lake locker ind-cpa kem ind-cca2 pke based on rank … · lake / locker ind-cpa kem / ind-cca2 pke...
TRANSCRIPT
![Page 1: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/1.jpg)
LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE
Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization Conference
Nicolas Aragon1 Olivier Blazy1 Jean-Christophe Deneuville1,4 Philippe Gaborit1
Adrien Hauteville1 Olivier Ruatta1 Jean-Pierre Tillich2 Gilles Zémor3
1University of Limoges, XLIM-DMI, France ; 2Inria, Paris, France
3Mathematical Institute of Bordeaux, France
4INSA-CVL, Bourges, France
04/13/2018 LAKE & LOCKER 04/13/2018 1 / 20
![Page 2: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/2.jpg)
Limitations:The decryption failure probability does not decrease quickly.Security is not based on a random quasi-cyclic/ideal code (but considered hard by thecommunity).Decoding in the rank metric is a more recent problem (27 years old).
Advantages and Limitations
Advantages: Very easy to understand (à la Niederreiter). Very small key size. Very fast keygen/encryption/decryption time. The decryption failure probability is well-understood and theoretically bounded.
LAKE & LOCKER 04/13/2018 2 / 20
![Page 3: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/3.jpg)
Advantages and Limitations
Advantages: Very easy to understand (à la Niederreiter). Very small key size. Very fast keygen/encryption/decryption time. The decryption failure probability is well-understood and theoretically bounded.
Limitations: The decryption failure probability does not decrease quickly. Security is not based on a random quasi-cyclic/ideal code (but considered hard by the community). Decoding in the rank metric is a more recent problem (27 years old).
LAKE & LOCKER 04/13/2018 2 / 20
![Page 4: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/4.jpg)
Presentation of the rank metric
1 Presentation of the rank metric
2 Description of the schemes
3 Security and parameters
LAKE & LOCKER 04/13/2018 3 / 20
![Page 5: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/5.jpg)
Let β1, . . . , βm be a basis of Fqm/Fq. To each vector x ∈ Fnqm we can associate a matrix Mx
x = (x1, . . . , xn) ∈ Fnqm ↔Mx =
⎛⎜⎝x11 . . . x1n...
. . ....
xm1 . . . xmn
⎞⎟⎠ ∈ Fm×nq
such that xj =Pm
i=1 xijβi for each j ∈ [1..n].
DefnitiondR(x , y) = Rank(Mx −My ) and |x |R = RankMx .
Presentation of the rank metric
Rank Metric
We only consider codes with coeÿcients in Fqm .
LAKE & LOCKER 04/13/2018 4 / 20
![Page 6: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/6.jpg)
Presentation of the rank metric
Rank Metric
We only consider codes with coeÿcients in Fqm . Let β1, . . . , βm be a basis of Fqm /Fq. To each vector x ∈ Fn
qm we can associate a matrix Mx ⎞⎛ x11 . . . x1n . ..x = (x1, . . . , xn) ∈ Fn
qm ↔ Mx = ⎜⎝ ⎟⎠ ∈ Fm×n
q . . ... .
P
xm1 . . . xmn
m i=1 xij βi for each j ∈ [1..n].such that xj =
Defnition dR(x , y) = Rank(Mx − My ) and |x |R = Rank Mx .
LAKE & LOCKER 04/13/2018 4 / 20
![Page 7: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/7.jpg)
Number of supports of weight w :
Rank Hamming�mw
�q
≈ qw(m−w)
�nw
�6 2n
Complexity in the worst case:quadratically exponential for Rank Metricsimply exponential for Hamming Metric
Presentation of the rank metric
Support of a Word
Defnition The support of a word is the Fq-subspace generated by its coordinates:
Supp(x) = hx1, . . . , xniFq
LAKE & LOCKER 04/13/2018 5 / 20
![Page 8: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/8.jpg)
Complexity in the worst case:quadratically exponential for Rank Metricsimply exponential for Hamming Metric
Presentation of the rank metric
Support of a Word
Defnition The support of a word is the Fq-subspace generated by its coordinates:
Supp(x) = hx1, . . . , xniFq
Number of supports of weight w :
Rank Hamming� � � � nm w(m−w) 6 2n≈ q
w w q
LAKE & LOCKER 04/13/2018 5 / 20
![Page 9: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/9.jpg)
Presentation of the rank metric
Support of a Word
Defnition The support of a word is the Fq-subspace generated by its coordinates:
Supp(x) = hx1, . . . , xniFq
Number of supports of weight w :
Rank Hamming� � � � nm w(m−w) 6 2n≈ q
w w q
Complexity in the worst case: quadratically exponential for Rank Metric simply exponential for Hamming Metric
LAKE & LOCKER 04/13/2018 5 / 20
![Page 10: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/10.jpg)
The decoding algorithm requires a parity-check matrix of weight d .
Presentation of the rank metric
LRPC Codes
Defnition
Let H ∈ F(qnm −k)×n a full-rank matrix such that the dimension d of hhij iFq is small.
By defnition, H is a parity-check matrix of an [n, k]qm LRPC code. We say that d is the weight of the matrix H .
LAKE & LOCKER 04/13/2018 6 / 20
![Page 11: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/11.jpg)
Presentation of the rank metric
LRPC Codes
Defnition
Let H ∈ F(qnm −k)×n a full-rank matrix such that the dimension d of hhij iFq is small.
By defnition, H is a parity-check matrix of an [n, k]qm LRPC code. We say that d is the weight of the matrix H .
The decoding algorithm requires a parity-check matrix of weight d .
LAKE & LOCKER 04/13/2018 6 / 20
![Page 12: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/12.jpg)
Presentation of the rank metric
Notation
From now, all vectors of Fnqm can be viewed as elements of Fqm [X ]/(P) for some polynomial P .
u X u mod P
⎞⎛ ⎜⎜⎜⎝
⎟⎟⎟⎠ Let u ∈ Fn
qm , (u)M denotes the matrix . . . X n−1u mod P
LAKE & LOCKER 04/13/2018 7 / 20
![Page 13: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/13.jpg)
P ∈ Fq[X ] =⇒ the weight of H is d .Ideal LRPC in rank metric ' QC-MDPC in Hamming metric ' NTRU in Euclidean metric.
Presentation of the rank metric
Ideal LRPC Codes
Defnition Let F be a Fq-subspace of dimension d of Fqm , (h1, h2) two vectors of Fn
qm of support F and P ∈ Fq[X ] a polynomial of degree n.� � By defnition, the matrix H = (h1)M|(h2)M is a parity-check matrix of an [2n, n]qm ideal LRPC code C.
LAKE & LOCKER 04/13/2018 8 / 20
![Page 14: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/14.jpg)
Ideal LRPC in rank metric ' QC-MDPC in Hamming metric ' NTRU in Euclidean metric.
Presentation of the rank metric
Ideal LRPC Codes
Defnition Let F be a Fq-subspace of dimension d of Fqm , (h1, h2) two vectors of Fn
qm of support F and P ∈ Fq[X ] a polynomial of degree n.� � By defnition, the matrix H = (h1)M|(h2)M is a parity-check matrix of an [2n, n]qm ideal LRPC code C.
P ∈ Fq[X ] =⇒ the weight of H is d .
LAKE & LOCKER 04/13/2018 8 / 20
![Page 15: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/15.jpg)
Presentation of the rank metric
Ideal LRPC Codes
Defnition Let F be a Fq-subspace of dimension d of Fqm , (h1, h2) two vectors of Fn
qm of support F and P ∈ Fq[X ] a polynomial of degree n.� � By defnition, the matrix H = (h1)M|(h2)M is a parity-check matrix of an [2n, n]qm ideal LRPC code C.
P ∈ Fq[X ] =⇒ the weight of H is d . Ideal LRPC in rank metric ' QC-MDPC in Hamming metric ' NTRU in Euclidean metric.
LAKE & LOCKER 04/13/2018 8 / 20
![Page 16: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/16.jpg)
P irreducible =⇒ resistant against folding attacks [4].
Presentation of the rank metric
I − LRPC Problem
Problem (Ideal LRPC codes indistinguishability)
Given h ∈ Fnqm and P ∈ Fq[X ] of degree n, it is hard to distinguish if h was sampled uniformly
at random or as x−1y mod P , where x and y have the same support of small dimension d .
Since h defnes an ideal code, it is hard to distinguish between a random ideal code and an ideal LRPC code.
LAKE & LOCKER 04/13/2018 9 / 20
![Page 17: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/17.jpg)
Presentation of the rank metric
I − LRPC Problem
Problem (Ideal LRPC codes indistinguishability)
Given h ∈ Fnqm and P ∈ Fq[X ] of degree n, it is hard to distinguish if h was sampled uniformly
at random or as x−1y mod P , where x and y have the same support of small dimension d .
Since h defnes an ideal code, it is hard to distinguish between a random ideal code and an ideal LRPC code. P irreducible =⇒ resistant against folding attacks [4].
LAKE & LOCKER 04/13/2018 9 / 20
![Page 18: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/18.jpg)
Probabilistic reduction to the NP-Complete ISD problem [3].
Presentation of the rank metric
RSD Problem
Problem (Rank Syndrome Decoding problem)
, s ∈ Fn−k
HeT = sT
|e|R = r
Given H ∈ F(qnm −k)×n
qm and an integer r , fnd e ∈ Fnqm such that:
LAKE & LOCKER 04/13/2018 10 / 20
![Page 19: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/19.jpg)
Presentation of the rank metric
RSD Problem
Problem (Rank Syndrome Decoding problem)
, s ∈ Fn−k
HeT = sT
|e|R = r
Given H ∈ F(qnm −k)×n
qm and an integer r , fnd e ∈ Fnqm such that:
Probabilistic reduction to the NP-Complete ISD problem [3].
LAKE & LOCKER 04/13/2018 10 / 20
![Page 20: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/20.jpg)
Presentation of the rank metric
I − RSD problem
Problem (Ideal Rank Syndrome Decoding problem)
Given h ∈ Fn [X ] of degree n, s ∈ Fn−k and an integer r , fnd e = (e1|e2) ∈ F2n qm , P ∈ Fq qm qm
such that: he1 + e2 = s mod P
|e|R = r
LAKE & LOCKER 04/13/2018 11 / 20
![Page 21: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/21.jpg)
Description of the schemes
1
2
3
Presentation of the rank metric
Description of the schemes
Security and parameters
LAKE & LOCKER 04/13/2018 12 / 20
![Page 22: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/22.jpg)
Description of the schemes
LAKE, a Key Encapsulation Mechanism
Our schemes contain a hash function G modeled as a ROM and an irreducible polynomial P ∈ Fq[X ] of degree n.
Alice Bob $
(x , y ) ← Fnqm × Fn
qm s.t. Supp(x) = Supp(y ) of dim d h
h ← x−1y mod P −−−−−→ (e1, e2)
$← Fn qm × Fn
qm s.t. Supp(e1, e2) = E of dim r
xs = xe1 + y e2 mod P s←−−−−− s = e1 + e2h mod P
E ← LRPC.Deco de(x , y , xs, r)
G (E) Shared Secret G (E)
LAKE & LOCKER 04/13/2018 13 / 20
![Page 23: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/23.jpg)
Description of the schemes
LOCKER, a Public Key Encryption
Our schemes contain an hash function G modeled as a ROM and an irreducible polynomial P ∈ Fq[X ] of degree n. KeyGen(1λ):
$(x , y) ← Fq
nm × Fq
nm s.t. Supp(x) = Supp(y) of dim d
h ← x−1y mod P
sk := (x , y ), pk := h
Bob Alice $
(e1, e2) ← Fnqm × Fn
qm s.t. xs = xe1 + ye2 mod PSupp(e1, e2) = E of dim r C ,s E ← LRPC.Decode(x , y , xs, r)s = e1 + e2h mod P −−−−−→ L L M = C G (E )
C = M G (E )
LAKE & LOCKER 04/13/2018 14 / 20
![Page 24: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/24.jpg)
Security and parameters
1 Presentation of the rank metric
2 Description of the schemes
3 Security and parameters
LAKE & LOCKER 04/13/2018 15 / 20
![Page 25: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/25.jpg)
Applying HHK [5] to LOCKER PKE → IND-CCA2 LOCKER KEMIND-CCA2 LOCKER KEM → LOCKER HE
Security and parameters
Semantic Security
Theorem Under the assumption of the hardness of the I − LRPC and the I − RSD problems, LAKE and LOCKER are IND-CPA in the Random Oracle Model.
LAKE & LOCKER 04/13/2018 16 / 20
![Page 26: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/26.jpg)
Security and parameters
Semantic Security
Theorem Under the assumption of the hardness of the I − LRPC and the I − RSD problems, LAKE and LOCKER are IND-CPA in the Random Oracle Model.
Applying HHK [5] to LOCKER PKE → IND-CCA2 LOCKER KEM IND-CCA2 LOCKER KEM → LOCKER HE
LAKE & LOCKER 04/13/2018 16 / 20
![Page 27: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/27.jpg)
Quantum Speed-Up: Grover’s algorithm directly applies to GRS+ =⇒ exponent isdivided by 2 [2].
I− RSD I− LRPC
O�(nm)3q
12
�rlm(n+1)
2n
m−m
��O�(nm)3q
12(ddm
2 e−m−n)�
Security and parameters
Known Attacks
Combinatorial attacks: try to guess the support of the error or of the small-weight codeword. The best algorithm is GRS+ [1]. On average:
I − RSD I − LRPC� l m � � �m(n+1)r −m ddm e−m−n2nO (nm)3q O (nm)3q 2
LAKE & LOCKER 04/13/2018 17 / 20
![Page 28: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/28.jpg)
Security and parameters
Known Attacks
Combinatorial attacks: try to guess the support of the error or of the small-weight codeword. The best algorithm is GRS+ [1]. On average:
I − RSD I − LRPC� l m � � �m(n+1)r −m ddm e−m−n2nO (nm)3q O (nm)3q 2
Quantum Speed-Up: Grover’s algorithm directly applies to GRS+ =⇒ exponent is divided by 2 [2].
I − RSD I − LRPC� � l m �� � �1 m(n+1)r −m (ddm e−m−n)2 2nO (nm)3q O (nm)3q 2
1 2
LAKE & LOCKER 04/13/2018 17 / 20
![Page 29: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/29.jpg)
Security and parameters
Examples of parameters: LAKE
All the times are given in ms, performed on an Intel Core i7-4700HQ CPU running at 3.40GHz.
Security Message/key Size (bits)
KeyGen Time
Encap Time
Decap Time
Probability of failure
128 3,149 0.65 0.13 0.53 < 2−30
192 4,717 0.73 0.13 0.88 < 2−32
256 6,313 0.77 0.15 1.24 < 2−36
LAKE & LOCKER 04/13/2018 18 / 20
![Page 30: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/30.jpg)
Security and parameters
Examples of parameters: LOCKER
All the times are given in ms, performed on an Intel Core i7-4700HQ CPU running at 3.40GHz.
Security PK Size (bits)
CT Size (bits)
Encrypt Time
Decrypt Time
Probability of failure
128 5,893 6,405 0.22 1.04 < 2−64
192 8,383 8,895 0.23 1.08 < 2−64
256 9,523 10,023 0.25 1.58 < 2−64
128 12,367 12,879 0.56 1.99 < 2−128
192 15,049 15,561 0.56 2.03 < 2−128
256 17,113 17,625 0.62 2.76 < 2−128
LAKE & LOCKER 04/13/2018 19 / 20
![Page 31: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/31.jpg)
Security and parameters
Thank you for your attention !Any questions ?
LAKE & LOCKER 04/13/2018 20 / 20
![Page 32: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/32.jpg)
Security and parameters
Nicolas Aragon, Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. Improvement of Generic Attacks on the Rank Syndrome Decoding Problem. working paper or preprint, October 2017.
Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. Ranksynd a PRNG based on rank metric. In Post-Quantum Cryptography 2016, pages 18–28, Fukuoka, Japan, February 2016.
Philippe Gaborit and Gilles Zémor. On the hardness of the decoding and the minimum distance problems for rank codes. IEEE Trans. Information Theory, 62(12):7245–7252, 2016.
Adrien Hauteville and Jean-Pierre Tillich. New algorithms for decoding in the rank metric and an attack on the LRPC cryptosystem. In Proc. IEEE Int. Symposium Inf. Theory - ISIT 2015, pages 2747–2751, Hong Kong, China, June 2015.
Dennis Hofheinz, Kathrin Hövelmanns, and Eike Kiltz. A modular analysis of the Fujisaki-Okamoto transformation.
LAKE & LOCKER 04/13/2018 20 / 20
![Page 33: LAKE LOCKER IND-CPA KEM IND-CCA2 PKE Based on Rank … · LAKE / LOCKER IND-CPA KEM / IND-CCA2 PKE Based on Rank Metric Codes NIST First Post-Quantum Cryptography Standardization](https://reader033.vdocuments.net/reader033/viewer/2022060311/5f0adce67e708231d42db582/html5/thumbnails/33.jpg)
Security and parameters
In Theory of Cryptography Conference, pages 341–371. Springer, 2017.
LAKE & LOCKER 04/13/2018 20 / 20