LRPC codes with multiple syndromes: near ideal-size KEMs without ideals

TL;DR

This paper presents a new rank-based KEM with small key and ciphertext sizes, leveraging multiple syndromes in LRPC codes to improve security and efficiency without relying on ideal structures.

Contribution

It introduces a novel LRPC code-based KEM that uses multiple syndromes to reduce parameters and improve security, closing the gap between ideal and non-ideal constructions.

Findings

Achieves around 3.5 KB key and ciphertext sizes for 128-bit security.

Reduces parameters while maintaining acceptable decoding failure rates.

Provides a version with ideal structure for bandwidth reduction.

Abstract

We introduce a new rank-based key encapsulation mechanism (KEM) with public key and ciphertext sizes around 3.5 Kbytes each, for 128 bits of security, without using ideal structures. Such structures allow to compress objects, but give reductions to specific problems whose security is potentially weaker than for unstructured problems. To the best of our knowledge, our scheme improves in size all the existing unstructured post-quantum lattice or code-based algorithms such as FrodoKEM or Classic McEliece. Our technique, whose efficiency relies on properties of rank metric, is to build upon existing Low Rank Parity Check (LRPC) code-based KEMs and to send multiple syndromes in one ciphertext, allowing to reduce the parameters and still obtain an acceptable decoding failure rate. Our system relies on the hardness of the Rank Support Learning problem, a well-known variant of the Rank Syndrome Decoding problem. The gain on parameters is enough to significantly close the gap between ideal and non-ideal constructions. It enables to choose an error weight close to the rank Gilbert-Varshamov bound, which is a relatively harder zone for algebraic attacks. We also give a version of our KEM that keeps an ideal structure and permits to roughly divide the bandwidth by two compared to previous versions of LRPC KEMs submitted to the NIST with a Decoding Failure Rate (DFR) of $2^{-128}$.