rollo ank-ouroboros, lake locker · 2019-06-14 · rollo - rank-ouroboros, lake & locker...

30
ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum cryptography standardization. They are based on rank metric codes and they share the same decryption algorithm for LRPC codes (see Sec.1). Rank-Ouroboros (formerly known as Ouroboros-R) and LAKE are IND-CPA KEM run- ning in the category “post-quantum key exchange”. LOCKER is an IND-CCA2 PKE running in the category “post-quantum public key encryption”. Different sets of parameters for these three cryptosystems are proposed for security strength categories 1, 3, and 5. Principal Submitters (by alphabetical order): Carlos Aguilar Melchor Nicolas Aragon Slim Bettaieb Loïc Bidoux Olivier Blazy Jean-Christophe Deneuville Philippe Gaborit Adrien Hauteville Olivier Ruatta Jean-Pierre Tillich Gilles Zémor Inventors: Same as submitters Developers: Same as submitters Owners: Same as submitters This work was partially funded by French DGA. 1

Upload: others

Post on 06-Mar-2020

7 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

ROLLO -Rank-Ouroboros, LAKE

& LOCKER

November 28, 2018

ROLLO is a compilation of three candidates to NIST’s competition for post-quantumcryptography standardization. They are based on rank metric codes and they share the samedecryption algorithm for LRPC codes (see Sec.1).

Rank-Ouroboros (formerly known as Ouroboros-R) and LAKE are IND-CPA KEM run-ning in the category “post-quantum key exchange”. LOCKER is an IND-CCA2 PKE runningin the category “post-quantum public key encryption”. Different sets of parameters for thesethree cryptosystems are proposed for security strength categories 1, 3, and 5.

Principal Submitters (by alphabetical order):• Carlos Aguilar Melchor• Nicolas Aragon• Slim Bettaieb• Loïc Bidoux• Olivier Blazy• Jean-Christophe Deneuville

• Philippe Gaborit• Adrien Hauteville• Olivier Ruatta• Jean-Pierre Tillich• Gilles Zémor

Inventors: Same as submitters

Developers: Same as submitters

Owners: Same as submitters

This work was partially funded by French DGA.

1

Page 2: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Main contactx Philippe Gaborit@ [email protected] +33-626-907-245= University of LimogesB 123 avenue Albert Thomas

87 060 Limoges CedexFrance

Backup point of contactx Adrien Hauteville@ [email protected] +33-642-709-282= University of LimogesB 123 avenue Albert Thomas

87 060 Limoges CedexFrance

2

Page 3: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Contents1 Specifications 5

1.1 Presentation of rank metric codes . . . . . . . . . . . . . . . . . . . . . . . . 61.1.1 General definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61.1.2 Double circulant and ideal codes . . . . . . . . . . . . . . . . . . . . . 7

1.2 Difficult problems in rank metric . . . . . . . . . . . . . . . . . . . . . . . . 81.3 The Low Rank Parity Check codes . . . . . . . . . . . . . . . . . . . . . . . 101.4 A support recovery algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.4.1 Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111.4.2 Probability of failure . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.5 Presentation of the schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . 121.5.1 Rank Ouroboros as a KEM . . . . . . . . . . . . . . . . . . . . . . . 131.5.2 LAKE as a KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141.5.3 LOCKER as a PKE . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.6 Parameters for our schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . 151.6.1 Rank Ouroboros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151.6.2 LAKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171.6.3 LOCKER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2 Performances 192.1 Rank Ouroboros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.2 LAKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202.3 LOCKER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212.4 Optimized Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3 Known Answer Test Values 22

4 Security 224.1 Security Models and Hybrid Argument . . . . . . . . . . . . . . . . . . . . . 224.2 IND-CPA security proof of Rank Ouroboros . . . . . . . . . . . . . . . . . . 234.3 IND-CPA security proof of LAKE . . . . . . . . . . . . . . . . . . . . . . . . 244.4 IND-CCA2 security proof of LOCKER . . . . . . . . . . . . . . . . . . . . . 25

4.4.1 IND-CPA security proof of the LOCKER PKE . . . . . . . . . . . . 254.5 A IND-CCA2 conversion of the LOCKER PKE . . . . . . . . . . . . . . . . 26

5 Known Attacks 275.1 Generic attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275.2 Structural attack against ideal LRPC codes . . . . . . . . . . . . . . . . . . 275.3 Algebraic attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3

Page 4: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

6 Advantages and Limitations 286.1 Strengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286.2 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

References 29

4

Page 5: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Prologue

The public key encryption protocol NTRU [10] was introduced in 1998, the main ideabehind the protocol is that the secret key consists in the knowledge of a small Euclideanweight vector, which is used to derive a double circulant matrix. This matrix is then seenas a dual matrix of an associated lattice and a specific decoding algorithm based on theknowledge of this small weight dual matrix is used for decryption.

This idea of having as a trapdoor a small weight dual matrix (with a specific associateddecoding algorithm) can naturally be generalized to other metrics. It was done in 2013with MDPC [13] for Hamming metric and also in 2013 for Rank metric with LRPC codes[5]. These three protocols derive from the same basic main idea, adapted for differentmetrics, which have different properties in terms of efficiency, size of parameters and securityreduction.

The previous schemes have many nice features in terms of size of keys, size of exchangeddata and efficiency but suffer from the same weakness: their security do not reduce to a wellknown problem but rather to a specific problem where a special structure is hidden in thepublic matrix. Indeed the public matrix is generated by small weight vectors. Although thisproblem is less specific that hidden structure in the McEliece setting, it remains a potentialweakness for these schemes (even if practically, one does not really know how to use thistype of structure for strongly more efficient attacks in the more general cases).

Recently a new approach called Ouroboros was presented in [1], this approach permits tobenefit from the nice features of the previous schemes, but at the same time has a reductionto decoding random quasi-cyclic codes, rather than a more specific code. Of course thiscomes at a cost: doubling the size of the ciphertext. Rank Ouroboros follows the ideaof [1] for rank metric. The resulting scheme benefits from the nice features of NTRU-likeschemes but has also a reduction to a generic problem, at the cost of doubling the size of theciphertext, also as all associated decoding algorithm for the NTRU-like family of schemes,there is a decryption failure, but in the case of rank metric this decryption failure is lowand perfectly estimated.

This proposal is the fusion of three propositions to standardization for the post-quantumcryptography NIST competition: Rank Ouroboros (formerly Ouroboros-R), LAKE andLOCKER.

1 SpecificationsIn the following document, q denotes a power of a prime p. The finite field with q elementsis denoted by Fq and more generally for any positive integer m the finite field with qm

elements is denoted by Fqm . We will frequently view Fqm as an m-dimensional vector spaceover Fq.

We use bold lowercase (resp. uppercase) letters to denote vectors (resp. matrices).As it will be clear from the context, no distinction will be made between column and

5

Page 6: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

row vectors. For two matrices A,B of compatible dimensions, we let (A|B) and(AB

)respectively denote the horizontal and vertical concatenations of A and B.

1.1 Presentation of rank metric codes

1.1.1 General definitions

Definition 1.1.1 (Rank metric over Fnqm). Let x = (x1, . . . , xn) ∈ Fnqm and (β1, . . . , βm) ∈Fmqm a basis of Fqm viewed as an m-dimensional vector space over Fq. Each coordinate xj isassociated to a vector of Fmq in this basis: xj =

∑mi=1mijβi. The m × n matrix associated

to x is given by M (x) = (mij)16i6m16j6n

.

The rank weight ‖x‖ of x is defined as

‖x‖ def= RankM (x).

The associated distance d(x,y) between elements x and y in Fnqm is defined by d(x,y) =‖x− y‖.

Definition 1.1.2 (Fqm-linear code). An Fqm-linear code C of dimension k and length n isa subspace of dimension k of Fnqm embedded with the rank metric. It is denoted [n, k]qm.C can be represented by two equivalent ways:

• by a generator matrix G ∈ Fk×nqm . Each row of G is an element of a basis of C,

C = {xG,x ∈ Fkqm}

• by a parity-check matrix H ∈ F(n−k)×nqm . Each row of H determines a parity-check

equation verified by the elements of C:

C = {x ∈ Fnqm :HxT = 0}

We say that G (respectively H) is under systematic form iff it is of the form (Ik|A)(respectively (In−k|B)).

Definition 1.1.3 (Support of a word). Let x = (x1, . . . , xn) ∈ Fnqm. The support E of x,denoted Supp(x), is the Fq-subspace of Fqm generated by the coordinates of x:

E = 〈x1, . . . , xn〉Fq

and we have dimE = ‖x‖.

The number of supports of dimension w of Fqm is denoted by the Gaussian coefficient[mw

]q

=w−1∏i=0

qm − qi

qw − qi.

6

Page 7: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

1.1.2 Double circulant and ideal codes

To describe an [n, k]qm linear code, we can give its systematic generator matrix or itssystematic parity-check matrix. In both case, the number of bits needed to represent sucha matrix is k(n−k)m dlog2 qe. To reduce the size of a representation of a code, we introducethe double circulant codes.

First we need to define the circulant matrices.

Definition 1.1.4 (Circulant matrix). A square matrix M of size n× n is said circulant ifit is of the form

M =

m0 m1 . . . mn−1mn−1 m0 . . . mn−2...

... . . . ...m1 m2 . . . m0

We denoteMn(Fqm) the set of circulant matrices of size n× n over Fqm.

The following proposition states an important property of circulant matrices.

Proposition 1.1.1. Mn(Fqm) is an Fqm-algebra isomorphic to Fqm [X]/(Xn − 1), that-is-to-say the set of polynomials with coefficients in Fqm modulo Xn − 1. The canonicalisomorphism is given by

ϕ : Fqm [X]/(Xn − 1) −→ Mn(Fqm)

n−1∑i=0

miXi 7−→

m0 m1 . . . mn−1mn−1 m0 . . . mn−2...

... . . . ...m1 m2 . . . m0

(1)

In the following, in order to simplify the notation, we will identify the polynomialG(X) =

∑n−1i=0 giX

i ∈ Fqm [X] with the vector g = (g0, . . . , gn−1) ∈ Fnqm . We will denote ug

mod P the vector of the coefficients of the polynomial(∑n−1

j=0 ujXj) (∑n−1

i=0 giXi)

mod P

or simply ug if there is no ambiguity in the choice of the polynomial P .

Definition 1.1.5 (Double circulant codes). An [2n, n]qm linear code C is said double cir-culant if it has a generator matrix G of the form G = (A|B) where A and B are twocirculant matrices of size n.

With the previous notations, we have C = {(xa,xb),x ∈ Fnqm}. If a is invertible inFqm [X]/(Xn − 1), then C = {(x,xg),x ∈ Fnqm} where g = a−1b. In this case we say thatC is generated by g (mod Xn − 1). Thus we only need nm dlog2 qe bits to describe an[2n, n]qm double circulant code.

We can generalize the double circulant codes by choosing another polynomial P to definethe quotient-ring Fqm [X]/(P ).

7

Page 8: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Definition 1.1.6 (Ideal codes). Let P (X) ∈ Fq[X] be a polynomial of degree n andg1, g2 ∈ Fnqm. Let G1(X) =

∑n−1i=0 g1iX

i and G2(X) =∑n−1

j=0 g1jXj the polynomials as-

sociated respectively to g1 and g2.By definition, the [2n, n]qm ideal code C of generator (g1, g2) is the code with generator

matrix

G =

G1(X) mod P G2(X) mod PXG1(X) mod P XG2(X) mod P

......

Xn−1G1(X) mod P Xn−1G2(X) mod P

More concisely, we have C = {(xg1 mod P,xg2 mod P ),x ∈ Fnqm}. We will often omitto precise the polynomial P if there is no ambiguity.

If g1 is invertible, under systematic form, C = {(x,xg),x ∈ Fnqm} with g = g−11 g2mod P .

We need to be careful when we use these notations in the case of parity-check matrix.Indeed, if we have a syndrome σ = e1h1+e2h2 mod P , this equality is equivalent in termof product matrix-vector to (H1|H2)(e1|e2)T = σT where

H1 =

h1 mod PXh1 mod P

...Xn−1h1 mod P

T

and H2 =

h2 mod PXh2 mod P

...Xn−1h2 mod P

T

Thus, we said that (h1,h2) and P generate a parity-check matrix of a code C if (HT1 |HT

2 )is a parity-check matrix of C.

1.2 Difficult problems in rank metric

In this section, we introduce the difficult problems on which our cryptosystem is based.

Problem 1.1 (Rank Syndrome Decoding). Given a full-rank matrix H ∈ F(n−k)×nqm , a

syndrome σ and a weight ω, it is hard to sample a vector x ∈ Fnqm of weight lower than ωsuch that HxT = σT .

The RSD problem has recently been proven hard in [7] on probabilistic reduction.

Problem 1.2 (Quasi-Cyclic Rank Syndrome Decoding). Given a vector h ∈ Fnqm, a syn-drome σ and a weight ω, it is hard to sample a vector x = (x1,x2) ∈ F2n

qm of weight lowerthan ω such that x1 + x2h = σ (mod Xn − 1).

Since h and P = Xn − 1 define a systematic parity-check matrix of an [2n, n]qm doublecirculant (quasi-cyclic) code, the QCRSD problem is a particular case of the RSD problem.

8

Page 9: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Problem 1.3 (Quasi-Cyclic Rank Support Recovery). Given a vector h ∈ Fnqm, a syndromeσ and a weight ω, it is hard to recover the support E of dimension lower than ω such thate1 + e2h = σ (mod Xn − 1) where the vectors e1 and e2 were sampled from E.

The QCRSR problem is trivially reduced to the QCRSD problem. Indeed to recover thesupport E of an instance of the QCRSD problem from a solution x of the QCRSD problem,we just have to compute the support of x.

Reciprocally, the QCRSD problem can also be reduced to the QCRSR problem. Let ussuppose we know the support E of a solution of the QCRSR problem for a weight ω. Wewant to find x = (x1,x2) of weight lower than ω such that x1 + x2h = σ (mod Xn − 1).

This equation is equivalent to In H

(x1,0 . . . x1,n−1, x2,0 . . . x2,n−1)T = σT (2)

where H =

h

Xh (mod Xn − 1)...

Xn−1h (mod Xn − 1)

T

and x1 = (x1,0 . . . x1,n−1),x2 = (x2,0 . . . x2,n−1).

Let (E1, . . . , Eω) be a basis of E. We can express the coordinates of x1 and x2 in thisbasis:

∀i ∈ {1, 2}, 0 6 j 6 n− 1, xij =ω∑k=1

λijkEk, with λijk ∈ Fq

Then we rewrite the equations of (2) in the new unknowns λijk. We obtain a system of 2nωunknowns over Fq and n equations over Fqm , so nm equations over Fq.

Since e1 + e2h = σ mod P , the system has at least one solution and by constructionall the solutions have their support included in E of dimension ω, so we can find a solutionto the QCRSD problem by solving this system.

We need to generalize Problems 1.2 and 1.3 to ideal code.

Problem 1.4 (Ideal-Rank Syndrome Decoding). Given a vector h ∈ Fnqm, a polynomialP ∈ Fq[X] of degree n, a syndrome σ and a weight ω, it is hard to sample a vector x =(x1,x2)F2n

qm of weight lower than ω such that x1 + x2h = σ mod P .

As for the QCRSD problem, the IRSD problem is a particular case of the RSD problem.

Problem 1.5 (Ideal-Rank Support Recovery). Given a vector h ∈ Fnqm, a polynomialP ∈ Fq[X] of degree n, a syndrome σ and a weight ω, it is hard to recover the support E ofdimension lower than ω such that e1 + e2h = σ mod P where the vectors e1 and e2 weresampled from E.

9

Page 10: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

The proof of the equivalence between the IRSD and IRSR problems is exactly the sameone as for the equivalence between the QCRSD and QCRSR problems.

The complexity of known attacks against these problems are described in Section 5.

1.3 The Low Rank Parity Check codes

The LRPC codes have been introduced in [5]. They are good candidates for the cryptosys-tem of McEliece because the have a weak algebraic structure.

Definition 1.3.1 (LRPC codes). Let H = (hij)16i6n−k16j6n

∈ F(n−k)×nqm a full-rank matrix such

that its coefficients generate an Fq-subspace F of small dimension d:

F = 〈hij〉Fq

Let C be the code with parity-check matrix H. By definition, C is an [n, k]qm LRPC code ofweight d.

Such a matrix H is called homogeneous matrix of weight d and support F .

We can now define the ideal LRPC codes as we have defined the ideal codes.

Definition 1.3.2 (Ideal LRPC codes). Let F be a Fq-subspace of dimension d of Fqm,(h1,h2) two vectors of Fnqm of support F and P ∈ Fq[X] a polynomial of degree n. Let

H1 =

h1

Xh1 mod P...

Xn−1h1 mod P

T

and H2 =

y

Xh2 mod P...

Xn−1h2 mod P

T

By definition, the code C with parity check matrix H = (H1|H2) is an ideal LRPC code oftype [2n, n]qm.

As we can see, since P ∈ Fq[X], the support of X ih1 is still F for all 1 6 i 6 n−1 hencethe necessity to choose P with coefficients in the base field Fq to keep the LRPC structureof the ideal code.

To hide the structure of an ideal LRPC, we only reveal its systematic parity-checkmatrix.

Definition 1.3.3 (Ideal LRPC codes indistinguishability). Given a polynomial P ∈ Fq[X]of degree n and a vector h ∈ Fnqm, it is hard to distinguish whether the ideal code C with theparity-check matrix generated by h and P is a random ideal code or if it is an ideal LRPCcode of weight d.

In other words, it is hard to distinguish if h was sampled uniformly at random or asx−1y mod P where the vectors x and y have the same support of small dimension d.

The ideal LRPC codes are particularly interesting if we choose an irreducible polynomialfor P . In this case we counter a structural attack against double circulant LRPC which canbe found in [8].

10

Page 11: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

1.4 A support recovery algorithm

Notation 1.6. In the following, S is the vector space generated by the coordinates of thesyndrome 〈s1, ..., sn〉. Its dimension is at most rd, and it is a subspace of the product vectorspace 〈E.F 〉 = 〈e1.f1, e2.f1, ..., er.fd〉. Si is defined by Si = f−1i .S with fi an element of abasis of F , and Sij = Si ∩ Sj.

1.4.1 Algorithm

The decoding algorithm of LRPC codes first recover the support of the error vector thensolve a linear system in order to recover the error coordinates. For these proposals, we onlyneed to recover the support of the error. The probabilistic support recovery algorithm wasrecently improved in [2]. The algorithm we present here, uses both the general decodingalgorithm of the LRPC codes described in [5] and a tweak of the improved algorithmdescribed in [2] designed to run in constant time. This algorithm is an improved version ofthe the general decoding algorithm of the LRPC codes described in [5].Algorithm 1: Rank Support Recover (RSR) algorithmData: F = 〈f1, ..., fd〉, s = (s1, · · · , sn) (a vector), r (the dimension of E)Result: A candidate for the vector space E//Part 1 : Compute the vector space 〈E.F 〉

1 Compute S = 〈s1, · · · , sn〉2 Precompute every Si for i = 1 to d3 Precompute every Si,i+1 for i = 1 to d− 14 for i from 1 to d− 2 do5 tmp← S + 〈F.(Si,i+1 + Si+1,i+2 + Si,i+2)〉6 if dim(tmp) 6 rd then7 S ← tmp8 end9 end//Part 2 : Recover the vector space E

10 E ← f−11 .S ∩ ... ∩ f−1d .S11 return E

The algorithm is designed in two parts : the first one is used to recover the whole vectorspace 〈E.F 〉 in case S is of dimension < rd. This ensures that the second part, which isthe general decoding of the LRPC codes, outputs the right E. Note that we don’t need torecover the coordinates of the error vector e since we only use the support E in the protocol.

1.4.2 Probability of failure

The second part of the algorithm will fail if and only if S 6= 〈E.F 〉, thus the global proba-bility of failure depends both from the probability of dim(S) being smaller than rd and theprobability of not recovering 〈E.F 〉 using the first part of the algorithm.

11

Page 12: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Notation 1.7. In the following, c is the codimension of S inside 〈E.F 〉 : dim(S) = rd− c.P (c = i) is the probability of S being of codimension i inside 〈E.F 〉 and Pc=i(failure) ifthe probability of not recovering 〈E.F 〉 when c = i.

Proposition 1.8. The probability of failure of the new algorithm isrd−1∑i=1

P (c = i) ×

Pc=i(failure)

Analysis of Pc=1(failure)This algorithm uses the fact that dim(Si∩E) >= r− c (r−1 in this case), which means

each Si contains at least r − 1 vectors of E. Since all other vectors in Si are random, weneed to intersect two different Si in order to recover r − 2 vectors of E : those are the Sij.

At each iteration, we compute Si,i+1 ⊕ Si+1,i+2 ⊕ Si,i+2 to find vectors of E. Once wehave those, we multiply them by the vector space F to find vectors of S. If one of thesevectors (we note it x) is not in S, then S + x = 〈E.F 〉 : we can decode successfully.

We know that every Sij contains at least r − 2 vectors of E. To study what happensduring each iteration of the algorithm, we suppose that Sij contains exactly r − 2 vectorsof E. Two cases may occur during each of the d− 2 iterations :

• If Si,i+1 = Si+1,i+2, then dim(Si,i+1 ⊕ Si+1,i+2 ⊕ Si,i+2) = r − 2, since the equalityimplies that each vector that we find is in Si, Si+1 and Si+2 at the same time. In thatcase the algorithm might not find new vectors of 〈E.F 〉. This equality happens withprobability q2−r.

• Si,i+1 6= Si+1,i+2, then dim(Si,i+1 ⊕ Si+1,i+2 ⊕ Si,i+2) = r : the inequality implies thatdim(Si,i+1 ⊕ Si+1,i+2) = r − 1 and, since Si,i+2 is different from both of the other Sij(otherwise we would be in the first case), the union of the three Sij is exactly E. Inthat case the algorithm always finds 〈E.F 〉.

Since each iteration can fail to recover 〈E.F 〉 with probability q2−r, the probability ofnot finding 〈E.F 〉 when dim(S) = rd− 1 is q(2−r)(d−2).

Proposition 1.9. From [5] we know that P (c = i) = q−i(n−rd+i) thus the probability offailure of this algorithm is max(q(2−r)(d−2) × q−(n−rd+1), q−2(n−rd+2)).

In practice, this algorithm can decode event when c > 1, but Pc=2(failure) is harderto study. Notice that the algorithm supposes that m is sufficiently higher than 2rd− r towork, which will be the case for all parameters considered.

1.5 Presentation of the schemes

In this subsection, Snw(Fqm) stands for a random vector of length n and rank weight w overFqm and Sn1,w(Fqm) stands for a random vector of length n of rank weight w, such that itssupport contains 1 (choose a random subspace of dimension w of Fqm containing 1, thenconsider random coordinates in this support).

12

Page 13: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

1.5.1 Rank Ouroboros as a KEM

A Key-Encapsulation scheme KEM = (KeyGen,Encap,Decap) is a triple of probabilisticalgorithms together with a key space K. The key generation algorithm KeyGen generatesa pair of public ad secret key (pk, sk). The encapsulation algorithm Encap uses the publickey pk to produce a encapsulation c, and a key K ∈ K. Finally Decap using the secret keysk and an encapsulation c, recovers the key K ∈ K or fails and return ⊥.

Rank Ouroboros is depicted in fig. 1, then formally described in fig. 2. The RSR algo-rithm was presented in previous section.

Alice Bob

seedh$← {0, 1}λ, h seedh← Fnqm

(x,y)$← S2n

1,w(Fqm), s← x+ hyF ← Supp (x,y)

ec ← se − ysrE ← RSR (F, ec, wr)

Hash (E)

h,s−−−−−−→

sr,se←−−−−−−−

SharedSecret

(r1, r2, er)$← S3n

wr(Fqm)

E ← Supp (r1, r2, er)sr ← r1 + hr2, se ← sr2 + er

Hash (E)

Figure 1: Informal description of Rank Ouroboros. h and s constitute the public key. hcan be recovered by publishing only the λ bits of the seed (instead of the n coordinates ofh).

We need to have a common representation of a subspace of dimension r of Fqm . Thenatural way is to choose the unique matrix M ∈ Fr×mq of size r × m in its rows echelonform such that the rows of M are a basis of E.

Correctness: Alice recovers ec = se − ysr = sr2 + er − y(r1 + hr2) = (x+ hy)r2 +er − y(r1+hr2) = xr2−yr1+er, since E = Supp(r1, r2, er) and F = Supp(x,y), and since1 ∈ F , the coordinates of ec generate a subspace of 〈E.F 〉 on which one can apply the RSRalgorithm to recover E.

13

Page 14: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

• KeyGen(1λ): Picks seedh$← {0, 1}λ, h seedh← Fnqm , (x,y)

$← S2n1,w(Fqm).

Sets s← x+ hy and returns pk = (h, s), sk = (x,y).

• Encap(pk): Picks (r1, r2, er)$← S3n

wr(Fqm), sets E = Supp(r1, r2, er), sr = r1 + hr2, se = sr2 + er

Computes K = Hash(E), and returns c = (sr, se)

• Decap(sk): Sets ec = se − ysr, F = Supp(x,y) and E ← RSR (F, ec, wr)Recovers K = Hash(E)

Figure 2: Formal description of Rank Ouroboros.

1.5.2 LAKE as a KEM

As previously, LAKE is depicted in fig. 1, then formally described in fig. 2. P is a irreduciblepolynomial of Fq[X] of degree n and constitutes a parameter of the cryptosystem.

Alice Bob

(x,y)$← S2n

d (Fqm), h← x−1y mod PF ← Supp (x,y)

s← xcE ← RSR (F, s, r)

Hash (E)

h−−−−−→

c←−−−−−

SharedSecret

(e1, e2)$← S2n

r (Fqm)E ← Supp (e1, e2)

c← e1 + e2h mod P

Hash (E)

Figure 3: Informal description of LAKE. h constitutes the public key.

Correctness: Alice recovers s = xc = xe1 + xe2h = xe1 + ye2 mod P , since E =Supp(e1, e2), F = Supp(x,y) and P ∈ Fq[X], the coordinates of s generate a subspace of〈E.F 〉 on which Bob can apply the RSR algorithm to recover E.

• KeyGen(1λ): Picks (x,y) $← S2nd (Fqm). Ensure that x is invertible modulo P .

Sets h = x−1y mod P and return pk = h, sk = (x,y).

• Encap(pk): Picks (e1, e2)$← S2n

r (Fqm), sets E = Supp(e1, e2), c = e1 + e2h mod PComputes K = Hash(E) and returns c

• Decap(sk): Sets s = xc mod P , F = Supp(x,y) and E ← RSR (F, s, r)Recovers K = Hash(E)

Figure 4: Formal description of LAKE.

Computational costs. The KeyGen cost corresponds to a polynomial inversionmod P in Fqm . The Encap and Decap costs correspond to a a matrix-vector multiplica-tion in Fqm . For a multiplication cost of elements of Fqm in O (m logm log logm), we obtain

14

Page 15: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

a KeyGen complexity in O (n2 log(n)m logm log logm) and a Decap and Encap complexityin O (n2m logm log logm) plus the decoding cost of the RSR algorithm (intersections ofsubspaces of dimension rd in Fqm ) in O ((rd)2m).

1.5.3 LOCKER as a PKE

A Public Key Encryption (PKE) scheme is defined by three algorithm: the key generationalgorithm KeyGen which takes on input the security parameter λ and outputs a pair of publicand private keys (pk, sk) ; the encryption algorithm Encrypt(pk,M) which outputs theciphertext C corresponding to the message M and the decryption algorithm Decrypt(sk, C)which outputs the plaintext M .

Since LOCKER is almost identical to LAKE, we only give its formal description infig. 5. P is a irreducible polynomial of Fq[X] of degree n and constitutes a parameter ofthe cryptosystem. The symbol ⊕ denotes the bitwise XOR.

• KeyGen(1λ): Picks (x,y) $← S2nd (Fqm). Ensure that x is invertible modulo P .

Sets h = x−1y mod P and return pk = h, sk = (x,y).

• Encrypt(M, pk): Picks (e1, e2)$← S2n

r (Fqm), sets E = Supp(e1, e2), c = e1 + e2h mod PComputes cipher =M ⊕ Hash(E) and returns the ciphertext C = (c, cipher)

• Decrypt(C, sk): Sets s = xc mod P , F = Supp(x,y) and E ← RSR (F, s, r)Return M = cipher ⊕ Hash(E).

Figure 5: Formal description of LAKE.

1.6 Parameters for our schemes

1.6.1 Rank Ouroboros

In this Section, we propose several sets of parameters for Rank Ouroboros, achieving 128,192, or 256 bits of security and corresponding therefore to NIST’s security strength cate-gories 1, 3, and 5 respectively.

Choice of parameters. In section 4, the security of the protocol is reduced to the 2-QCRSD problem for weight w for the secret key, and the 3-QCRSD problem for weight wr anda [3n, n] code. Since 1 is contained in the support of (x,y), the security is straightforwardlyreduced to attacking a [2n, n] 2-QCRSD instance for weight w − 1 rather than w. Theprobability of decryption failure (DFR) comes from the probability that the RSR algorithmfails. The best attacks for these cases are combinatorial attacks described in the nextsection. These parameters have been chosen so that the best known attack requires at least2λ elementary operations for λ bits of security. We refer the reader to Sec. 5 for more detailson best known attacks.

15

Page 16: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Size of parameters and computational costs. The public key has size nm, theciphertext has size 2nm. The Encap cost corresponds to a matrix-vector product overFqm , for a multiplication cost of elements of Fqm in m log(m) log(log(m)), we obtain anencryption complexity in O (n2m log (m) log (log (m))). The Decap cost is also a matrix-vector multiplication plus the decoding cost of the RSR algorithm (intersections of subspacesof dimension wwr in Fqm) in O((wwr)2m).

The resulting public key, secret key, ciphertext and shared secret sizes are given inTab. 2. One may use seeds to shorten keys thus obtaining sizes presented in Tab. 3. Theaforementioned sizes are the ones used in our reference implementation.

Instance q n m w wr security DFRRank Ouroboros-I 2 53 89 5 6 128 2−36

Rank Ouroboros-II 2 59 101 6 8 192 2−36

Rank Ouroboros-III 2 67 127 7 8 256 2−42

Table 1: Parameters for Rank Ouroboros.

Instance pk size sk size ct size ss size SecurityRank Ouroboros-I 1180 1180 1180 64 128Rank Ouroboros-II 1490 1490 1490 64 192Rank Ouroboros-III 2128 2128 2128 64 256

Table 2: Resulting theoretical sizes in bytes for Rank Ouroboros. The public key pk iscomposed of (h, s) and has size 2nm. The secret key sk is composed of (x, y) and has size2nm. The ciphertext ct is composed of (sr, se) and has size 2nm. The shared secret ss iscomposed of K and has size 64 (SHA512 output size). The security is expressed in bits.

Instance pk size sk size ct size ss size SecurityRank Ouroboros-I 676 40 1272 64 128Rank Ouroboros-II 807 40 1534 64 192Rank Ouroboros-III 1112 40 2144 64 256

Table 3: Resulting sizes in bytes for Rank Ouroboros using NIST seed expander initializedwith 40 bytes long seeds. The public key pk is composed of (seed1, s) and has size 40 +n(bm/8c + 1). The secret key sk is composed of (seed2) and has size 40. The ciphertextct is composed of (sr, se) and has size 2n(bm/8c+ 1). The shared secret ss is composed ofK and has size 64 (SHA512 output size). The security is expressed in bits. Vectors may beshortened to fit into their theoretical size of 2(bnm/8c+1) bytes rather than 2n(bm/8c+1)bytes if necessary.

16

Page 17: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

1.6.2 LAKE

In this section, we give some sets of parameters for a security parameters of 128, 192 and256. In all cases, we have chosen q = 2. The parameters are :

• n is the length the vectors h and c sent on the public channel.

• m is the degree of the extension F2m .

• d is the weight of the ideal LRPC code used in the protocol.

• r is the weight of the error.

• P is the irreducible polynomial of degree n of F2[X] which defines the ideal LRPCcode. We have chosen sparse polynomials in order to diminish the computation costs.

• the structural attack parameter is the logarithm in basis 2 of the complexity of thebest attack to recover the structure of the ideal LRPC code. It consists to look for acodeword of weight d in an ideal LRPC of type [2n, n]2m defined by the parity-checkmatrix (In|H) where

H =

h(X) mod PXh(X) mod P

...Xn−1h(X) mod P

• the generic attack parameter is the logarithm in basis 2 of the complexity of the best

attack to recover the support E. It consists to solve the I-RSD problem for a randomideal code of type [2n, n]2m and an error of weight r.

• pf is the probability of failure of the decoding algorithm. We have chosen the param-eters such that the theoretic upper bound is below 2−30.

• the entropy parameter is the entropy of the subspace E. It is equal to log2

([mw

]q

)and have to be greater than the security parameter. We represent E by a matrix ofsize w ×m in its row echelon form.

• the public key size is the number of bits needed to represent the public key h ∈ Fnqm .It is equal to mn.

17

Page 18: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Name LAKE I LAKE II LAKE IIISecurity 128 192 256

n 47 53 59m 67 89 107d 6 7 8r 5 6 6P X47 +X5 + 1 X53 +X6 +X2 +X + 1 X59 +X7 +X4 +X2 + 1

Structural Attack 130 207 301Generic Attack 146 221 258

pf 2−30 2−32 2−36

Entropy 311 499 607Public key (bits) 3149 4717 6313

1.6.3 LOCKER

In this section, we give some sets of parameters for a security parameters of 128, 192 and256. The names of parameters are the same as the names of the parameters of LAKE.These parameters have been chosen such that the theoretic upper bound of pf is below 2−64

in the first set of parameters, below 2−80 in the second one and below 2−128 in the last one.

Name LOCKER I LOCKER II LOCKER IIISecurity 128 192 256

n 83 83 89m 71 101 107d 7 7 8r 5 5 6P X83 +X7 +X4 +X2 + 1 X83 +X7 +X4 +X2 + 1 X89 +X38 + 1

Structural Attack 133 209 273Generic Attack 144 195 260

pf 2−64 2−64 2−64

Entropy 331 481 607Public key Size (bits) 5893 8383 9523

Table 4: Probability of failure of the decryption algorithm 6 2−64

18

Page 19: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Name LOCKER IV LOCKER V LOCKER VISecurity 128 192 256

n 101 103 103m 79 97 107d 7 8 8r 5 6 6P X101 +X7 +X6 +X + 1 X103 +X9 + 1 X103 +X9 + 1

Structural Attack 136 229 259Generic Attack 157 234 260

pf 2−80 2−80 2−80

Entropy 371 547 607Public key Size (bits) 7979 9991 11021

Table 5: Probability of failure of the decryption algorithm 6 2−80

Name LOCKER VII LOCKER VIII LOCKER IXSecurity 128 192 256

n 149 149 157m 83 101 109d 8 8 9r 5 5 6P X149 +X10 +X9 +X7 + 1 X149 +X10 +X9 +X7 + 1 X157 +X6 +X5 +X2 + 1

Structural Attack 142 196 260Generic Attack 165 192 268

pf 2−128 2−128 2−128

Entropy 391 481 619Public key Size (bits) 12367 15049 17113

Table 6: Probability of failure of the decryption algorithm 6 2−128

2 PerformancesIn this section, we provide concrete performance measures of our implementation.

2.1 Rank Ouroboros

For each parameter set, results have been obtained by running 100,000 random instancesand computing their average execution time. The benchmarks have been performed ona machine running Ubuntu 16.04 LTS. The latter has 32GB of memory and an Intel R©CoreTM i7-4770 CPU @ 3.4GHz for which the Hyper-Threading, Turbo Boost and SpeedStepfeatures were disabled. The scheme have been compiled with gcc (version 7.2.0) usingthe compilation flags -O2 -pedantic. The following third party libraries have been used:openssl (version 1.1.0f), gmp (version 6.1.2) and ntl (version 10.5.0) [14].

19

Page 20: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Reference Implementation

The performances of our reference implementation on the aforementioned benchmark plat-form are described in Tab. 7 (timings in ms) and Tab. 8 (millions of CPU cycles required).

Instance KeyGen Encrypt DecryptRank Ouroboros-I 0.18 0.29 0.53Rank Ouroboros-II 0.19 0.33 0.97Rank Ouroboros-III 0.24 0.40 1.38

Table 7: Timings (in ms) of the reference implementation for different instances of RankOuroboros.

Instance KeyGen Encrypt DecryptRank Ouroboros-I 0.60 0.98 1.78Rank Ouroboros-II 0.65 1.12 3.26Rank Ouroboros-III 0.82 1.39 4.73

Table 8: Millions of cycles of the reference implementation for different instances of RankOuroboros.

2.2 LAKE

The benchmarks were performed on an Intel R©CoreTMi7-4700HQ CPU running @ up to3.40GHz and the software was compiled using GCC (version 6.3.0) with the following com-mand : g++ -O2 -pedantic -Wall -Wextra -Wno-vla.

Reference Implementation

Tab. 9 gives timings (in ms) of the reference implementation on our benchmark platform,and Tab. 10 gives the number of CPU cycles.

Instance Keygen Encap DecapLAKE-I 0.65 0.13 0.53LAKE-II 0.73 0.13 0.88LAKE-III 0.77 0.15 1.24

Table 9: Timings (in ms) of the reference implementation for different instances of LAKE.

20

Page 21: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Instance Keygen Encap DecapLAKE-I 1.58 0.30 1.27LAKE-II 1.74 0.31 2.09LAKE-III 1.79 0.35 2.89

Table 10: Millions of cycles reference implementation for different instances of LAKE.

2.3 LOCKER

The benchmarks were performed on an Intel R©CoreTMi7-4700HQ CPU running @ up to3.40GHz and the software was compiled using GCC (version 6.3.0) with the following com-mand : g++ -O2 -pedantic -Wall -Wextra -Wno-vla.

Reference Implementation

Tab. 11 gives timings (in ms) of the reference implementation on our benchmark platform,and Tab. 12 gives the number of CPU cycles.

Instance Keygen Encap DecapLOCKER-I 1.09 0.22 1.04LOCKER-II 1.33 0.23 1.08LOCKER-III 1.51 0.25 1.58LOCKER-IV 1.51 0.29 1.16LOCKER-V 1.82 0.36 1.80LOCKER-VI 1.94 0.31 1.68LOCKER-VII 3.53 0.56 1.99LOCKER-VIII 3.85 0.56 2.03LOCKER-IX 4.31 0.62 2.76

Table 11: Timings (in ms) of the reference implementation for different instances ofLOCKER.

2.4 Optimized Implementation

No optimized implementation has been provided. As a consequence, the foldersOptimized_Implementation/ and Reference_Implementation/ are identical. Additionalimplementation (optimized variant using vectorization, constant-time implementation...)might be provided later.

21

Page 22: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Instance Keygen Encap DecapLOCKER-I 2.71 0.55 2.57LOCKER-II 3.19 0.23 1.08LOCKER-III 3.58 0.60 3.77LOCKER-IV 3.72 0.71 2.86LOCKER-V 4.36 0.86 4.32LOCKER-VI 4.68 0.75 4.06LOCKER-VII 8.44 1.35 4.78LOCKER-VIII 9.48 1.39 5.00LOCKER-IX 10.4 0.62 2.76

Table 12: Millions of cycles reference implementation for different instances of LOCKER.

3 Known Answer Test ValuesKnown Answer Test (KAT) values have been generated using the script provided bythe NIST. They are available in the folder KAT/Reference_Implementation/. As men-tioned in Sec. 2.4, since the reference and optimized implementations are identical,KAT/Optimized_Implementation/ is just a copy of KAT/Reference_Implementation/.

In addition, we provide, for each parameter set, an example with intermediate values inthe folder KAT/Reference_Implementation/.

Notice that one can generate the aforementioned test files using respectively the katand verbose modes of our implementation. The procedure to follow in order to do so isdetailed in the technical documentation.

4 Security

4.1 Security Models and Hybrid Argument

IND-CPA. IND-CPA is generally proved through the following game: the adversary Achooses two plaintexts µ0 and µ1 and sends them to the challenger who flips a coin b ∈ {0, 1},encrypts µb into ciphertext c and returns c to A. The encryption scheme is said to beIND-CPA secure if A has a negligible advantage in deciding which plaintext c encrypts.This game is formally described hereunder on Fig. 6.The global advantage for polynomial time adversaries (running in time less than t) is:

AdvindE (λ, t) = max

A≤tAdvind

E,A(λ), (3)

where AdvindE,A(λ) is the advantage the adversary A has in winning game Expind−b

E,A (λ):

AdvindE,A(λ) =

∣∣Pr[Expind−1E,A (λ) = 1]− Pr[Expind−0

E,A (λ) = 1]∣∣ . (4)

22

Page 23: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Expind−bE,A (λ)

1. param← Setup(1λ)2. (pk, sk)← KeyGen(param)3. (µ0, µ1)← A(FIND : pk)4. c∗ ← Encrypt(pk, µb, θ)5. b′ ← A(GUESS : c∗)6. RETURN b′

Figure 6: Experiment against the indistinguishability under chosen plaintext attacks

Hybrid argument. Alternatively (and equivalently by the hybrid argument), it is pos-sible to construct a sequence of games from a valid encryption of a first message µ0 to avalid encryption of another message µ1 and show that these games are two-by-two indis-tinguishable. We follow this latter approach and prove the security of our KEM similarlyto [1].

4.2 IND-CPA security proof of Rank Ouroboros

Theorem 4.1. Rank Ouroboros is IND-CPA secure under the 2-QCRSD and 3-QCRSD as-sumptions.

The proof follows the same ideas as the one from [1, Proof of Theorem 1].

Proof. It is worth noticing first that an adversary A succeeds in breaking the scheme if hemanages to recover the support E = Supp (r1, r2, er) given only the public key pk = (h, s)and the transcripts (sr = r1 + hr2, se = sr2 + er). This is exactly an instance of the QCRSRproblem defined in Sec. 1.2 (see Pb. 1.5). It has also been shown in that section that theQCRSR problem is equivalent to the QCRSD problem, and the security reduction exploitsthe equivalence between these problems.

The aim is to prove that an adversary distinguishing one game from another can beexploited to break either the 2-QCRSD or the 3-QCRSD assumption (respectively on [2n, n]or [3n, n] codes) in polynomial time. We are going to proceed in a sequence of gamesmoving from the real world with a valid encryption, to an idealistic version where both theciphertext and the key are random. Let A be a probabilistic polynomial time adversaryagainst the IND-CPA of our scheme and consider the following games where we considerthat A receives the encapsulation at the end of each game.

• Game G1 : This game corresponds to an honest run of the protocol. In particular,the simulator has access to all keys / randomness.

• Game G2 : Now the simulator picks uniformly at random x,y (resulting in a randoms). He then proceeds honestly.

23

Page 24: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

An adversary distinguishing between those two games, can distinguish between a well-formed pk and a random one. The public key in the first game correspond to a valid2-QCRSD instance, while it is a random one in the second.

Hence AdvG1−G2A1,2

≤ Adv(2-QCRSD)(λ)

• Game G3 : Now the simulator also picks uniformly at random er, r1 and r2 and usesthem to generate sr, se. We denote ϕ the operator that on input a vector returns thecorresponding double circulant matrix (see Eq. (1) of Def. 1.1.4).

An adversary has access to:(srse

)=

(In 0 ϕ(h)0 In ϕ(s)

)(r1, er, r2)

>

The syndrome (sr, se) follows the QCRSD distribution in game G2 and the uniformdistribution over (Fn2 )

2 inG3. If an adversary is able to distinguish gamesG2 fromG3,then a simulator can break the underlying problem.

Hence AdvG2−G3A2,3

≤ Adv(3-QCRSD)(λ).

AdvindcpaKEM (A) ≤ Adv2-QCRSD(λ) + Adv3-QCRSD(λ).

Therefore, a PPT adversary A breaking the protocol with non negligible advantage canbe used to solve the QCRSD problem.

4.3 IND-CPA security proof of LAKE

Theorem 4.2. Under the Ideal LRPC indistinguishability 1.3.3 and the Ideal-Rank Sup-port Recovery 1.5 Problems, the KEM presented earlier in section 1.5.2 is indistinguishableagainst Chosen Plaintext Attack in the Random Oracle Model.

Proof. We are going to proceed in a sequence of games. The simulator first starts from thereal scheme. First we replace the public key matrix by a random element, and then we usethe ROM to solve the Ideal-Rank Support Recovery.

We start from the normal game G0: We generate the public key h honestly, and E, calso

• In game G1, we now replace h by a random vector, the rest is identical to the previousgame. From an adversary point of view, the only difference is the distribution on h,which is either generated at random, or as a product of low weight vectors. This isexactly the Ideal LRPC indistinguishability problem, hence

AdvG0A ≤ AdvG1

A + AdvILRPCA

24

Page 25: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

• In game G2, we now proceed as earlier except we receive h, c from a Support Recoverychallenger. After sending c to the adversary, we monitor the adversary queries to theRandom Oracle, and pick a random one that we forward as our simulator answer tothe Ideal-Rank Support Recovery problem. Either the adversary was able to predictthe random oracle output, or with probably 1/qG, we picked the query associatedwith the support E (by qG we denote the number of queries to the random oracle G),hence

AdvG1A ≤ 2−λ + 1/qG · AdvIRSRA

which leads to the conclusion.

4.4 IND-CCA2 security proof of LOCKER

4.4.1 IND-CPA security proof of the LOCKER PKE

Theorem 4.3. Under the Ideal LRPC indistinguishability 1.3.3 and the Ideal-Rank Sup-port Recovery 1.5 Problems, the encryption scheme presented above in indistinguishableagainst Chosen Plaintext Attack in the Random Oracle Model.

Proof. We are going to proceed in a sequence of games. The simulator first starts from thereal scheme. First we replace the public key matrix by a random element, and then we usethe ROM to solve the QC-Rank Support Recovery.

We start from the normal game G0: We generate the public key ~h honestly, and E,~calso

• In game G1, we now replace ~h by a random vector, the rest is identical to the previousgame. From an adversary point of view, the only difference is the distribution on ~h,which is either generated at random, or as a product of low weight vectors. This isexactly the Decisional Uniform Public Key Sampling problem, hence

AdvG0A ≤ AdvG1

A + AdvDUPKSA

• In game G2, we now proceed as earlier except we replace G(E) by random. It canbe shown, that by monitoring the call to the ROM, the difference between this gameand the previous one can be reduced to the QC-Rank Support Recovery problem, sothat:

AdvG1A ≤ 2−λ + 1/qG · AdvQC−RSR

A .

• In a final game G3 we replace ~d = M ⊕ Rand by just ~d = Rand, which leads to theconclusion.

25

Page 26: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

4.5 A IND-CCA2 conversion of the LOCKER PKE

Let E be an instance of the LOCKER cryptosystem as described above. Let G, H, and Kbe hash functions, typically SHA512 as advised by NIST. The KEM-DEM version of theLOCKER cryptosystem is defined as follows (following [11]) :

• Setup(1λ): as before, except that k will be the length of the symmetric key beingexchanged, typically k = 256.

• KeyGen (param): exactly as before.

• Encap (pk): generate m$← Fk (this will serve as a seed to derive the shared

key). Derive the randomness θ ← G(m). Generate the ciphertext c ← (u,v) =E .Encrypt(pk,m, θ), and derive the symmetric key K ← K(m, c). Let d← H(m),and send (c,d).

• Decap (sk, c,d): Decrypt m′ ← E .Decrypt(sk, c), compute θ′ ← G(m′), and (re-)encrypt m′ to get c′ ← E .Encrypt(pk,m′, θ′). If c 6= c′ or d 6= H(m′) then abort.Otherwise, derive the shared key K ← K(m, c).

Figure 7: Description of our proposal LOCKER.KEM.

When applying the HHK [11] framework for the Fujisaki-Okamoto transformation, onecan show that the final transformation is CCA-2 secure such that:

AdvCCA−2A ≤ qG · δ + qV · 2−γ +

2qG + 1

|M|+ 3AdvCPA

A

As our scheme is CPA secure, the last term is negligible, we can handle exponentiallylarge message space for a polynomial number of query, so the previous is too.

As shown before, our scheme is gamma-spread so again for a polynomial number ofverification query, the term in qV is negligible.

The tricky term remaining is qG · δ, this is the product of the number of queries to therandom oracle, by the probability of generating an decipherable ciphertext in an honestexecution. For real application, we want schemes to be correct enough so that the proba-bility of such occurrence is very small. This often leads, in application in running with aprobability of a magnitude of 2−64. This may seem not low enough for pure cryptographicsecurity, however it should be noted this number, corresponds to the number of request,adversarially generated where the simulator gives an honest answer to a decryption query,which would mean that a single user would be able to do as many queries as expected bythe whole targeted users in a live application, so a little trade-off at this level seems morethan fair.

26

Page 27: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

5 Known AttacksThere exist different ways to attack our cryptosystems depending on which one is attacked.If the opponent try to attack LAKE or LOCKER: either he can try to recover the structureof the ideal LRPC code by searching a codeword of weight d in the ideal code generatedby h, or he can try to solve an instance of the IRSR problem 1.5 of weight r for a randomideal code. In the case of Rank Ouroboros, he can only try to solve an instance the QCRSDproblem for a random quasi-cyclic code (see Section 1.6.1 for more details).

There exist two types of generic attacks on these problems:

• the combinatorial attacks where the goal is to find the support of the error or of thecodeword.

• the algebraic attacks where the opponent tries to solve an algebraic system by Groeb-ner basis.

First, we deal with the combinatorial attacks, both in the generic case and in the QC LRPCcase and in a third subsection we discuss about the algebraic attacks.

5.1 Generic attacks

For C a [n, k] rank codes over Fqm the best combinatorial attacks to decode a word with anerror of weight r is in:

O((nm)3qrd

m(k+1)n e−m

)This attack is an improvement of a previous attack described in [6], a detailed description

of the attack can be found in [3]. The general idea of the attack is to adapt the InformationSet Decoding attack for Hamming distance to rank metric. For rank metric the attackertries to guess a subspace which contains the support of the error and test whether the choiceof the subspace contains the support of the error or not, by solving a system of syndromeequations. There is no known attack which uses the quasi-cyclicity or the ideal structureof a code to improve this attack.

The complexity of the best attack against IRSR problem is the same since there is noknown way to compute the support of an error without first computing this error.

5.2 Structural attack against ideal LRPC codes

Let C be an [2n, n]qm ideal LRPC code generated by the two polynomials (x,y) of supportF of dimension d. Let h = x−1y which generates the systematic parity-check matrix of C.The problem is to recover the structure of C, given only access to h.

The most efficient known attack is to find a codeword of weight d in the dual code C⊥generated by h. The best algorithm is the same decoding algorithm used in the previous

27

Page 28: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

subsection [3]. Its complexity is in:

O(n3m3qdd

m2 e−m

)However its complexity is better in the case of the dual of an ideal LRPC code than in a

random code with the same parameters. Indeed, let H be the matrix of size nn generatedby (x,y). By definition, H is a generator matrix of C⊥. Let (hi)16i6n be the rows of H .For all 1 6 i 6 n, Supp(hi) = F =⇒ C⊥ contains qn codewords of the same support, sothe complexity of the algorithm is divided by qn. Thus, the complexity of the attack is

O(n3m3qdd

m2 e−m−n

)We have used this formula to choose the parameters of LAKE and LOCKER.

There exists a specific attack on the ideal LRPC codes which can be found in [9]. Inthis article, the authors present an attack against double circulant LRPC codes but it canbe adapted straightforwardly in the case of ideal LRPC codes. However, the crucial pointof this attack is that the polynomial Xn − 1 has always X − 1 as divisor and may havemany more factors depending on n and q. In the case of ideal LRPC codes, we can choosean irreducible polynomial P of degree n of Fq[X] to generate the quotient-ring Fq[X]/(P ),which completely negates this specific attack.

5.3 Algebraic attacks

The second way to solve the equations of the systemHe = c is to use the Groebner basis [12].The advantage of these attacks is that they are independent of the size of q. They mainlydepend on the number of unknowns with respect to the number of equations. However,in the case q = 2 the number of unknowns is generally too high for that the algorithmsby Groebner basis are more efficient than the combinatorial attacks. We have chosen ourparameters such that the best attacks are combinatorial, the expected complexity of thealgorithms by Groebner basis is based on the article [4].

6 Advantages and Limitations

6.1 Strengths

The proposed schemes are very efficient, both in terms of size of keys and computationalcomplexity. They also benefit from a constant time decoding algorithm and its failureprobability is very well studied and estimated and can easily be chosen to meet securitystandards. Moreover, the choice of parameters is very versatile. For LAKE and LOCKER,there is a reduction to a well understood generic problem IRSD, which is a natural general-ization of Quasi-Cyclic RSD problem. This type of problems has been used for many yearsfor Hamming and Euclidean distances.

28

Page 29: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

Rank Ouroboros also benefit from the nice features of the LRPC protocol but with a tightreduction to the generic 2s-QCRSD problems. It comes at price, since the ciphertext sizeis doubled, but due to the inherent difficulty of decoding codes in rank metric, parametersare rather low, and compare very well to other type of protocols.

6.2 Limitations

Rank metric has very nice features, but the use of rank metric for cryptographic purposesis not very old (1991). It may seems as a limitation, but still in recent years there havebeen a lot of activities on understanding the inherent computational difficulty of the relatedproblems and it seems very hard to improve on their general complexity.

like for nay cryptosystems à la McEliece, LAKE and LOCKER security proofs rely onthe hardness of retrieving the structure of a structured code, in our case the LRPC codes.However, this problem has been also studied for Hamming and euclidean metrics and isconsidered hard by the community (for instance, MDPC and NTRU-like cryptosystems arebased on it).

References[1] Carlos Aguilar Melchor, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit,

and Gilles Zémor. Efficient encryption from random quasi-cyclic codes. CoRR,abs/1612.05572, 2016.

[2] Nicolas Aragon, Philippe Gaborit, Adrien Hauteville, Olivier Ruatta, and Gilles Zémor.Low rank parity check codes: New decoding algorithms and application to cryptogra-phy. Available on ArXiv, 2018.

[3] Nicolas Aragon, Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. A newalgorithm for solving the rank syndrome decoding problem. In Proc. IEEE Int. Sym-posium Inf. Theory - ISIT, Vail, USA, 2018. IEEE.

[4] Luk Bettale, Jean-Charles Faugere, and Ludovic Perret. Hybrid approach for solvingmultivariate systems over finite fields. Journal of Mathematical Cryptology, 3(3):177–197, 2009.

[5] Philippe Gaborit, Gaétan Murat, Olivier Ruatta, and Gilles Zémor. Low rank par-ity check codes and their application to cryptography. In Proceedings of the Work-shop on Coding and Cryptography WCC’2013, Bergen, Norway, 2013. Available onwww.selmer.uib.no/WCC2013/pdfs/Gaborit.pdf.

[6] Philippe Gaborit, Olivier Ruatta, and Julien Schrek. On the complexity of the ranksyndrome decoding problem. IEEE Trans. Information Theory, 62(2):1006–1019, 2016.

29

Page 30: ROLLO ank-Ouroboros, LAKE LOCKER · 2019-06-14 · ROLLO - Rank-Ouroboros, LAKE & LOCKER November 28, 2018 ROLLO is a compilation of three candidates to NIST’s competition for post-quantum

[7] Philippe Gaborit and Gilles Zémor. On the hardness of the decoding and the minimumdistance problems for rank codes. IEEE Trans. Information Theory, 62(12):7245–7252,2016.

[8] Adrien Hauteville and Jean-Pierre Tillich. New algorithms for decoding in the rankmetric and an attack on the LRPC cryptosystem, 2015. abs/1504.05431.

[9] Adrien Hauteville and Jean-Pierre Tillich. New algorithms for decoding in the rankmetric and an attack on the LRPC cryptosystem. In Proc. IEEE Int. Symposium Inf.Theory - ISIT 2015, pages 2747–2751, Hong Kong, China, June 2015.

[10] Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. NTRU: A ring-based publickey cryptosystem. In Joe Buhler, editor, Algorithmic Number Theory, Third Interna-tional Symposium, ANTS-III, Portland, Oregon, USA, June 21-25, 1998, Proceedings,volume 1423 of LNCS, pages 267–288. Springer, 1998.

[11] Dennis Hofheinz, Kathrin Hövelmanns, and Eike Kiltz. A modular analysis of theFujisaki-Okamoto transformation. In Theory of Cryptography Conference, pages 341–371. Springer, 2017.

[12] Françoise Lévy-dit Vehel and Ludovic Perret. Algebraic decoding of codes in rankmetric. In proceedings of YACC06, Porquerolles, France, June 2006. available onhttp://grim.univ-tln.fr/YACC06/abstracts-yacc06.pdf.

[13] Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier, and Paulo S. L. M. Barreto.MDPC-McEliece: New McEliece variants from moderate density parity-check codes.In Proc. IEEE Int. Symposium Inf. Theory - ISIT, pages 2069–2073, 2013.

[14] Victor Shoup. Ntl: A library for doing number theory., 2001.

30