Dual-Ouroboros: An improvement of the McNie scheme

McNie [8] is a code-based public key encryption scheme submitted as a candidate to the NIST Post-Quantum Cryptography standardization [10]. In this paper, we present Dual-Ouroboros, an improvement of McNie which can be seen as a dual version of the Ouroboros-R protocol [1], another candidate to the NIST competition. This improved protocol, first, avoids an attack proposed by Gaborit [7] and, second, benefits from a security reduction to a standard problem (as the original Ouroboros protocol does).


Introduction
McNie [8] is a code-based public key encryption scheme based on the McEliece and Niederreiter cryptosystems. It was designed to be secure against known structural attacks on code-based cryptosystems. A random generator matrix is used as part of the public key which does not give any information on the private key. This random matrix is also used to mask the private key so the result is a more random matrix, rather than a parity check matrix of an equivalent code.
However, Gaborit [7] suggested a message-recovery attack which reduced the size of the random matrix. Based on this attack and on an improvement of the complexity of ISD on rank-metric codes [2], the security level of McNie decreased by almost a factor of 2. Therefore, it is desirable to modify McNie in order to avoid Gaborit's message-recovery attack. A natural way to improve the McNie protocol is to use the same type of approach as the Ouroboros-R protocol [1]. This approach leads naturally to Dual-Ouroboros, a dual version of Ouroboros-R. Most importantly, such a protocol benefits, like the original Ouroboros protocol, from the same type of security reduction to a standard problem based on decoding random quasi-cyclic codes, which was not the case for McNie. Overall this dual version leads to a protocol with a longer ciphertext but with a greater encryption rate. This short paper describes the protocol; the proofs, not detailed here, follow from the Ouroboros approach.

Preliminaries
We begin by setting up necessary definitions in order to understand rank metric codes. The following definition gives rise to the notion of the rank metric. We use bold lowercase and capital letters to denote vectors and matrices, respectively.
The rank distance between $\mathbf{u}$ and $\mathbf{v}$ is the rank weight of their difference. Rank metric codes are codes defined in the classical way, using the rank metric. An interesting class of rank metric codes is defined as follows.
Definition 2.2. A Low Rank Parity Check (LRPC) code of rank $d$ is an $[n, k]$ code over $\mathbb{F}_{q^m}$ which admits a parity check matrix $H = (h_{ij})$ of size $(n-k) \times n$ such that the sub-vector space of $\mathbb{F}_{q^m}$ generated by its coefficients $h_{ij}$ is of dimension $d$. We call a matrix of this form a homogeneous matrix of weight $d$.
To decode an LRPC code, first recover the support of the error vector and then solve a linear system in order to recover its coordinates [5]. An algorithm to recover the support, called the QCRS-Recover algorithm, was presented in [1]. The crucial point for this to work is that a homogeneous parity check matrix of the LRPC code is known. This algorithm is based on the original LRPC decoding algorithm and is designed to run in constant time.

2.1. The McNie public key encryption. Similar to McEliece and Niederreiter, McNie is a general public-key encryption scheme using any error-correcting code. In the NIST submission, rank metric codes are used, in particular LRPC codes.
The key generation, encryption and decryption steps for the McNie public key encryption are described as follows.
• Key Generation: Pick a random $l \times n$ generator matrix $G$ over $\mathbb{F}_{q^m}$ and generate a parity check matrix $H$ for an $[n, k]$ linear code over $\mathbb{F}_{q^m}$ with an efficient decoding algorithm $\Phi_H$ which can correct errors of rank weight up to $r$. Generate an $n \times n$ isometry matrix $P$ (an invertible matrix over $\mathbb{F}_q$) and an $(n-k) \times (n-k)$ invertible matrix $S$ over $\mathbb{F}_{q^m}$. Return the public key $pk = (G, F = G P^{-1} H^{T} S)$ and the secret key $sk = (P, H, S, \Phi_H)$.
• Encryption: Pick a random vector $e$ of rank weight $r$. A message $m$ is then encrypted as $\mathrm{Enc}(m) = (c_1, c_2)$ where $c_1 = mG + e$ and $c_2 = mF$.
• Decryption: Compute $c_1 P^{-1} H^{T} - c_2 S^{-1} = e P^{-1} H^{T}$, the syndrome of $e P^{-1}$. Applying the decoding algorithm $\Phi_H$ we obtain $e P^{-1}$, and multiplying by $P$ gives the error vector $e$. Finally, $m$ is recovered by solving the system $mG = c_1 - e$.

2.2. Ouroboros-R. Another submission to the NIST called Ouroboros-R [1] is a key encapsulation mechanism that also uses rank metric codes. The cryptosystem is described as follows.
• Key Generation: Pick a vector $h \in \mathbb{F}_{q^m}^{n}$ and generate a random vector $(x, y) \in \mathbb{F}_{q^m}^{2n}$ of rank weight $w$ whose support contains $1$. All vectors can be seen as elements of $\mathbb{F}_{q^m}[X]/(X^n - 1)$. Let $s = x + hy$. Return the public key $pk = (h, s)$ and the secret key $sk = (x, y)$.
• Encapsulation: Pick a random vector $(r_1, r_2, e_r) \in \mathbb{F}_{q^m}^{3n}$ of rank weight $w_r$ (similar to the Hamming version in Ouroboros [4]). Let $E = \mathrm{Supp}(r_1, r_2, e_r)$, $s_r = r_1 + h r_2$ and $s_e = s r_2 + e_r$. Compute $K = \mathrm{Hash}(E)$ (with a standard hash algorithm, e.g. SHA2) and return the ciphertext $c = (s_r, s_e)$.
• Decapsulation: Let $e_c = s_e - y s_r = e_r + x r_2 - y r_1$. Apply the QCRS-Recover algorithm to recover $E$ and then finally obtain $K = \mathrm{Hash}(E)$.

The Dual-Ouroboros public key cryptosystem
There was a message recovery attack proposed by Gaborit [7] on the McNie cryptosystem that significantly reduced the security of the originally suggested parameters. To avoid this attack, we modify the encryption algorithm by introducing an error $e_2$ on $c_2$. As a consequence, the key generation and the decryption algorithms are also modified.
3.1. Dual-Ouroboros from a modified McNie. With these modifications, the cryptosystem is a non-cyclic dual version of the Ouroboros-R cryptosystem [1]. The detailed key generation, encryption and decryption steps are as follows.

Key Generation
Let $H$ be a parity check matrix of an $[n, k]$ LRPC code over $\mathbb{F}_{q^m}$. It is important to remark that $H' = [H \mid I_{n-k}]$ is still a parity check matrix of an LRPC code. Let $\Phi_{H'}$ be an efficient decoding algorithm using $H'$, which can correct errors of weight up to $r$. Generate a random generator matrix $G$ for an $[n, l]$ linear code and a random isometric matrix $P$. Compute $F = G P^{-1} H^{T}$. Let $\mathcal{H}$ be a hash function from $\mathbb{F}_{q^m}^{2n-k}$ to $\mathbb{F}_{q^m}^{l}$, modeled as a random oracle.

Encryption
Generate random vectors $e_1 \in \mathbb{F}_{q^m}^{n}$ and $e_2 \in \mathbb{F}_{q^m}^{n-k}$ such that $e = (e_1, e_2)$ has rank weight $r$. Let $m' = m + \mathcal{H}(e)$. Compute $c_1 = m' G + e_1$ and $c_2 = m' F + e_2$.
The message $m \in \mathbb{F}_{q^m}^{l}$ is encrypted as $\mathrm{Enc}(m) = (c_1, c_2)$.

Decryption
Suppose the vector $y = (c_1, c_2)$ is received. Compute
$$c_1 P^{-1} H^{T} - c_2 = e_1 P^{-1} H^{T} - e_2 = e' H'^{T}, \qquad e' = (e_1 P^{-1}, -e_2).$$
Since $e'$ is of weight $r$, the decoding algorithm $\Phi_{H'}$ can be applied to obtain $(e_1', -e_2)$; then apply the isometry $P$ to $e_1' = e_1 P^{-1}$ to obtain $e_1$. Finally, solve the system $m' G = c_1 - e_1$ to recover $m'$ and subtract $\mathcal{H}(e)$ to retrieve $m$.

3.2. Security. The following are considered hard problems in rank metric.
Problem 1. Decisional Rank Syndrome Decoding [6]. Let $H$ be an $(n-k) \times n$ matrix over $\mathbb{F}_{q^m}$ with $k \le n$, $s \in \mathbb{F}_{q^m}^{n-k}$ and $r$ an integer. Distinguish the distribution $(H, s)$ where $s$ is of the form $H e^{T}$ with $\mathrm{rankwt}(e) = r$ from the distribution $(H, x)$ where $x$ is a random vector of $\mathbb{F}_{q^m}^{n-k}$.
Problem 2. Decisional Rank Support Learning [6]. Given the generator matrix $G$ of a random $[n, l]$ code over $\mathbb{F}_{q^m}$, distinguish the matrix $F = G H^{T}$ where $H$ is an $(n-k) \times n$ homogeneous matrix of weight $d$ from a random matrix $R$ over $\mathbb{F}_{q^m}$ of size $l \times (n-k)$.
Remark: In the case where both $G$ and $H$ are quasi-cyclic, the DRSL problem becomes the Quasi-Cyclic Rank Syndrome Decoding problem [1].
Proof. To prove this theorem, we proceed by a sequence of games.
• $G_0$: in this game, we use the real scheme. Thus we have $(c_1, c_2) = m' [G \mid F] + (e_1 \mid e_2)$ with $F = G H^{T}$.
• $G_1$: we replace $F$ by a random matrix $R$ and $c_2$ by $c_2' = m' R + e_2$. Thus, to distinguish these two games, an adversary has to solve an instance of DRSL.
• $G_2$: we replace $c_1$ by a random vector $x$. By adding $\mathcal{H}(e)$ to $m$, the vector $m'$ is perfectly random. Thus an adversary has to distinguish a noisy random codeword $c_1$ from a random vector $x$. By multiplying these vectors by a parity-check matrix of the code generated by $G$, this problem is equivalent to the DRSD problem. Hence to distinguish $G_2$ from $G_1$, an adversary has to solve an instance of DRSD.
In the last game, the ciphertext and the public key are truly random. Thus the advantage in distinguishing a ciphertext of Dual-Ouroboros is bounded by the sum of the advantages against the DRSD and the DRSL problems.
3.3. Dual-Ouroboros KEM. The previous cryptosystem can easily be adapted to a KEM. The key generation step is the same as described in Section 3.1, and so we have the same public and private keys.
For the encapsulation step, pick vectors $r \in \mathbb{F}_{q^m}^{l}$, $e_1 \in \mathbb{F}_{q^m}^{n}$ and $e_2 \in \mathbb{F}_{q^m}^{n-k}$ such that $e = (e_1, e_2)$ has weight $r$. Let $E = \mathrm{Supp}(e)$, i.e., $E$ is the $\mathbb{F}_q$-subspace of $\mathbb{F}_{q^m}$ generated by the coordinates of $e$. Compute $c_1 = rG + e_1$ and $c_2 = rF + e_2$. The encapsulation is $c = (c_1, c_2)$ and the shared key is $K = \mathrm{Hash}(E)$.
Decapsulation is the same as the decryption step in Section 3.1 except that only the support $E$ of the vector $e$ is needed to recover the shared key $K$.
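The following Python program is an added, self-contained example (not the authors' code, nor the NIST submission) that exercises three passages at once: the rank weight and support of the Preliminaries, the decapsulation syndrome identity $c_1 P^{-1} H^{T} - c_2 = e' H'^{T}$ of Section 3.1, and the KEM of Section 3.3. It uses toy parameters and several assumptions: arithmetic in $\mathbb{F}_{2^{16}}$ with an assumed irreducible modulus, $P$ taken as a coordinate permutation (the simplest $\mathbb{F}_2$-isometry), $G$ in systematic form $[I_l \mid G_1]$ as in the suggested parameters, the support of $H$ chosen to contain $1$ so that $H' = [H \mid I_{n-k}]$ keeps rank $d$, and $\mathrm{Hash}(E)$ computed over the canonical reduced basis of $E$. Decapsulation performs only the LRPC support-recovery step ($E = \bigcap_i f_i^{-1} S$, the first step of the decoder of [5]), which is all the KEM needs, and returns `None` on a decoding failure; all function names and sizes are this example's own.

```python
# Constructed toy example, not the authors' implementation; parameters are illustrative only.
import hashlib
import random
from functools import reduce
from operator import xor

M = 16                   # elements of F_{2^M} are ints below 2**M; bit i is the coefficient of x^i
POLY = 0x1100B           # x^16 + x^12 + x^3 + x + 1, irreducible over F_2 (assumed toy modulus)
N, K, L, R = 24, 8, 8, 2 # [N, K] LRPC code (H is (N-K) x N), G is L x N, error rank weight R

def gf_mul(a, b):
    """Multiply in F_{2^M}: carry-less product reduced modulo POLY."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a <<= 1
        if a >> M:
            a ^= POLY
        b >>= 1
    return acc

def gf_inv(a):
    result = 1  # a^(2^M - 2) = a^(2 + 4 + ... + 2^(M-1)) is the inverse of nonzero a
    for _ in range(M - 1):
        a = gf_mul(a, a)
        result = gf_mul(result, a)
    return result

def f2_basis(vecs):
    """Canonical reduced F_2-basis of the span: len(f2_basis(e)) = rankwt(e), the list is Supp(e)."""
    basis = {}  # pivot bit -> basis vector; each pivot bit occurs in exactly one vector
    for v in vecs:
        for p in sorted(basis, reverse=True):
            if v >> p & 1:
                v ^= basis[p]
        if v:
            p = v.bit_length() - 1
            for q in basis:
                if basis[q] >> p & 1:
                    basis[q] ^= v
            basis[p] = v
    return sorted(basis.values())

def span(basis):
    elems = {0}  # every element of the F_2-span of a (small) basis
    for b in basis:
        elems |= {x ^ b for x in elems}
    return elems

def vec_mat(v, mat):
    """Row vector times matrix over F_{2^M}; mat is a list of rows."""
    return [reduce(xor, (gf_mul(v[i], row[j]) for i, row in enumerate(mat)), 0) for j in range(len(mat[0]))]

def rand_in(basis, rng):
    """Random F_2-combination of a basis, i.e. an element supported in span(basis)."""
    return reduce(xor, (b for b in basis if rng.getrandbits(1)), 0)

def hash_support(vec):
    """K = Hash(E) for E = Supp(vec), hashed through the canonical basis of E."""
    return hashlib.sha256(",".join(map(str, f2_basis(vec))).encode()).hexdigest()

def keygen(rng):
    """sk = (H^T, P^{-1}, basis of Supp(H)), pk = (G, F = G P^{-1} H^T).
    Supp(H) contains 1, so H' = [H | I] is still homogeneous of rank 2."""
    f_basis = [1, rng.randrange(2, 1 << M)]
    HT = [[rand_in(f_basis, rng) for _ in range(N - K)] for _ in range(N)]  # the N rows of H^T
    pinv = list(range(N))  # assumption: P is a permutation matrix; v P^{-1} re-indexes v by pinv
    rng.shuffle(pinv)
    G = [[int(i == j) if j < L else rng.randrange(1 << M) for j in range(N)] for i in range(L)]
    F = [vec_mat([row[i] for i in pinv], HT) for row in G]  # rows of G P^{-1} H^T
    return (HT, pinv, f_basis), (G, F)

def encaps(pk, rng):
    """(c1, c2) = (rG + e1, rF + e2) with e = (e1, e2) of rank weight R; K = Hash(Supp(e))."""
    G, F = pk
    e_basis = rng.sample(range(1, 1 << M), R)  # distinct nonzero elements are independent for R = 2
    e = e_basis + [rand_in(e_basis, rng) for _ in range(2 * N - K - R)]  # rank weight exactly R
    e1, e2 = e[:N], e[N:]
    r = [rng.randrange(1 << M) for _ in range(L)]
    c1 = [a ^ b for a, b in zip(vec_mat(r, G), e1)]
    c2 = [a ^ b for a, b in zip(vec_mat(r, F), e2)]
    return (c1, c2), hash_support(e)

def decaps(sk, ct):
    """Syndrome c1 P^{-1} H^T - c2 = e' H'^T with e' = (e1 P^{-1}, -e2), whose support is Supp(e);
    recover it as the intersection of f^{-1} S over the basis of Supp(H) (LRPC support recovery)."""
    HT, pinv, f_basis = sk
    c1, c2 = ct
    s = [a ^ b for a, b in zip(vec_mat([c1[i] for i in pinv], HT), c2)]  # minus is xor in char. 2
    S = span(f2_basis(s))
    E = set.intersection(*({gf_mul(gf_inv(f), x) for x in S} for f in f_basis))
    E_basis = f2_basis(sorted(E))
    return hash_support(E_basis) if len(E_basis) == R else None  # None signals a decoding failure

def roundtrip(seed):
    """One seeded KEM run: True when decapsulation reproduces the encapsulated key."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    ct, key = encaps(pk, rng)
    return decaps(sk, ct) == key
```

Calling `roundtrip(seed)` over a range of seeds and counting the `False` results gives an empirical estimate of the decoding failure probability that the 'Failure' column of the parameter discussion refers to; with these toy sizes a failure needs the syndrome coordinates to miss a dimension of $E \cdot F$ or the intersection to contain more than $E$, both rare at $m = 16$. The syndrome line in `decaps` is where the added error $e_2$ matters: it is absorbed into $e' = (e_1 P^{-1}, -e_2)$ and decoded together with $e_1$ through $H' = [H \mid I_{n-k}]$, which is why the identity block of $H'$ must not enlarge the support of $H$.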
The comparison between Ouroboros-R and the Dual-Ouroboros presented in this paper is summarized in the following table.

                 Ouroboros-R                        Dual-Ouroboros
  public key     $h, s$                             $G, F$
  private key    $x, y \in \mathbb{F}_{q^m}^{N}$    $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$ a homogeneous matrix,
                                                    $P$: an $n \times n$ isometric matrix
  encryption     $s_r = r_2 h + r_1$                $c_1 = rG + e_1$
                 $s_e = r_2 s + e_r$                $c_2 = rF + e_2$

In the Ouroboros KEM [1], the public key $h$ and the private keys $x$ and $y$ are associated to $n \times n$ circulant matrices. If we take $n = 2N$, $P = I_n$, $G$ a parity-check matrix of the code generated by $[I_N \mid h]$ and $H^{T} = \begin{pmatrix} x \\ y \end{pmatrix}$, then Dual-Ouroboros is the dual non-cyclic version of Ouroboros-R.

Suggested parameters
In order to minimize the key sizes, we use circulant matrices for the keys. Let $G = [I_{n/2} \mid G_1]$ where $G_1$ is a block circulant matrix of size $n/2$. Also let $H = [H_1 \mid H_2]$ be a parity check matrix of an LRPC code of rank $d$, where $H_1$ and $H_2$ are circulant matrices of size $n/2$, and let $P$ be a block circulant matrix as well. Then we have $k = l = n/2$.
This results in a dual version of Ouroboros-R with the same key size but a longer ciphertext. Hence, we can use the same parameters suggested in [4]. The only difference is that instead of a ciphertext of size $2km$, we have a ciphertext of size $3km$.
Alternatively, we give in Table 1 some theoretical parameters for each of the 128-, 192- and 256-bit security levels. This illustrates the trade-off between key size and decryption failure probability, and how the parameters of Dual-Ouroboros can be scaled to prioritize either a low decryption failure probability or a small key size. The columns marked 'PK', 'SK' and 'CT' are the sizes of the public key, the secret key and the ciphertext, respectively, given in bytes. The column marked 'Failure' is the probability of failure in decoding the underlying LRPC code, given as a power of 2. The LRPC decoding algorithm was initially given in [5] and improved in [4].