Ouroboros: a simple, secure and efficient key exchange protocol basedon coding theory
Jean-Christophe Deneuville<[email protected]>
June the 26th, 2017PQCrypto’17
Utrecht
Joint work with:
P. Gaborit G. ZemorUniversity of Limoges University of Bordeaux
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security reductionto a standardproblem (randomcodes)
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s
[Nie86]
Other variationsMost of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security reductionto a standardproblem (randomcodes)
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86]
Other variationsMost of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security reductionto a standardproblem (randomcodes)
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86]
Other variationsMost of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security reductionto a standardproblem (randomcodes)
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
LackaProof
LackEfficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Motivations
[ME78]
Key Sizes
80’s↓
00’s[Nie86] Other variations
Most of them broken
[Ale03]
[Gab05]
[Gab91]
[ABDGZ16]
HQC
RQC
[Ove07]Attacks
Bottom Line
Proof
Efficiency
Security proof
RankMetric
Groupaction
[MB09] dyadic[BCGO09] alternant
[BBC08]QC-LDPC
Ntru-like[MTSB13]QC-MDPC
[GMRZ13]QC-LRPCNtru-like
RSBCHGoppaRM
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 3 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
HQC Encryption Scheme [ABD+16]
Encryption scheme in Hamming metric, using Quasi-Cyclic Codes
Notation: Secret data - Public data - One-time Randomness
G is the generator matrix of some public code C.
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
µ← C.Decode (ρ− vy)
seedh,s−−−−−−−−−→
v,ρ←−−−−−−−
r1, r2$← Snw (F2), ε
$← Sncw (F2)v← r1 + hr2, ρ← µG + sr2 + ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 4 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
HQC Encryption Scheme [ABD+16]
Encryption scheme in Hamming metric, using Quasi-Cyclic Codes
Notation: Secret data - Public data - One-time Randomness
G is the generator matrix of some public code C.
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
µ← C.Decode (ρ− vy)
seedh,s−−−−−−−−−→
v,ρ←−−−−−−−
r1, r2$← Snw (F2), ε
$← Sncw (F2)v← r1 + hr2, ρ← µG + sr2 + ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 4 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
HQC Encryption Scheme [ABD+16]
Encryption scheme in Hamming metric, using Quasi-Cyclic Codes
Notation: Secret data - Public data - One-time Randomness
G is the generator matrix of some public code C.
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
µ← C.Decode (ρ− vy)
seedh,s−−−−−−−−−→
v,ρ←−−−−−−−
r1, r2$← Snw (F2), ε
$← Sncw (F2)v← r1 + hr2, ρ← µG + sr2 + ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 4 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
HQC Encryption Scheme [ABD+16]
Encryption scheme in Hamming metric, using Quasi-Cyclic Codes
Notation: Secret data - Public data - One-time Randomness
G is the generator matrix of some public code C.
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
µ← C.Decode (ρ− vy)
seedh,s−−−−−−−−−→
v,ρ←−−−−−−−
r1, r2$← Snw (F2), ε
$← Sncw (F2)v← r1 + hr2, ρ← µG + sr2 + ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 4 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Correctness
Correctness Property
Decrypt (sk,Encrypt (pk,µ, θ)) = µ
C.Decode correctly decodes ρ− v · y whenever
the error term is not too big
ω (s · r2 − v · y + ε) ≤ δω ((x + h · y) · r2 − (r1 + h · r2) · y + ε) ≤ δω(x · r2 − r1 · y + ε) ≤ δ
Error distribution analysis → Decryption failure probability better understood
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 5 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Correctness
Correctness Property
Decrypt (sk,Encrypt (pk,µ, θ)) = µ
C.Decode correctly decodes ρ− v · y whenever
the error term is not too big
ω (s · r2 − v · y + ε) ≤ δω ((x + h · y) · r2 − (r1 + h · r2) · y + ε) ≤ δω(x · r2 − r1 · y + ε) ≤ δ
Error distribution analysis → Decryption failure probability better understood
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 5 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Correctness
Correctness Property
Decrypt (sk,Encrypt (pk,µ, θ)) = µ
C.Decode correctly decodes ρ− v · y whenever
the error term is not too big
ω (s · r2 − v · y + ε) ≤ δω ((x + h · y) · r2 − (r1 + h · r2) · y + ε) ≤ δω(x · r2 − r1 · y + ε) ≤ δ
Error distribution analysis → Decryption failure probability better understood
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 5 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocolCyclic Error DecodingBitFlipping algorithmDescription of the protocol
3 Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 6 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
A particular decoding
HQC requires x · r2 − r1 · y + ε to be “small” to correctly decodeOuroboros further exploits the shape of the error
Cyclic Error Decoding (CED) Problem
Let x, y, r1, r2$← Snw (F2) with w = O(
√n), and e
$← Sncw (F2) a random error vector.
Given (x, y) ∈ (Snw (F2))2 and ec ← xr2 − yr1 + e such that ω(r1) = ω(r2) = w , find (r1, r2).
This is essentially a noisy SD problem
x�
−y� r2
r1
+
e
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 7 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocolCyclic Error DecodingBitFlipping algorithmDescription of the protocol
3 Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 8 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Hard Decision Decoding: BitFlipping
Introduced by Gallager in 1962
Iterative decoding for Low Density Parity Check codes
Decoding capacity increase linearly with the code length
Intuition
1 Compute the number of unsatisfied parity-check equations for each bit of the message
2 If this number is greater than some threshold, flip the bit and go to 1.
3 Stop when the syndrome is null (or after a certain number of iterations).
Easy to understand
Easy to implement
Pretty efficient
The threshold value is crucial [CS16]
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 9 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocolCyclic Error DecodingBitFlipping algorithmDescription of the protocol
3 Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 10 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Ouroboros
Requires a hash function Hash : {0, 1}∗ −→ Sncw (F2) [Sen05]
ε of HQC plays the role of the exchanged secret in Ouroboros
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem
Alice Bob
seedh$← {0, 1}λ, h
seedh← Fn2
x, y$← Snw (F2), s← x + hy
ec ← se − ysr = xr2 − yr1 + ε′
(r1, r2)← CE-Decoder(x, y, ec, t,w ,we)ε← ec − xr2 + yr1 − Hash(r1, r2)
ε
h,s−−−−−−→
sr,se←−−−−−−−
SharedSecret
r1, r2$← Snw (F2)
er ← Hash (r1, r2), ε$← Snwe
(F2)sr ← r1 + hr2, se ← sr2 + er + ε
ε
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 11 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 SecuritySecurity Model and Hybrid ArgumentOuroboros Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 12 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security Model and Hybrid Argument
Key exchange as an encryption scheme
Same as Ding et al. [Din12, DXL12], Peikert’s [Pei14], BCNS [BCNS15] and NewHope [ADPS16]
Usual game:
Expind−bE,A (λ)
1. param← Setup(1λ)2. (pk, sk)← KeyGen(param)3. (ε0, ε1)← A(FIND : pk)4. c∗ ← Encrypt(pk, εb, θ)5. b′ ← A(GUESS : c∗)6. RETURN b′
Hybrid argument:1 Construct a sequence of games transitioning from Enc(ε0) to
Enc(ε1)2 Prove they are indistinguishable one from another
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 13 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security Model and Hybrid Argument
Key exchange as an encryption scheme
Same as Ding et al. [Din12, DXL12], Peikert’s [Pei14], BCNS [BCNS15] and NewHope [ADPS16]
Usual game:
Expind−bE,A (λ)
1. param← Setup(1λ)2. (pk, sk)← KeyGen(param)3. (ε0, ε1)← A(FIND : pk)4. c∗ ← Encrypt(pk, εb, θ)5. b′ ← A(GUESS : c∗)6. RETURN b′
Hybrid argument:1 Construct a sequence of games transitioning from Enc(ε0) to
Enc(ε1)2 Prove they are indistinguishable one from another
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 13 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security Model and Hybrid Argument
Key exchange as an encryption scheme
Same as Ding et al. [Din12, DXL12], Peikert’s [Pei14], BCNS [BCNS15] and NewHope [ADPS16]
Usual game:
Expind−bE,A (λ)
1. param← Setup(1λ)2. (pk, sk)← KeyGen(param)3. (ε0, ε1)← A(FIND : pk)4. c∗ ← Encrypt(pk, εb, θ)5. b′ ← A(GUESS : c∗)6. RETURN b′
Hybrid argument:1 Construct a sequence of games transitioning from Enc(ε0) to
Enc(ε1)2 Prove they are indistinguishable one from another
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 13 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security Model and Hybrid Argument
Key exchange as an encryption scheme
Same as Ding et al. [Din12, DXL12], Peikert’s [Pei14], BCNS [BCNS15] and NewHope [ADPS16]
Usual game:
Expind−bE,A (λ)
1. param← Setup(1λ)2. (pk, sk)← KeyGen(param)3. (ε0, ε1)← A(FIND : pk)4. c∗ ← Encrypt(pk, εb, θ)5. b′ ← A(GUESS : c∗)6. RETURN b′
Hybrid argument:1 Construct a sequence of games transitioning from Enc(ε0) to
Enc(ε1)2 Prove they are indistinguishable one from another
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 13 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 SecuritySecurity Model and Hybrid ArgumentOuroboros Security
4 Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 14 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security
Definition (SD Distribution)
For positive integers, n, k, and w , the SD(n, k ,w) Distribution chooses H$← F(n−k)×n and x
$← Fn
such that ω(x) = w , and outputs (H,Hx>).
Definition (Decisional s-QCSD Problem)
For positive integers n, k , w , s, a random parity check matrix H of a QC code C and y$← Fn, the
Decisional s-Quasi-Cyclic SD Problem s-DQCSD(n, k ,w) asks to decide with non-negligible advantagewhether (H, y>) came from the s-QCSD(n, k ,w) distribution or the uniform distribution overF(n−k)×n × Fn−k .
Theorem
Ouroboros is IND-CPA under the 2-DQCSD and 3-DQCSD assumptions. → sketch of proof
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 15 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security
Definition (SD Distribution)
For positive integers, n, k, and w , the SD(n, k ,w) Distribution chooses H$← F(n−k)×n and x
$← Fn
such that ω(x) = w , and outputs (H,Hx>).
Definition (Decisional s-QCSD Problem)
For positive integers n, k , w , s, a random parity check matrix H of a QC code C and y$← Fn, the
Decisional s-Quasi-Cyclic SD Problem s-DQCSD(n, k ,w) asks to decide with non-negligible advantagewhether (H, y>) came from the s-QCSD(n, k ,w) distribution or the uniform distribution overF(n−k)×n × Fn−k .
Theorem
Ouroboros is IND-CPA under the 2-DQCSD and 3-DQCSD assumptions. → sketch of proof
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 15 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Security
Definition (SD Distribution)
For positive integers, n, k, and w , the SD(n, k ,w) Distribution chooses H$← F(n−k)×n and x
$← Fn
such that ω(x) = w , and outputs (H,Hx>).
Definition (Decisional s-QCSD Problem)
For positive integers n, k , w , s, a random parity check matrix H of a QC code C and y$← Fn, the
Decisional s-Quasi-Cyclic SD Problem s-DQCSD(n, k ,w) asks to decide with non-negligible advantagewhether (H, y>) came from the s-QCSD(n, k ,w) distribution or the uniform distribution overF(n−k)×n × Fn−k .
Theorem
Ouroboros is IND-CPA under the 2-DQCSD and 3-DQCSD assumptions. → sketch of proof
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 15 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 Security
4 ParametersReduction CompliantOptimized Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 16 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Reduction Compliant Parameters
Ouroboros Parameters
Instance n w we threshold security DFR
Low-I 5, 851 47 94 30 80 0.92·10−5
Low-II 5, 923 47 94 30 80 2.3 · 10−6
Medium-I 13, 691 75 150 45 128 0.96·10−5
Medium-II 14, 243 75 150 45 128 1.09·10−6
Strong-I 40, 013 147 294 85 256 4.20·10−5
Strong-II 40, 973 147 294 85 256 < 10−6
Table : Parameter sets for Ouroboros
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 17 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Outline
1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 Security
4 ParametersReduction CompliantOptimized Parameters
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 18 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Optimized Parameters wrt Best Know Attacks
Ouroboros Optimized Parameters
Instance n w we threshold security DFR
Low-I 4, 813 41 123 27 80 2.23·10−5
Low-II 5, 003 41 123 27 80 2.60·10−6
Medium-I 10, 301 67 201 42 128 1.01·10−4
Medium-II 10, 837 67 201 42 128 < 10−7
Strong-I 32, 771 131 393 77 256 < 10−4
Strong-II 33, 997 131 393 77 256 < 10−7
Table : Optimized parameter sets for Ouroboros in Hamming metric
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 19 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion
Conclusion
In this talk
Ouroboros: a secure, simple, and efficient code-based key exchange protocol
Efficient decoding through BitFlipping
Competitive parameters
Further Improvements
Improve BitFlipping threshold [CS16]
Switching to Rank metric drastically improves parameters! → interlude?
Optimize implementation
OpenSSL TLS integration
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 20 / 21
Thanks!
Carlos Aguilar Melchor, Olivier Blazy, Jean Christophe
Deneuville, Philippe Gaborit, and Gilles Zemor.Efficient encryption from random quasi-cyclic codes.CoRR, abs/1612.05572, 2016.
Erdem Alkim, Leo Ducas, Thomas Poppelmann, and
Peter Schwabe.Post-quantum key exchange - A new hope.In Thorsten Holz and Stefan Savage, editors, 25thUSENIX Security Symposium, USENIX Security 16,Austin, TX, USA, August 10-12, 2016., pages327–343. USENIX Association, 2016.
Michael Alekhnovich.
More on average case vs approximation complexity.In 44th Symposium on Foundations of ComputerScience (FOCS 2003), 11-14 October 2003,Cambridge, MA, USA, Proceedings, pages 298–307,2003.
Joppe W. Bos, Craig Costello, Michael Naehrig, and
Douglas Stebila.
Post-quantum key exchange for the TLS protocolfrom the ring learning with errors problem.In 2015 IEEE Symposium on Security and Privacy,pages 553–570. IEEE Computer Society Press, May2015.
Julia Chaulet and Nicolas Sendrier.
Worst case qc-mdpc decoder for mceliececryptosystem.In Information Theory (ISIT), 2016 IEEE InternationalSymposium on, pages 1366–1370. IEEE, 2016.
Jintai Ding.
New cryptographic constructions using generalizedlearning with errors problem.Cryptology ePrint Archive, Report 2012/387, 2012.
Jintai Ding, Xiang Xie, and Xiaodong Lin.
A simple provably secure key exchange scheme basedon the learning with errors problem.Cryptology ePrint Archive, Report 2012/688, 2012.
Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier,
and Paulo SLM Barreto.Mdpc-mceliece: New mceliece variants frommoderate density parity-check codes.In Information Theory Proceedings (ISIT), 2013 IEEEInternational Symposium on, pages 2069–2073. IEEE,2013.
Chris Peikert.
Lattice cryptography for the internet.In Michele Mosca, editor, Post-QuantumCryptography - 6th International Workshop,PQCrypto 2014, Waterloo, ON, Canada, October 1-3,2014. Proceedings, volume 8772 of Lecture Notes inComputer Science, pages 197–219. Springer, 2014.
Nicolas Sendrier.
Encoding information into constant weight words.In Information Theory, 2005. ISIT 2005. Proceedings.International Symposium on, pages 435–438. IEEE,2005.
Paper available @ http://unil.im/ouroboros
Thanks!
Carlos Aguilar Melchor, Olivier Blazy, Jean Christophe
Deneuville, Philippe Gaborit, and Gilles Zemor.Efficient encryption from random quasi-cyclic codes.CoRR, abs/1612.05572, 2016.
Erdem Alkim, Leo Ducas, Thomas Poppelmann, and
Peter Schwabe.Post-quantum key exchange - A new hope.In Thorsten Holz and Stefan Savage, editors, 25thUSENIX Security Symposium, USENIX Security 16,Austin, TX, USA, August 10-12, 2016., pages327–343. USENIX Association, 2016.
Michael Alekhnovich.
More on average case vs approximation complexity.In 44th Symposium on Foundations of ComputerScience (FOCS 2003), 11-14 October 2003,Cambridge, MA, USA, Proceedings, pages 298–307,2003.
Joppe W. Bos, Craig Costello, Michael Naehrig, and
Douglas Stebila.
Post-quantum key exchange for the TLS protocolfrom the ring learning with errors problem.In 2015 IEEE Symposium on Security and Privacy,pages 553–570. IEEE Computer Society Press, May2015.
Julia Chaulet and Nicolas Sendrier.
Worst case qc-mdpc decoder for mceliececryptosystem.In Information Theory (ISIT), 2016 IEEE InternationalSymposium on, pages 1366–1370. IEEE, 2016.
Jintai Ding.
New cryptographic constructions using generalizedlearning with errors problem.Cryptology ePrint Archive, Report 2012/387, 2012.
Jintai Ding, Xiang Xie, and Xiaodong Lin.
A simple provably secure key exchange scheme basedon the learning with errors problem.Cryptology ePrint Archive, Report 2012/688, 2012.
Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier,
and Paulo SLM Barreto.Mdpc-mceliece: New mceliece variants frommoderate density parity-check codes.In Information Theory Proceedings (ISIT), 2013 IEEEInternational Symposium on, pages 2069–2073. IEEE,2013.
Chris Peikert.
Lattice cryptography for the internet.In Michele Mosca, editor, Post-QuantumCryptography - 6th International Workshop,PQCrypto 2014, Waterloo, ON, Canada, October 1-3,2014. Proceedings, volume 8772 of Lecture Notes inComputer Science, pages 197–219. Springer, 2014.
Nicolas Sendrier.
Encoding information into constant weight words.In Information Theory, 2005. ISIT 2005. Proceedings.International Symposium on, pages 435–438. IEEE,2005.
Paper available @ http://unil.im/ouroboros
Rank Metric Interlude (1/2)
Rank metric defined over (finite) extensions of finite fields
Fq a finite field with q a power of a prime.
Fqm an extension of degree m of Fq.
Fqm can be seen as a vector space on Fq.
B = (b1, ..., bm) a basis of Fqm over Fq.
Let v = (v1, . . . , vn) be a word of length n in Fqm .
Any coordinate vj =∑m
i=1 vijbi with vij ∈ Fq.v = (v1, ..., vn)→ V =
v11 v12 . . . v1n
v21 v22 . . . v2n
......
. . ....
vm1 vm2 . . . vmn
Rank weight of word
v has rank r = rank(v) iff the rank of V = (vij)ij is r .Equivalently rank(v) = r ⇔ vj ∈ Vr ⊂ Fn
qm with dim(Vr )=r.
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 22 / 21
Rank Metric Interlude (1/2)
Rank metric defined over (finite) extensions of finite fields
Fq a finite field with q a power of a prime.
Fqm an extension of degree m of Fq.
Fqm can be seen as a vector space on Fq.
B = (b1, ..., bm) a basis of Fqm over Fq.
Let v = (v1, . . . , vn) be a word of length n in Fqm .
Any coordinate vj =∑m
i=1 vijbi with vij ∈ Fq.v = (v1, ..., vn)→ V =
v11 v12 . . . v1n
v21 v22 . . . v2n
......
. . ....
vm1 vm2 . . . vmn
Rank weight of word
v has rank r = rank(v) iff the rank of V = (vij)ij is r .Equivalently rank(v) = r ⇔ vj ∈ Vr ⊂ Fn
qm with dim(Vr )=r.
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 22 / 21
Rank Metric Interlude (1/2)
Rank metric defined over (finite) extensions of finite fields
Fq a finite field with q a power of a prime.
Fqm an extension of degree m of Fq.
Fqm can be seen as a vector space on Fq.
B = (b1, ..., bm) a basis of Fqm over Fq.
Let v = (v1, . . . , vn) be a word of length n in Fqm .
Any coordinate vj =∑m
i=1 vijbi with vij ∈ Fq.v = (v1, ..., vn)→ V =
v11 v12 . . . v1n
v21 v22 . . . v2n
......
. . ....
vm1 vm2 . . . vmn
Rank weight of word
v has rank r = rank(v) iff the rank of V = (vij)ij is r .Equivalently rank(v) = r ⇔ vj ∈ Vr ⊂ Fn
qm with dim(Vr )=r.
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 22 / 21
Rank Metric Interlude (2/2)
Best Known Attacks have worse complexity in rank metric (2O(n2)) than in Hamming metric (2O(n))Consequence: worse attacks ⇒ better parameters
Ouroboros-R Parameters
Instancekey size(bits)
n m q w securitydecoding
failure
Ouroboros-R-I 1,591 37 43 2 5 100 10−4
Ouroboros-R-II 2,809 53 53 2 5 128 10−8
Ouroboros-R-III 3, 953 59 67 2 6 192 10−7
Ouroboros-R-IV 5, 293 67 79 2 7 256 10−5
Ouroboros-R-V 5, 618 53 53 4 6 256 10−10
Parameter sets for Ouroboros-R in rank metric.back to conclusion
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 23 / 21
Rank Metric Interlude (2/2)
Best Known Attacks have worse complexity in rank metric (2O(n2)) than in Hamming metric (2O(n))Consequence: worse attacks ⇒ better parameters
Ouroboros-R Parameters
Instancekey size(bits)
n m q w securitydecoding
failure
Ouroboros-R-I 1,591 37 43 2 5 100 10−4
Ouroboros-R-II 2,809 53 53 2 5 128 10−8
Ouroboros-R-III 3, 953 59 67 2 6 192 10−7
Ouroboros-R-IV 5, 293 67 79 2 7 256 10−5
Ouroboros-R-V 5, 618 53 53 4 6 256 10−10
Parameter sets for Ouroboros-R in rank metric.back to conclusion
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 23 / 21
Rank Metric Interlude (2/2)
Best Known Attacks have worse complexity in rank metric (2O(n2)) than in Hamming metric (2O(n))Consequence: worse attacks ⇒ better parameters
Ouroboros-R Parameters
Instancekey size(bits)
n m q w securitydecoding
failure
Ouroboros-R-I 1,591 37 43 2 5 100 10−4
Ouroboros-R-II 2,809 53 53 2 5 128 10−8
Ouroboros-R-III 3, 953 59 67 2 6 192 10−7
Ouroboros-R-IV 5, 293 67 79 2 7 256 10−5
Ouroboros-R-V 5, 618 53 53 4 6 256 10−10
Parameter sets for Ouroboros-R in rank metric.back to conclusion
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 23 / 21
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Enc(ε0) Encs?(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Encs?(ε0)Enc(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21
Sketch of proof
Sequence of games from Enc(ε0) to Enc(ε1)
Encs?(ε0)Enc(ε0) Encs?,r?(ε0)
Encs?,r?(ε1)Encs?(ε1)Enc(ε1)
AdvindE,A(λ)
AdvindE,A(λ) ≤ 2 ·
(Adv2-DQCSD(λ) + Adv3-DQCSD(λ)
)back to security
J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 24 / 21