Olivier Ruatta
University of Limoges
Publication
Featured research published by Olivier Ruatta.
IEEE Transactions on Information Theory | 2016
Philippe Gaborit; Olivier Ruatta; Julien Schrek
In this paper, we propose two new generic attacks on the rank syndrome decoding (RSD) problem. Let C be a random [n, k] rank code over $GF(q^m)$ and let y = x + e be a received word, such that x ∈ C and rank(e) = r. The first attack, the support attack, is combinatorial and permits to recover an error e of rank weight r in $\min\left(O\left((n-k)^3 m^3 q^{r\lfloor km/n \rfloor}\right),\ O\left((n-k)^3 m^3 q^{(r-1)\lfloor (k+1)m/n \rfloor}\right)\right)$ operations on GF(q). This new attack improves the exponent for the best generic attack for the RSD problem in the case n > m, by introducing the ratio m/n in the exponential coefficient of the previously best known attacks. The second attack, the annulator polynomial attack, is an algebraic attack based on the theory of q-polynomials introduced by Ore. We propose a new algebraic setting for the RSD problem that permits to consider equations and unknowns in the extension field $GF(q^m)$ rather than in GF(q) as it is usually the case. We consider two approaches to solve the problem in this new setting. The linearization technique shows that if n ≥ (k + 1)(r + 1) - 1 the RSD problem can be solved in polynomial time. More generally, we prove that if $\lceil ((r+1)(k+1)-(n+1))/r \rceil \le k$, the RSD problem can be solved with an average complexity of $O\left(r^3 k^3 q^{r\lceil ((r+1)(k+1)-(n+1))/r \rceil}\right)$ operations in the base field GF(q). We also consider solving with Gröbner bases for which we discuss theoretical complexity, we also consider hybrid solving with Gröbner bases on practical parameters. As an example of application, we use our new attacks on all recent cryptosystems parameters, which repair the GPT cryptosystem, we break all examples of published proposed parameters, and some parameters are broken in less than 1 s in certain cases.
PQCrypto'10 Proceedings of the Third international conference on Post-Quantum Cryptography | 2010
Delphine Boucher; Philippe Gaborit; Willi Geiselmann; Olivier Ruatta; Felix Ulmer
In this paper we introduce a new key exchange algorithm (Diffie-Hellman like) based on so called (non-commutative) skew polynomials. The algorithm performs only polynomial multiplications in a special small field and is very efficient. The security of the scheme can be interpreted in terms of solving binary quadratic equations or exhaustive search of a set obtained through linear equations. We give an evaluation of the security in terms of precise experimental heuristics and usual bounds based on Groebner basis solvers. We also derive an El Gamal like encryption protocol. We propose parameters which give 3600 bits exchanged for the key exchange protocol and a size of key of 3600 bits for the encryption protocol, with a complexity of roughly $2^{23}$ binary operations for performing each protocol. Overall this new approach based on skew polynomials seems very promising, as a good tradeoff between size of keys and efficiency.
arXiv: Cryptography and Security | 2014
Philippe Gaborit; Olivier Ruatta; Julien Schrek; Gilles Zémor
In this paper we propose a new approach to code-based signatures that makes use in particular of rank metric codes. When the classical approach consists in finding the unique preimage of a syndrome through a decoding algorithm, we propose to introduce the notion of mixed decoding of erasures and errors for building signature schemes. In that case the difficult problem becomes, as is the case in lattice-based cryptography, finding a preimage of weight above the Gilbert-Varshamov bound (case where many solutions occur) rather than finding a unique preimage of weight below the Gilbert-Varshamov bound. The paper describes RankSign: a new signature algorithm for the rank metric based on a new mixed algorithm for decoding erasures and errors for the recently introduced Low Rank Parity Check (LRPC) codes. We explain how it is possible (depending on choices of parameters) to obtain a full decoding algorithm which is able to find a preimage of reasonable rank weight for any random syndrome with a very strong probability. We study the semantic security of our signature algorithm and show how it is possible to reduce the unforgeability to direct attacks on the public matrix, so that no information leaks through signatures. Finally, we give several examples of parameters for our scheme, some of which with public key of size 11,520 bits and signature of size 1728 bits. Moreover the scheme can be very fast for small base fields.
SIAM Journal on Computing | 2003
Bernard Mourrain; Victor Y. Pan; Olivier Ruatta
international conference on cryptology in africa | 2014
Philippe Gaborit; Olivier Ruatta; Julien Schrek; Gilles Zémor
Journal of Symbolic Computation | 2012
Daouda Niang Diatta; Bernard Mourrain; Olivier Ruatta
international symposium on power line communications and its applications | 2015
Abraham Wendyida Kabore; Vahid Meghdadi; Jean-Pierre Cances; Philippe Gaborit; Olivier Ruatta
Theoretical Computer Science | 2015
Olivier Ruatta; Mark Sciabica; Agnes Szanto
We propose new Las Vegas randomized algorithms for the solution of a square nondegenerate system of equations, with well-separated roots. The algorithms use $\Oc (\delta\, \csttn D^{2} \log(D) \log(b))$ arithmetic operations (in addition to the operations required to compute the normal form of the boundary monomials modulo the ideal) to approximate all real roots of the system as well as all roots lying in a fixed n-dimensional box or disc. Here D is an upper bound on the number of all complex roots of the system (e.g., Bezout or Bernshtein bound),
international symposium on information theory | 2006
Philippe Gaborit; Olivier Ruatta
international symposium on information theory | 2006
Philippe Gaborit; Olivier Ruatta
Collaboration
French Institute for Research in Computer Science and Automation