n−k)×n × Fn−k .
Theorem
Ouroboros is IND-CPA under the 2-DQCSD and 3-DQCSD assumptions. → sketch of proof
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 15 / 21
![Page 57: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/57.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 Security
4 ParametersReduction CompliantOptimized Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 16 / 21
![Page 58: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/58.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Reduction Compliant Parameters
Ouroboros Parameters
Instance n w we threshold security DFR
Low-I 5, 851 47 94 30 80 0.92·10−5
Low-II 5, 923 47 94 30 80 2.3 · 10−6
Medium-I 13, 691 75 150 45 128 0.96·10−5
Medium-II 14, 243 75 150 45 128 1.09·10−6
Strong-I 40, 013 147 294 85 256 4.20·10−5
Strong-II 40, 973 147 294 85 256 < 10−6
Table : Parameter sets for Ouroboros
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 17 / 21
![Page 59: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/59.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 Security
4 ParametersReduction CompliantOptimized Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 18 / 21
![Page 60: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/60.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Optimized Parameters wrt Best Know Attacks
Ouroboros Optimized Parameters
Instance n w we threshold security DFR
Low-I 4, 813 41 123 27 80 2.23·10−5
Low-II 5, 003 41 123 27 80 2.60·10−6
Medium-I 10, 301 67 201 42 128 1.01·10−4
Medium-II 10, 837 67 201 42 128 < 10−7
Strong-I 32, 771 131 393 77 256 < 10−4
Strong-II 33, 997 131 393 77 256 < 10−7
Table : Optimized parameter sets for Ouroboros in Hamming metric
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 19 / 21
![Page 61: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/61.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
![Page 62: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/62.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
![Page 63: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/63.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
![Page 64: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/64.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
![Page 65: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/65.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
![Page 66: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/66.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
![Page 67: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/67.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
![Page 68: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/68.jpg)
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
![Page 69: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/69.jpg)
Thanks!
Carlos Aguilar Melchor, Olivier Blazy, Jean Christophe
Deneuville, Philippe Gaborit, and Gilles Zemor.Efficient encryption from random quasi-cyclic codes.CoRR, abs/1612.05572, 2016.
Erdem Alkim, Leo Ducas, Thomas Poppelmann, and
Peter Schwabe.Post-quantum key exchange - A new hope.In Thorsten Holz and Stefan Savage, editors, 25thUSENIX Security Symposium, USENIX Security 16,Austin, TX, USA, August 10-12, 2016., pages327–343. USENIX Association, 2016.
Michael Alekhnovich.
More on average case vs approximation complexity.In 44th Symposium on Foundations of ComputerScience (FOCS 2003), 11-14 October 2003,Cambridge, MA, USA, Proceedings, pages 298–307,2003.
Joppe W. Bos, Craig Costello, Michael Naehrig, and
Douglas Stebila.
Post-quantum key exchange for the TLS protocolfrom the ring learning with errors problem.In 2015 IEEE Symposium on Security and Privacy,pages 553–570. IEEE Computer Society Press, May2015.
Julia Chaulet and Nicolas Sendrier.
Worst case qc-mdpc decoder for mceliececryptosystem.In Information Theory (ISIT), 2016 IEEE InternationalSymposium on, pages 1366–1370. IEEE, 2016.
Jintai Ding.
New cryptographic constructions using generalizedlearning with errors problem.Cryptology ePrint Archive, Report 2012/387, 2012.
Jintai Ding, Xiang Xie, and Xiaodong Lin.
A simple provably secure key exchange scheme basedon the learning with errors problem.Cryptology ePrint Archive, Report 2012/688, 2012.
Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier,
and Paulo SLM Barreto.Mdpc-mceliece: New mceliece variants frommoderate density parity-check codes.In Information Theory Proceedings (ISIT), 2013 IEEEInternational Symposium on, pages 2069–2073. IEEE,2013.
Chris Peikert.
Lattice cryptography for the internet.In Michele Mosca, editor, Post-QuantumCryptography - 6th International Workshop,PQCrypto 2014, Waterloo, ON, Canada, October 1-3,2014. Proceedings, volume 8772 of Lecture Notes inComputer Science, pages 197–219. Springer, 2014.
Nicolas Sendrier.
Encoding information into constant weight words.In Information Theory, 2005. ISIT 2005. Proceedings.International Symposium on, pages 435–438. IEEE,2005.
Paper available @ http://unil.im/ouroboros
![Page 70: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/70.jpg)
Thanks!
Carlos Aguilar Melchor, Olivier Blazy, Jean Christophe
Deneuville, Philippe Gaborit, and Gilles Zemor.Efficient encryption from random quasi-cyclic codes.CoRR, abs/1612.05572, 2016.
Erdem Alkim, Leo Ducas, Thomas Poppelmann, and
Peter Schwabe.Post-quantum key exchange - A new hope.In Thorsten Holz and Stefan Savage, editors, 25thUSENIX Security Symposium, USENIX Security 16,Austin, TX, USA, August 10-12, 2016., pages327–343. USENIX Association, 2016.
Michael Alekhnovich.
More on average case vs approximation complexity.In 44th Symposium on Foundations of ComputerScience (FOCS 2003), 11-14 October 2003,Cambridge, MA, USA, Proceedings, pages 298–307,2003.
Joppe W. Bos, Craig Costello, Michael Naehrig, and
Douglas Stebila.
Post-quantum key exchange for the TLS protocolfrom the ring learning with errors problem.In 2015 IEEE Symposium on Security and Privacy,pages 553–570. IEEE Computer Society Press, May2015.
Julia Chaulet and Nicolas Sendrier.
Worst case qc-mdpc decoder for mceliececryptosystem.In Information Theory (ISIT), 2016 IEEE InternationalSymposium on, pages 1366–1370. IEEE, 2016.
Jintai Ding.
New cryptographic constructions using generalizedlearning with errors problem.Cryptology ePrint Archive, Report 2012/387, 2012.
Jintai Ding, Xiang Xie, and Xiaodong Lin.
A simple provably secure key exchange scheme basedon the learning with errors problem.Cryptology ePrint Archive, Report 2012/688, 2012.
Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier,
and Paulo SLM Barreto.Mdpc-mceliece: New mceliece variants frommoderate density parity-check codes.In Information Theory Proceedings (ISIT), 2013 IEEEInternational Symposium on, pages 2069–2073. IEEE,2013.
Chris Peikert.
Lattice cryptography for the internet.In Michele Mosca, editor, Post-QuantumCryptography - 6th International Workshop,PQCrypto 2014, Waterloo, ON, Canada, October 1-3,2014. Proceedings, volume 8772 of Lecture Notes inComputer Science, pages 197–219. Springer, 2014.
Nicolas Sendrier.
Encoding information into constant weight words.In Information Theory, 2005. ISIT 2005. Proceedings.International Symposium on, pages 435–438. IEEE,2005.
Paper available @ http://unil.im/ouroboros
![Page 71: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/71.jpg)
Rank Metric Interlude (1/2)
Rank metric defined over (finite) extensions of finite fields
Fq a finite field with q a power of a prime.
Fqm an extension of degree m of Fq.
Fqm can be seen as a vector space on Fq.
B = (b1, ..., bm) a basis of Fqm over Fq.
Let v = (v1, . . . , vn) be a word of length n in Fqm .
Any coordinate vj =∑m
i=1 vijbi with vij ∈ Fq.v = (v1, ..., vn)→ V =
v11 v12 . . . v1n
v21 v22 . . . v2n
......
. . ....
vm1 vm2 . . . vmn
Rank weight of word
v has rank r = rank(v) iff the rank of V = (vij)ij is r .Equivalently rank(v) = r ⇔ vj ∈ Vr ⊂ Fn
qm with dim(Vr )=r.
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 22 / 21
![Page 72: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/72.jpg)
Rank Metric Interlude (1/2)
Rank metric defined over (finite) extensions of finite fields
Fq a finite field with q a power of a prime.
Fqm an extension of degree m of Fq.
Fqm can be seen as a vector space on Fq.
B = (b1, ..., bm) a basis of Fqm over Fq.
Let v = (v1, . . . , vn) be a word of length n in Fqm .
Any coordinate vj =∑m
i=1 vijbi with vij ∈ Fq.v = (v1, ..., vn)→ V =
v11 v12 . . . v1n
v21 v22 . . . v2n
......
. . ....
vm1 vm2 . . . vmn
Rank weight of word
v has rank r = rank(v) iff the rank of V = (vij)ij is r .Equivalently rank(v) = r ⇔ vj ∈ Vr ⊂ Fn
qm with dim(Vr )=r.
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 22 / 21
![Page 73: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/73.jpg)
Rank Metric Interlude (1/2)
Rank metric defined over (finite) extensions of finite fields
Fq a finite field with q a power of a prime.
Fqm an extension of degree m of Fq.
Fqm can be seen as a vector space on Fq.
B = (b1, ..., bm) a basis of Fqm over Fq.
Let v = (v1, . . . , vn) be a word of length n in Fqm .
Any coordinate vj =∑m
i=1 vijbi with vij ∈ Fq.v = (v1, ..., vn)→ V =
v11 v12 . . . v1n
v21 v22 . . . v2n
......
. . ....
vm1 vm2 . . . vmn
Rank weight of word
v has rank r = rank(v) iff the rank of V = (vij)ij is r .Equivalently rank(v) = r ⇔ vj ∈ Vr ⊂ Fn
qm with dim(Vr )=r.
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 22 / 21
![Page 74: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/74.jpg)
Rank Metric Interlude (2/2)
Best Known Attacks have worse complexity in rank metric (2O(n2)) than in Hamming metric (2O(n))Consequence: worse attacks ⇒ better parameters
Ouroboros-R Parameters
Instancekey size(bits)
n m q w securitydecoding
failure
Ouroboros-R-I 1,591 37 43 2 5 100 10−4
Ouroboros-R-II 2,809 53 53 2 5 128 10−8
Ouroboros-R-III 3, 953 59 67 2 6 192 10−7
Ouroboros-R-IV 5, 293 67 79 2 7 256 10−5
Ouroboros-R-V 5, 618 53 53 4 6 256 10−10
Parameter sets for Ouroboros-R in rank metric.back to conclusion
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 23 / 21
![Page 75: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/75.jpg)
Rank Metric Interlude (2/2)
Best Known Attacks have worse complexity in rank metric (2O(n2)) than in Hamming metric (2O(n))Consequence: worse attacks ⇒ better parameters
Ouroboros-R Parameters
Instancekey size(bits)
n m q w securitydecoding
failure
Ouroboros-R-I 1,591 37 43 2 5 100 10−4
Ouroboros-R-II 2,809 53 53 2 5 128 10−8
Ouroboros-R-III 3, 953 59 67 2 6 192 10−7
Ouroboros-R-IV 5, 293 67 79 2 7 256 10−5
Ouroboros-R-V 5, 618 53 53 4 6 256 10−10
Parameter sets for Ouroboros-R in rank metric.back to conclusion
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 23 / 21
![Page 76: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/76.jpg)
Rank Metric Interlude (2/2)
Best Known Attacks have worse complexity in rank metric (2O(n2)) than in Hamming metric (2O(n))Consequence: worse attacks ⇒ better parameters
Ouroboros-R Parameters
Instancekey size(bits)
n m q w securitydecoding
failure
Ouroboros-R-I 1,591 37 43 2 5 100 10−4
Ouroboros-R-II 2,809 53 53 2 5 128 10−8
Ouroboros-R-III 3, 953 59 67 2 6 192 10−7
Ouroboros-R-IV 5, 293 67 79 2 7 256 10−5
Ouroboros-R-V 5, 618 53 53 4 6 256 10−10
Parameter sets for Ouroboros-R in rank metric.back to conclusion
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 23 / 21
![Page 77: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/77.jpg)
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
![Page 78: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/78.jpg)
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
![Page 79: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/79.jpg)
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
![Page 80: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/80.jpg)
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
![Page 81: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/81.jpg)
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
![Page 82: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/82.jpg)
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
![Page 83: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/83.jpg)
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Encs?(ε0)Enc(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
![Page 84: Ouroboros: a simple, secure and efficient key exchange ... · Ouroboros: a simple, secure and e cient key exchange protocol based on coding theory Jean-Christophe Deneuville](https://reader030.vdocuments.net/reader030/viewer/2022041111/5f155a0ffdabdb63057afc9a/html5/thumbnails/84.jpg)
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Encs?(ε0)Enc(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21