CODE-BASED CRYPTOGRAPHY: STATE OF THE ART
PART II
Edoardo Persichetti
19 March 2019
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 1 / 27
IN THIS TALK
Structured Codes
Sparse-Matrix Codes
Rank Metric
Conclusions
Part I
STRUCTURED CODES
STRUCTURED CODES
The traditional approach at current security levels produces very large keys: several Kb to ≈ 1 Mb (Classic McEliece/NTS-KEM).
The problem: the public key is a large matrix, of size $O(n^2)$.
Idea: a public matrix with a compact description (Gaborit ’05).
This would allow the public key to be described more efficiently.
Need families of codes with a particular automorphism group.
EXAMPLES IN LITERATURE
Quasi-Cyclic Codes (Berger, Cayrel, Gaborit, Otmani ’09).
Quasi-Dyadic Codes (Misoczki, Barreto ’09).
SECURITY
Several families have a QC/QD description: GRS, Goppa, Generalized Srivastava (P. ’11).
Problem: extra structure = extra information for the attacker.
Critical algebraic attack (Faugère, Otmani, Perret, Tillich ’10).
Solve a system of equations derived from $H \cdot G^{T} = 0$ to recover the private key.
The QC/QD + algebraic structure is crucial to reduce the number of unknowns of the system.
After a few years of fixes and new attacks: keys getting bigger, confidence/interest getting smaller (Faugère, Otmani, Perret, de Portzamparc, Tillich ’16; Barelli-Couvreur ’18).
CASE STUDY: NIST SUBMISSIONS
BIG QUAKE: based on Quasi-Cyclic Binary Goppa Codes
Designed in a conservative way.
BIG QUAKE parameters (bytes):

| q | m | n | t | PK Size | SK Size | Ciph Size | Security |
|---|---|---|---|---|---|---|---|
| 2 | 18 | 10,070 | 190 | 149,625 | 41,804 | 492 | 5 |
| 2 | 18 | 7,410 | 152 | 84,132 | 30,860 | 406 | 3 |
| 2 | 12 | 3,510 | 91 | 25,389 | 14,772 | 201 | 1 |

DAGS: based on Quasi-Dyadic q-ary Generalized Srivastava Codes
A more aggressive choice of parameters.
DAGS parameters (bytes):

| q | m | n | t | PK Size | SK Size | Ciph Size | Security |
|---|---|---|---|---|---|---|---|
| 2^8 | 2 | 1,600 | 176 | 19,712 | 6,400 | 1,632 | 5 |
| 2^8 | 2 | 1,216 | 176 | 11,264 | 4,864 | 1,248 | 3 |
| 2^6 | 2 | 832 | 104 | 8,112 | 2,496 | 656 | 1 |
Part II
SPARSE-MATRIX CODES
SPARSE-MATRIX CODES
A family of codes characterized by a very sparse parity-check matrix.
DEFINITION 1 (LDPC CODE). An $[n, k]$ binary linear code which admits a parity-check matrix of constant row weight $w \in O(1)$.
If we write $H = (H_0 \mid H_1)$, of size $r \times k$ and $r \times r$ respectively, then $G = (I_k \mid H_0^{T} H_1^{-T})$.
The non-trivial block is dense, so this is a natural choice of public key for McEliece.
Decodable with a very efficient probabilistic “bit flipping” algorithm (Gallager ’63), with a small decoding failure rate (DFR).
SECURITY
Distinguishing the public matrix ⇔ looking for low-weight codewords in the dual.
This is also a decoding problem! So we have essentially one assumption.
Best attacks: generic “search” algorithms like Information-Set Decoding (ISD).
MDPC: “relaxed” version of LDPC (Misoczki, Tillich, Sendrier and Barreto ’12).
Change the weight $w$ from very low (≈ 10) to “moderate” ($O(\sqrt{n})$).
Still decodable; the gain in security makes up for the degradation.
STRUCTURES SPARSE-MATRIX CODES
Using “plain” LDPC/MDPC is not practical due to long code lengths.
It is possible to build QC-LDPC/MDPC codes and have compact keys.
Matrices formed by circulant blocks
$$
\begin{pmatrix}
a_0 & a_1 & \cdots & a_{p-1} \\
a_{p-1} & a_0 & \cdots & a_{p-2} \\
\vdots & \vdots & \ddots & \vdots \\
a_1 & a_2 & \cdots & a_0
\end{pmatrix}
$$
These correspond to ideals of $R = \mathbb{F}_2[x]/(x^p - 1)$: describe them using ring arithmetic.
Sparse-matrix codes don’t possess inherent algebraic structure.
The QC property alone does not provide a structural attack.
SPARSE-MATRIX MCELIECE
KEY GENERATION
Choose $h_0, h_1$ in $R$ of combined weight $w$.
SK: parity-check matrix formed by the circulant blocks $h_0, h_1$.
PK: generator matrix formed by the identity and $g = h_0 h_1^{-1}$.
ENCRYPTION
Take message $\mu \in R$.
Sample vectors $e_0, e_1$ in $R$ of combined weight $t$.
Output $c = (\mu + e_0,\ \mu \cdot g + e_1)$.
DECRYPTION
Set $(e_0, e_1) = \mathrm{DecodeBitFlipping}(c)$.
Return $\bot$ if decoding fails.
Else recover $\mu$ (truncate).
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 12 / 27
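The three steps above as a runnable toy, added here as an example and not code from the talk or from BIKE/LEDAcrypt: elements of R = F2[x]/(x^p − 1) are Python ints, the syndrome is computed as c0·h0 + c1·h1 in R, and the decoder returns None for ⊥. Assumed for the demonstration: p = 101 (so odd-weight elements other than all-ones are units and h1^{-1} = h1^(2^(p−1)−2)), d = 5, t = 2, and a fixed secret support chosen so that the max-counter bit-flipping rule is provably correct, instead of the randomly sampled keys and the parameter sizes of a real scheme.

```python
import random

# Toy sparse-matrix (QC-MDPC) McEliece over R = F2[x]/(x^p - 1); constructed
# example, not BIKE/LEDAcrypt code. p = 101: 2 is a primitive root mod 101,
# so R = F2 x F_{2^100} and every odd-weight element other than the all-ones
# word is a unit. d = 5 ones per secret block (w = 10), t = 2 errors.
# An element of R is a Python int whose bit i is the coefficient of x^i.
P = 101
MASK = (1 << P) - 1

def weight(a):
    return bin(a).count("1")

def rot(a, j):
    """x^j * a in R: cyclic shift of the coefficient vector by j."""
    j %= P
    return ((a << j) | (a >> (P - j))) & MASK

def mul(a, b):
    """Product in R: carry-less multiply, then fold bit P+i onto bit i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return (r & MASK) ^ (r >> P)

def inv(a):
    """a^-1 = a^(2^(P-1) - 2): units of R have order dividing 2^(P-1) - 1
    because 2 is primitive mod P (x^P - 1 = (x + 1) * irreducible)."""
    if weight(a) % 2 == 0 or a == MASK:
        raise ValueError("not a unit of R")
    result, base, exp = 1, a, (1 << (P - 1)) - 2
    while exp:
        if exp & 1:
            result = mul(result, base)
        base = mul(base, base)
        exp >>= 1
    return result

def keygen():
    """SK = (h0, h1), PK = g = h0 * h1^-1 (generator matrix [I | g]).
    The supports are fixed here (a real scheme samples them) and chosen so
    that all pairwise and cross differences are distinct mod P: any two
    distinct columns of H = [h0 | h1] then share at most one parity check,
    which makes the bit-flipping decoder below provably correct for t = 2."""
    h0 = sum(1 << i for i in (0, 1, 3, 7, 12))
    h1 = sum(1 << i for i in (20, 35, 52, 70, 90))
    return (h0, h1), mul(h0, inv(h1))

def sample_error(t, rng):
    """(e0, e1) of combined weight t over the 2P coordinate positions."""
    e = [0, 0]
    for pos in rng.sample(range(2 * P), t):
        e[pos // P] |= 1 << (pos % P)
    return e[0], e[1]

def encrypt(g, mu, e0, e1):
    """c = (mu + e0, mu * g + e1); addition in R is XOR."""
    return mu ^ e0, mul(mu, g) ^ e1

def syndrome(sk, c):
    """s = c0 * h0 + c1 * h1: the codeword part cancels (g * h1 = h0),
    leaving e0 * h0 + e1 * h1 = XOR of the columns of H hit by the error."""
    return mul(c[0], sk[0]) ^ mul(c[1], sk[1])

def decode_bit_flipping(sk, s, max_iter=20):
    """Return (e0, e1) with e0*h0 + e1*h1 = s, or None on decoding failure.
    Column (i, j) of H is x^j * h_i; its counter is the number of unsatisfied
    checks it touches. Rule: flip every position whose counter is maximal."""
    e = [0, 0]
    for _ in range(max_iter):
        if s == 0:
            return e[0], e[1]
        counters = [(weight(rot(sk[i], j) & s), i, j)
                    for i in range(2) for j in range(P)]
        thr = max(cnt for cnt, _, _ in counters)
        for cnt, i, j in counters:
            if cnt == thr:
                e[i] ^= 1 << j
                s ^= rot(sk[i], j)     # flipping a bit flips its checks
    return (e[0], e[1]) if s == 0 else None

def decrypt(sk, c):
    """Return mu, or None (the slide's bottom symbol) if decoding fails."""
    err = decode_bit_flipping(sk, syndrome(sk, c))
    if err is None:
        return None
    return c[0] ^ err[0]               # mu = c0 - e0: truncate to block 0

if __name__ == "__main__":
    sk, pk = keygen()
    rng = random.Random(2019)
    mu, (e0, e1) = rng.getrandbits(P), sample_error(2, rng)
    c = encrypt(pk, mu, e0, e1)
    print("PK bytes:", (P + 7) // 8, "recovered:", decrypt(sk, c) == mu)
```

With this key any weight-2 error is decoded in at most two rounds: an error column meets at least 4 unsatisfied checks, every other column at most 2, so the max-counter rule never flips a correct position.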
BIKE
Suite of KEM schemes based on the bit-flipping decoder and QC-MDPC codes.
Three variants, independently published.
1, 2: CAKE (Barreto, Gueron, Guneysu, Misoczki, P., Sendrier, Tillich, ’17).
3: Ouroboros (Deneuville, Gaborit, Zemor, ’17).
BIKE-1: use McEliece and non-systematic generator matrix to avoid polynomial inversion and save time (latency).
BIKE-2: use Niederreiter and systematic parity-check with (possibly) pre-computed keys to save space (bandwidth).
BIKE-3: use “noisy” decoder to have simpler security reduction.
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 13 / 27
LEDACRYPT
Based on QC-LDPC codes.
Two variants from same basis: KEM (Niederreiter) / PKE (McEliece).
Following a long line of work from Baldi, Chiaraluce et al. (2007 onwards).
Variable number of blocks n0 = 2, 3, 4.
Private key is made dense via secret matrix Q → ≈ QC-MDPC.
Specialized “Q-decoder” provides better decoding performance.
Sizes comparable to BIKE.
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 14 / 27
SAMPLE PARAMETERS: LEVEL 1
BIKE offers a noticeable tradeoff.
BIKE parameters (bytes):
BIKE-#   p       w    t    PK Size  SK Size  Ciph Size
1        10,163  142  134  2,541    267      2,541
2        10,163  142  134  1,271    267      1,271
3        11,027  134  154  2,757    252      2,757
Below we present LEDAkem for ease of comparison.
LEDAkem parameters (bytes):
n0   p       w   t    PK Size  SK Size  Ciph Size
2    15,013  9   143  1,880    468      1,880
3    9,643   13  90   2,416    604      1,208
4    8,467   11  72   3,192    716      1,064
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 15 / 27
DECODING FAILURES ARE BAD!
Problem 1: reaction attacks (Guo, Johansson, Stankovski, ’16).
Observe decryption of several (≈ 300 million) ciphertexts: analyze decoding failures to reconstruct private key (distance spectrum).
Solution: use ephemeral keys.
Problem 2: IND-CCA security.
IND-CCA conversions require perfect correctness or at least trivial DFR (≈ $2^{-128}$).
Decoding algorithms have (currently) DFR around $10^{-7}$ to $10^{-9}$.
Solution: all variants only claim IND-CPA security.
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 16 / 27
NEW DEVELOPMENTS
New, improved BIKE decoder (Sendrier, Vasseur, ’19).
Possible to adjust block length to achieve desired DFR.
BIKE will feature IND-CCA version with static keys in Round 2.
5 out of 7 code-based NIST submissions in Round 2 use QC structure.
Is there any other structure we can use? Can we generalize this, do it better/differently?
Use alternative Reproducible Codes (Santini, P., Baldi, ’18).
Can possibly negate DOOM speedup and reaction attacks.
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 17 / 27
The seven code-based Round 2 submissions: BIKE, Classic McEliece, HQC, LEDAcrypt, NTS-KEM, ROLLO, RQC.
Part III
RANK METRIC
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 18 / 27
RANK METRIC
One of the alternative metrics used in Coding Theory.
RANK METRIC
Let $x \in \mathbb{F}_{q^m}^n$ and $\beta = (\beta_1, \ldots, \beta_m)$ a basis for $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$.
$\mathrm{wt}_R(x) = \mathrm{Rank}(\phi_\beta(x))$, where $\phi_\beta$ is the projection over $\mathbb{F}_q$ (columns).
$d_R(x, y) = \mathrm{wt}_R(x - y)$.
So rank metric codes are matrix codes.
[n, k] RANK METRIC LINEAR CODE OVER $\mathbb{F}_{q^m}$
A subspace of dimension $k$ of $\mathbb{F}_{q^m}^n$ (Gabidulin, ’85).
A subspace of dimension $k$ of $\mathbb{F}_q^{m \times n}$ (Delsarte, ’78).
SUPPORT OF A WORD
$\mathrm{Supp}(x) = \mathrm{span}\langle x_1, \ldots, x_n \rangle_{\mathbb{F}_q}$.
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 19 / 27
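The definitions above carried out for q = 2, as an added example (not from the talk): an element of F_{2^m} is an int whose bits are its coordinates in a fixed F2-basis β, so φ_β(x) is the m×n bit matrix with column j equal to x_j, and wt_R(x) is computed as dim Supp(x) by XOR elimination. m = 4, n = 6 and the words X, Y, Z are constructed.

```python
# Rank weight, rank distance and support for words over F_{2^m} (q = 2),
# constructed example matching the slide's definitions. An element of F_{2^m}
# is an int whose m bits are its coordinates in a fixed F2-basis beta, so
# phi_beta(x) is the m x n bit matrix whose j-th column is x_j, and
# wt_R(x) = Rank(phi_beta(x)) = dim_F2 Supp(x) = dim span<x_1, ..., x_n>_F2.

def phi_beta(x, m):
    """The m x n matrix over F2: row i holds bit i of every coordinate x_j."""
    return [[(a >> i) & 1 for a in x] for i in range(m)]


def xor_basis(vectors, m):
    """Echelon basis of the F2-span of the given ints, one pivot per leading bit."""
    pivots = [0] * m                 # pivots[i]: basis element with leading bit i
    for v in vectors:
        for i in range(m - 1, -1, -1):
            if not (v >> i) & 1:
                continue
            if pivots[i] == 0:
                pivots[i] = v        # v is new; its bits above i are already zero
                break
            v ^= pivots[i]           # eliminate bit i and keep reducing
    return [p for p in pivots if p]


def support(x, m):
    """Supp(x): the F2-subspace of F_{2^m} spanned by the coordinates, as a basis."""
    return xor_basis(x, m)


def rank_weight(x, m):
    """wt_R(x): number of F2-independent coordinates = rank of phi_beta(x)."""
    return len(support(x, m))


def rank_distance(x, y, m):
    """d_R(x, y) = wt_R(x - y); over F2, subtraction is coordinate-wise XOR."""
    return rank_weight([a ^ b for a, b in zip(x, y)], m)


def hamming_weight(x):
    return sum(1 for a in x if a)


M = 4                       # F_{2^4} over F2, basis (1, alpha, alpha^2, alpha^3)
ALPHA = 0b0010              # the basis element alpha itself
# Constructed words of length n = 6:
X = [ALPHA, ALPHA, ALPHA, 0, 0, 0]                    # Hamming 3, rank 1
Y = [0b0001, 0b0010, 0b0100, 0b0011, 0, 0]            # 0b0011 = 1 + alpha
Z = [0b1111, 0b1110, 0b0001, 0b1001, 0b0110, 0b1000]  # Hamming 6, rank 3

if __name__ == "__main__":
    for name, w in (("X", X), ("Y", Y), ("Z", Z)):
        print(name, "Hamming", hamming_weight(w), "rank", rank_weight(w, M),
              "Supp basis", [format(b, "04b") for b in support(w, M)])
    print("d_R(X, Y) =", rank_distance(X, Y, M))
```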
![Page 79: Code-based Cryptography: State of the Art - Part II · Need families of codes with particularautomorphism group. EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 4](https://reader034.vdocuments.site/reader034/viewer/2022050504/5f96023366781e63d40a02a1/html5/thumbnails/79.jpg)
RANK METRIC
One of alternative metrics used in Coding Theory.
RANK METRIC
Let x ∈ Fnqm and β = (β1, . . . , βm) basis for Fqm over Fq .
wtR(x) = Rank(φβ(x)), where φβ is projection over Fq (columns).dR(x , y) = wtR(x − y).
So rank metric codes are matrix codes.
[n, k ] RANK METRIC LINEAR CODE OVER Fqm
A subspace of dimension k of Fnqm (Gabidulin, ’85).
A subspace of dimension k of Fm×nq (Delsarte, ’78).
SUPPORT OF A WORD
Supp(x) = span < x1, . . . , xn >Fq .
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 19 / 27
THE RANK METRIC WORLD
Possible to “translate” many concepts from the Hamming metric.
Singleton Bound on the largest minimum distance (MRD codes).
GV Bound on the size of spheres.
Syndrome Decoding Problem (RSD): proved to be NP-Hard.
Few families with an efficient decoding algorithm.
Gabidulin codes: ≈ Reed-Solomon.
Low-Rank Parity-Check codes (LRPC): ≈ LDPC.
Generic attack: rank equivalent of ISD, combinatorial (Chabaud, Stern, ’96).
Structural attacks exist (Gibson, ’95, ’96; Overbeck, ’05; Debris-Alazard, Tillich, ’18).
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 20 / 27
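The definitions on the two slides above (rank weight, rank distance and support of a word, and the size of the rank-metric spheres that enters the GV bound), worked through as an added example. This code is not part of the talk nor of any scheme it discusses. It assumes $q = 2$, $m = 4$, stores elements of $\mathbb{F}_{16}$ as 4-bit integers in the polynomial basis $\beta = (1, a, a^2, a^3)$ (so $\varphi_\beta(x_i)$ is just the bit vector of $x_i$), and uses only the $\mathbb{F}_2$-linear structure, so no field multiplication is implemented.

```python
# Added example (not from the slides): rank weight, rank distance, support,
# and brute-force counting of rank-metric spheres against the closed form.
# Assumptions: q = 2, m = 4; F_16 elements are 4-bit ints in the polynomial
# basis beta = (1, a, a^2, a^3), so phi_beta(x_i) is the bit vector of x_i.
from itertools import product
from typing import FrozenSet, List

Q = 2  # base field size
M = 4  # extension degree: F_{q^m} = F_16


def f2_span_basis(vectors: List[int]) -> List[int]:
    """Basis over F_2 of the span of bit-vectors stored as ints.

    XOR-basis elimination: the basis is kept in decreasing order of leading
    bit; each incoming vector is reduced by every basis element and kept if
    it is still nonzero.  len(result) is the F_2-dimension of the span."""
    basis: List[int] = []
    for v in vectors:
        for b in basis:            # decreasing leading bits, so min(v, v^b)
            v = min(v, v ^ b)      # clears b's leading bit from v if set
        if v:
            basis.append(v)
            basis.sort(reverse=True)
    return basis


def phi_beta(x: List[int]) -> List[List[int]]:
    """The m x n matrix over F_2 whose column i is the beta-coordinates of x_i."""
    return [[(xi >> row) & 1 for xi in x] for row in range(M)]


def rank_weight(x: List[int]) -> int:
    """wt_R(x) = Rank(phi_beta(x)), computed as the rank of the matrix rows."""
    rows = [sum(bit << j for j, bit in enumerate(row)) for row in phi_beta(x)]
    return len(f2_span_basis(rows))


def rank_distance(x: List[int], y: List[int]) -> int:
    """d_R(x, y) = wt_R(x - y); in characteristic 2 subtraction is XOR."""
    return rank_weight([xi ^ yi for xi, yi in zip(x, y)])


def support(x: List[int]) -> FrozenSet[int]:
    """Supp(x) = <x_1, ..., x_n>_{F_2}, returned as the set of its elements.
    Its F_2-dimension equals wt_R(x) (column rank = row rank)."""
    elems = {0}
    for b in f2_span_basis(x):
        elems |= {e ^ b for e in elems}
    return frozenset(elems)


def hamming_weight(x: List[int]) -> int:
    return sum(1 for xi in x if xi)


def sphere_size_bruteforce(n: int, t: int) -> int:
    """Number of x in F_{q^m}^n with wt_R(x) = t, by enumeration (tiny n only)."""
    return sum(1 for x in product(range(Q ** M), repeat=n) if rank_weight(x) == t)


def sphere_size_formula(n: int, t: int) -> int:
    """Number of m x n matrices of rank t over F_q:
       prod_{i<t} (q^m - q^i)(q^n - q^i) / (q^t - q^i)."""
    num = den = 1
    for i in range(t):
        num *= (Q ** M - Q ** i) * (Q ** n - Q ** i)
        den *= Q ** t - Q ** i
    assert num % den == 0
    return num // den


if __name__ == "__main__":
    # Constructed sample words in F_16^5 (each entry is a 4-bit int).
    x = [0b0011] * 5       # Hamming weight 5, but all coordinates equal
    y = [1, 2, 4, 8, 3]    # coordinates span all of F_16
    print("wt_H(x) =", hamming_weight(x), " wt_R(x) =", rank_weight(x))  # 5, 1
    print("wt_H(y) =", hamming_weight(y), " wt_R(y) =", rank_weight(y))  # 5, 4
    print("Supp(x) =", sorted(support(x)))                                  # [0, 3]
    print("d_R(x, y) =", rank_distance(x, y))                               # 4
    for t in range(4):     # spheres in F_16^3: 1 + 105 + 1470 + 2520 = 4096
        print(f"|S_{t}| in F_16^3: brute force {sphere_size_bruteforce(3, t)},"
              f" formula {sphere_size_formula(3, t)}")
```

The word `x` shows why the two metrics differ: its Hamming weight is the full length, but every coordinate lies in the one-dimensional $\mathbb{F}_2$-space $\{0, 3\}$, so its rank weight is 1. In general $\mathrm{wt}_R(x) \le \min(m, \mathrm{wt}_H(x))$, which is why rank-metric sphere sizes, and hence the GV bound and generic decoding cost, behave so differently from the Hamming case.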
CASE STUDY: NIST SUBMISSIONS
ROLLO: merge of 3 slightly different proposals on QC-LRPC codes.
LAKE: rank-Niederreiter, ≈ BIKE-2.
LOCKER: PKE version of LAKE.
Rank-Ouroboros: rank version of Ouroboros (BIKE-3).
RQC: based on random codes, ≈ HQC.
Advantage: higher attack complexity $O\big((n-k)^3 m^3 q^{\,t\lceil (k+1)m/n \rceil - m}\big)$.
Choose much smaller parameters, get smaller sizes.
No DFR for RQC.
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 21 / 27
RANK METRIC PARAMETERS
ROLLO: a large number of parameter sets, not easy to read through, some info missing. We chose Rank-Ouroboros here.
Rank-Ouroboros parameters (bytes):
q    m    p   t   PK Size   SK Size   Ciph Size   Security
2  127   67   8     2,128     2,128       2,128          5
2  101   59   8     1,490     1,490       1,490          3
2   89   53   6     1,180     1,180       1,180          1
DFR for the above parameters ($2^{-36}$, $2^{-42}$) is still not low enough for e.g. IND-CCA security.
RQC parameters (bytes):
q    m    p   t   PK Size   SK Size   Ciph Size   Security
2  139  101   8     3,510     3,510       3,574          5
2  113   97   7     2,741     2,741       2,805          3
2   89   67   6     1,491     1,491       1,555          1
Sizes can be further compressed using seed expanders (also in other schemes).
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 22 / 27
CONSIDERATIONS
Sizes: very promising.
Speed: a little behind other code-based schemes.
Cryptanalysis: a lot behind.
At least 25 publications on ISD and its improvements (see the Classic McEliece document).
Only a handful on the rank metric (Ourivski, Johansson, ’02; Gaborit, Ruatta, Schrek, ’16; Aragon, Gaborit, Hauteville, Tillich, ’18).
Several aspects and details unclear or unexplored.
More investigation needed.
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 23 / 27
Part IV
CONCLUSIONS
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 24 / 27
CONCLUSIONS
Code-based cryptography is a prominent candidate for standardization.
Several distinctive strengths (and a few well-known drawbacks).
Suitable for KEM: key exchange + encryption.
NIST has identified three macro-areas, each with its own pros/cons:
Conservative (binary Goppa, no structure)
Sparse-matrix (LDPC/MDPC, QC structure... for now)
Rank metric (LRPC, QC structure)
HQC/RQC: theoretical security advantage (CCA).
Round 2: protocol refinements, re-parametrizations, new/improved implementations.
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 25 / 27
![Page 117: Code-based Cryptography: State of the Art - Part II · Need families of codes with particularautomorphism group. EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 4](https://reader034.vdocuments.site/reader034/viewer/2022050504/5f96023366781e63d40a02a1/html5/thumbnails/117.jpg)
CONCLUSIONS
Code-based cryptography is prominent candidate for standardization.
Several distinctive strengths (and few well-known drawbacks).
Suitable for KEM: key exchange + encryption.
NIST has identified three macro-areas, each with their own pros/cons:
Conservative (binary Goppa, no structure)Sparse-matrix (LDPC/MDPC, QC structure...for now)Rank metric (LRPC, QC structure)
HQC/RQC: theoretical security advantage (CCA).
Round 2: protocol refinements, re-parametrizations, new/improvedimplementations.
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 25 / 27
![Page 125: Code-based Cryptography: State of the Art - Part II · Need families of codes with particularautomorphism group. EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 4](https://reader034.vdocuments.site/reader034/viewer/2022050504/5f96023366781e63d40a02a1/html5/thumbnails/125.jpg)
FOLLOW THE NIST COMPETITION
FAU has been funded by NIST for PQC project.
Detailed competition wiki/database.
Will include parameters, sizes, security assumptions, etc. + challenges.
“Living” resource with external contributions.
Work in progress, first draft nearly ready - stay tuned!
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 26 / 27
![Page 130: Code-based Cryptography: State of the Art - Part II · Need families of codes with particularautomorphism group. EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 4](https://reader034.vdocuments.site/reader034/viewer/2022050504/5f96023366781e63d40a02a1/html5/thumbnails/130.jpg)
Thank you
EDOARDO PERSICHETTI FLORIDA ATLANTIC UNIVERSITY 19 MARCH 2019 27 / 27