Nicolas Aragon

Nicolas Aragon, Marco Baldi, Jean-Christophe Deneuville et al.

We present an attack against a code-based signature scheme based on the Lyubashevsky protocol that was recently proposed by Song, Huang, Mu, Wu and Wang (SHMWW). The private key in the SHMWW scheme contains columns coming in part from an identity matrix and in part from a random matrix. The existence of two types of columns leads to a strong bias in the distribution of set bits in produced signatures. Our attack exploits such a bias to recover the private key from a bunch of collected signatures. We provide a theoretical analysis of the attack along with experimental evaluations, and we show that as few as 10 signatures are enough to be collected for successfully recovering the private key. As for previous attempts of adapting Lyubashevsky's protocol to the case of code-based cryptography, the SHMWW scheme is thus proved unable to provide acceptable security. This confirms that devising secure code-based signature schemes with efficiency comparable to that of other post-quantum solutions (e.g., based on lattices) is still a challenging task.

Nicolas Aragon, Philippe Gaborit, Gilles Zémor

The HQC encryption framework is a general code-based encryption scheme for which decryption returns a noisy version of the plaintext. Any instantiation of the scheme will therefore use an error-correcting procedure relying on a fixed auxiliary code. Unlike the McEliece encryption framework whose security is directly related to how well one can hide the structure of an error-correcting code, the security reduction of the HQC encryption framework is independent of the nature of the auxiliary decoding procedure which is publicly available. What is expected from it is that the decoding algorithm is both efficient and has a decoding failure rate which can be easily modelized and analyzed. The original error-correction procedure proposed for the HQC framework was to use tensor products of BCH codes and repetition codes. In this paper we consider another code family for removing the error vector deriving from the general framework: the concatenation of Reed-Muller and Reed-Solomon codes. We denote this instantiation of the HQC framework by HQC-RMRS. These codes yield better decoding results than the BCH and repetition codes: overall we gain roughly 17\% in the size of the key and the ciphertext, while keeping a simple modelization of the decoding error rate. The paper also presents a simplified and more precise analysis of the distribution of the error vector output by the HQC protocol.

Nicolas Aragon, Philippe Gaborit, Adrien Hauteville et al.

We introduce a new family of rank metric codes: Low Rank Parity Check codes (LRPC), for which we propose an efficient probabilistic decoding algorithm. This family of codes can be seen as the equivalent of classical LDPC codes for the rank metric. We then use these codes to design cryptosystems à la McEliece: more precisely we propose two schemes for key encapsulation mechanism (KEM) and public key encryption (PKE). Unlike rank metric codes used in previous encryption algorithms -notably Gabidulin codes - LRPC codes have a very weak algebraic structure. Our cryptosystems can be seen as an equivalent of the NTRU cryptosystem (and also to the more recent MDPC \cite{MTSB12} cryptosystem) in a rank metric context. The present paper is an extended version of the article introducing LRPC codes, with important new contributions. We have improved the decoder thanks to a new approach which allows for decoding of errors of higher rank weight, namely up to $\frac{2}{3}(n-k)$ when the previous decoding algorithm only decodes up to $\frac{n-k}{2}$ errors. Our codes therefore outperform the classical Gabidulin code decoder which deals with weights up to $\frac{n-k}{2}$. This comes at the expense of probabilistic decoding, but the decoding error probability can be made arbitrarily small. The new approach can also be used to decrease the decoding error probability of previous schemes, which is especially useful for cryptography. Finally, we introduce ideal rank codes, which generalize double-circulant rank codes and allow us to avoid known structural attacks based on folding. To conclude, we propose different parameter sizes for our schemes and we obtain a public key of 3337 bits for key exchange and 5893 bits for public key encryption, both for 128 bits of security.