Two Attacks on Rank Metric Code-Based Schemes: RankSign and an IBE Scheme

RankSign [30] is a code-based signature scheme submitted to the NIST competition for quantum-safe cryptography [5] and, moreover, is a fundamental building block of a new Identity-Based Encryption (IBE) scheme [26]. This signature scheme is based on the rank metric and enjoys remarkably small key sizes, about 10 KBytes for an intended security level of 128 bits. Unfortunately, we show that all the parameters proposed for this scheme in [5] can be broken by an algebraic attack that exploits the fact that the augmented LRPC codes used in this scheme have very low weight codewords. Therefore, without RankSign the IBE cannot be instantiated at this time. As a second contribution we show that the problem runs deeper than finding a new signature scheme in rank-based cryptography: we also found an attack on the generic problem on which the IBE's security reduction relies. However, contrary to the RankSign scheme, it seems that the parameters of the IBE scheme could be chosen so as to avoid our attack. Finally, we have also shown that if one replaces the rank metric in the IBE scheme of [26] by the Hamming metric, then a devastating attack can be found.

[1] Ernest F. Brickell et al. An Observation on the Security of McEliece's Public-Key Cryptosystem. 1988, EUROCRYPT.

[2] Adrien Hauteville et al. Identity-Based Encryption from Codes with Rank Metric. 2017, CRYPTO.

[3] Eugene Prange et al. The use of information sets in decoding cyclic codes. 1962, IRE Trans. Inf. Theory.

[4] Ernst M. Gabidulin. Attacks and counter-attacks on the GPT public key cryptosystem. 2008, Des. Codes Cryptogr.

[5] Tanja Lange et al. Smaller decoding exponents: ball-collision decoding. 2011, IACR Cryptol. ePrint Arch.

[6] Jacques Stern et al. A method for finding codewords of small weight. 1989, Coding Theory and Applications.

[7] Jeffrey Shallit et al. The Computational Complexity of Some Problems of Linear Algebra. 1996, J. Comput. Syst. Sci.

[8] Michael Alekhnovich. More on Average Case vs Approximation Complexity. 2011, Computational Complexity.

[9] Philippe Gaborit et al. On the Complexity of the Rank Syndrome Decoding Problem. 2013, IEEE Transactions on Information Theory.

[10] Jean-Pierre Tillich et al. Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme. 2018, arXiv 1804.02556.

[11] Ernst M. Gabidulin et al. Modified GPT PKC with Right Scrambler. 2001, Electron. Notes Discret. Math.

[12] Gilles Zémor et al. New Results for Rank-Based Cryptography. 2014, AFRICACRYPT.

[13] Antoine Joux et al. Decoding Random Binary Linear Codes in $2^{n/20}$: How 1+1=0 Improves Information Set Decoding. 2012, IACR Cryptol. ePrint Arch.

[14] Gilles Zémor et al. On the Hardness of the Decoding and the Minimum Distance Problems for Rank Codes. 2016, IEEE Transactions on Information Theory.

[15] Matthieu Finiasz et al. How to Achieve a McEliece-Based Digital Signature Scheme. 2001, ASIACRYPT.

[16] Ernst M. Gabidulin et al. Ideals over a Non-Commutative Ring and their Applications in Cryptology. 1991, EUROCRYPT.

[17] Nico Döttling et al. From Selective IBE to Full IBE and Selective HIBE. 2017, TCC.

[18] Nico Döttling et al. Identity-Based Encryption from the Diffie-Hellman Assumption. 2017, CRYPTO.

[19] Matthew K. Franklin et al. Identity-Based Encryption from the Weil Pairing. 2001, CRYPTO.

[20] Adi Shamir et al. Identity-Based Cryptosystems and Signature Schemes. 1984, CRYPTO.

[21] Nicolas Courtois et al. Efficient Zero-Knowledge Authentication Based on a Linear Algebra Problem MinRank. 2001, ASIACRYPT.

[22] Nico Döttling et al. New Constructions of Identity-Based and Key-Dependent Message Secure Encryption Schemes. 2018, Public Key Cryptography.

[23] Craig Gentry et al. Trapdoors for hard lattices and new cryptographic constructions. 2008, IACR Cryptol. ePrint Arch.

[24] Alexander Meurer et al. Decoding Random Linear Codes in $\tilde{\mathcal{O}}(2^{0.054n})$. 2011, ASIACRYPT.

[25] Gilles Zémor et al. Low Rank Parity Check codes and their application to cryptography. 2013.

[26] Adi Shamir et al. Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. 1999, CRYPTO.

[27] Jean-Charles Faugère et al. Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology. 2010, ISSAC.

[28] Gilles Zémor et al. RankSign: An Efficient Signature Algorithm Based on the Rank Metric. 2014, PQCrypto.

[29] Ludovic Perret et al. Cryptanalysis of MinRank. 2008, CRYPTO.

[30] Elwyn R. Berlekamp et al. On the inherent intractability of certain coding problems (Corresp.). 1978, IEEE Trans. Inf. Theory.

[31] Matthieu Finiasz et al. Security Bounds for the Design of Code-Based Cryptosystems. 2009, ASIACRYPT.

[32] Pierre Loidreau et al. Asymptotic behaviour of codes in rank metric over finite fields. 2012, Designs, Codes and Cryptography.

[33] Alexander May et al. On Computing Nearest Neighbors with Applications to Decoding of Binary Linear Codes. 2015, EUROCRYPT.