WO2024018158A1 - Method for exchanging a secret which can withstand quantum computer attacks, and associated computer system and computer program - Google Patents

Abstract

The invention relates to a method (KEM) for transporting a secret which can withstand quantum computer attacks. Such a transport method (KEM) in accordance with the invention consists of respective methods for generating general parameters, generating secret and public keys, and encapsulating and decapsulating the secret to be transported. Such a method for transporting a secret is arranged to be implemented by a computer system (1) including a plurality of electronic devices (10-1, 10-2, 10-g) seeking to establish a secure communication channel, utilising the transported secret to establish a session key. The invention further relates to such a computer system (1) and to any computer program in which the program instructions, once written to the memories (14) of the plurality of electronic devices of the system (1), result in the implementation of a method (KEM) for transporting a secret according to the invention.

Description

METHOD FOR EXCHANGING A SECRET RESISTANT TO ATTACK BY QUANTUM COMPUTER, COMPUTER SYSTEM AND ASSOCIATED COMPUTER PROGRAM

The invention relates to the field of cryptology.

More specifically, the invention relates to methods of transporting a secret resistant to quantum computer attacks, such methods consisting of methods of parameter generation, key generation, key encapsulation (encryption) and decapsulation. (decryption) of encrypted keys. The invention further relates to any computer system comprising a plurality of electronic devices each comprising a central processing unit controlling a memory by signals, as well as an input unit and an output unit, implementing any one said methods of generating parameters, generating keys, encapsulating (encrypting) keys and decapsulating (decrypting) encrypted keys. One of the preferred fields of application of such an invention concerns secure communications between electronic devices of such a computer system, the latter using a key or more generally a secret exchanged via an insecure and tamper-resistant communication channel. quantum computer attacks through the implementation of said methods of parameter generation, key generation, key encapsulation (encryption) and decapsulation (decryption) of keys encrypted by said computer system.

The clear description of the invention requires the introduction of notations as well as the reminder of the following concepts known to those skilled in the art:

- “public key cryptography”;

- “post-quantum cryptography”;

- the “backpack problem (also referred to by the acronym SàD)”;

- the use of the “LLL” algorithm in order to distribute the information;

- “key encapsulation mechanisms” also referred to by the acronym “KEM”. Unless otherwise specified, lowercase letters with an arrow denote vectors. For example x ^lni designates a vector of n elements

Scalar operations on vectors must be interpreted as acting on the components of the vectors. For example, the elements of the vector

_mo dc are defined by the relation y _t = axt + b mod c while the elements of are z _t =

x _t mod y _t for i = 1, ..., n.

The usual scalar product will be noted

The operator “•” involving vectors of dimension greater than 1 will be noted

{x ₁ , ..., x _n } is an n-coordinate vector and is a t-coordinate vector each having n coordinates, namely

Other common and useful notations used in this document are given in the following table:

The invention belongs to the category of asymmetric cryptographic methods also known as “public key cryptographic methods”.

These are algorithms and protocols allowing secure communication between the entity which encrypts the message, known as the sender and generally designated by the reference S in this document, and the entity which decrypts it, known as the recipient and generally designated by the reference R in this document. Initially R and S do not share a common secret key.

Asymmetric cryptography defines two keys: a public key pk known to everyone and a private key sk kept confidential by the recipient R.

The encryption algorithm f is assumed to be accessible to all potential senders S wishing to communicate with the recipient R.

The ^-1 decryption algorithm is also assumed to be accessible to everyone and public.

A computer program whose program instructions cause the implementation of the algorithms / and ^-1 by any computer or electronic device arranged to store said computer program in a memory, can be published without fear for the security of said communication. Thus, any entity S wishing to send a message m in an encrypted manner to a specific recipient R can use the public key pk of the recipient R in order to create an encrypted c for R. Only R will be capable of decrypting c.

In a public key encryption algorithm, the sender S encrypts the message m using said encryption algorithm f to obtain an encrypted c = /(pk, m), using said public key pk of said recipient R. Conversely, the recipient R of the message m decrypts the encrypted c by applying said decryption algorithm ^-1 . The latter / ^-1 is such that m = where sk is the secret key linked to the public key pk held by

said recipient R.

Said public keys pk and secret sk are generated using a probabilistic algorithm called “parameter generation algorithm” and a probabilistic algorithm called “key generation algorithm” which will be discussed later. Sometimes, and this is the case in the present invention, the parameter generation and key generation algorithms are merged into a single algorithm.

Thus, the fundamental identity of asymmetric encryption is m = / ^-1 (sk,/(pk, m)).

For example, a famous/public key encryption algorithm is the so-called RSA algorithm described in U.S. Patent 4,405,829 and in the associated publication R. L. Rivest, A. Shamir, and L. M. Adleman, “A Method for Obtaining Digital Signatures and Public -key CryptoSystems”, Communications of the ACM, volume 21, no. 2, pages 120 to 126, 1978.

Algorithms using elliptic curves are also known (for example as disclosed in the article N. Koblitz, “Elliptic-Curve Cryptosystems”, Mathematics of Computation, volume n° 48, pages 203 to 209, 1987, or the article by V. Miller entitled “Use of Elliptic Curves in Cryptography”, CRYPTO 85, 1985) or the Diffie-Hellman key exchange described in American patent US 4,200,770. These algorithms have the disadvantage of requiring very heavy modular calculations but they have especially the disadvantage of not resisting attacks carried out using a new type of equipment: quantum computers.

Quantum computing emerged in the early 1980s. Rather than being confined to the limits of electronic circuits and electricity, quantum computing operates according to the principles of quantum physics, which is why it is capable of deal so effectively with very complex mathematical problems. It could one day achieve feats that traditional computing simply proves incapable of. The evolution of quantum computers has been slow, but things are now accelerating thanks to the efforts of academics and industries aimed at standardizing encryption processes resistant to quantum attacks.

Most current public key encryption techniques are based on algorithms that integrate difficult problems from number theory, such as factorization or the calculation of the discrete logarithm. Designed in 1976, the previously mentioned RSA encryption constitutes the precursor of almost all modern encryption schemes, according to which each recipient R has a public key pk and a private key sk. To send a confidential message to this recipient R, the data m of said message are encoded in the form of a large integer and scrambled using the public key pk corresponding to the private key sk held by said recipient R to whom the sender S wishes to communicate said message m, to form an encrypted c. The recipient R who receives said encrypted c can then decrypt the latter using his private key sk. In RSA encryption, the public key pk is in the form of a large composite number n, and an exponent e, often equal to three. The private key sk is characterized by the prime factors of n.

Thanks to specific algorithms known to those skilled in the art (such as, for example, the Schor algorithm described in the document PW Schor (1994). “Algorithms for quantum computation: discrete logarithms and factoring”. Proceedings 35th Annual Symposium on Foundations of Computer Science. IEEE Comput. Soc. Press: pp. 124-134), a quantum computer having enough q-bits (“quantum bits”) could factor large numbers. In the context of RSA encryption, an adversary possessing a quantum computer could start from a public key pk, factor n in order to obtain the private key sk and thus read the content of any encrypted c. This ability to factor numbers virtually wipes out the entirety of modern cryptography. The repercussions of this attack tool are considerable, because in the context of the Internet, the omnipresent security in the way we communicate and share information online is based on public key encryption.

So, if an adversary managed to have a quantum computer, it could theoretically cause total chaos. It could create encryption certificates and impersonate a bank to steal funds, disrupt cryptocurrency technology, break into digital wallets, and spy on and decrypt confidential communications. .

An encryption algorithm capable of resisting an adversary equipped with a quantum computer belongs to the category of “post-quantum algorithms”.

Thus, an important objective of the present invention is to provide a post-quantum encryption method which is resistant to attacks carried out using quantum computers.

It is intellectually attractive to base a public key cryptography algorithm on the so-called “knapsack problem” hereinafter referred to by the acronym SàD. Indeed, this problem is considered very difficult to solve. It is part of the class of most difficult problems to solve with a computer: NP-complete problems. Schematically, such a problem virtually amounts to choosing objects from a plurality of objects of possibly distinct weight to fill a backpack so that the latter is of a determined weight once loaded. In its most basic form called “decisional”, the SàD problem consists of saying whether a target integer b can be expressed as the sum of a subset of a given set of integers A = {a _lt . .. , a _n e N ⁿ .

In other words, given as inputs a set of positive integers A and a target be N, the decision-making SàD problem consists of saying whether or not there exists a sequence of bits

... , x _n } satisfactory

= b.

Despite its apparent simplicity, the SàD decision problem is NP-complete as explained in the document M. R. Garey and D. S. Johnson, “Computers and Intractability: A Guide to the Theory of NP-Completeness”, W. H. Freeman, 1979, ISBN 0-7167 -1044-7. This property makes the SàD problem particularly interesting for cryptographic constructions.

Indeed, prior art in cryptography used SàD for such purposes.

The SàD problem also exists in a so-called “computational” version which consists not only of saying whether there exists a sequence of bits {x ₁ , ..., x _n } but also of finding (discovering) it explicitly.

Historically, Merkle and Hellman proposed (cf. M. R. Garey and D. S. Johnson, “Computers and Intractability: A Guide to the Theory of NP-Completeness”, W. H. Freeman, 1979, ISBN 0-7167-1044-7) one of the first cryptosystems based on the computational SàD problem. Several other SàD-based cryptosystems were proposed for decades but, unfortunately, many of these cryptosystems were broken, as explained in the document A.M. Odlyzko, “The rise and fall of knapsack cryptosystems”, Cryptology and computational number theory, vol. . 42, pp. 75-88, 1990.

Indeed, while random instances of the SàD problem are difficult to solve, the need to be able to decipher (that is to say, to reverse the summation process) forces designers to introduce structures into the SàDs thus used. specific mathematics. It is the introduction of these specific structures, which differentiates cryptographic SàDs from random SàDs, which ultimately made it possible to break them. A very important parameter allowing you to control the difficulty of solving a SàD instance is its density. Density is defined as the ratio A between n and the size of the largest of α _i . More precisely, Δ can be denoted

When A < 0.94, there are fast algorithms, called “in polynomial time”, making it possible to solve the SàD, see the document M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C-P. Schnorr and J. Stern, “Improved Low-Density Subset Sum Algorithms, Computational Complexity,” vol. 2, pp. 111-128, 1992.

In particular, random instances of SàD can be reformulated as a problem of approximating the shortest vector in a network as stipulated in the documents of J. C. Lagarias and A.M. Odlyzko, “Solving Low-Density Subset Sum Problems”, J. ACM, flight. 32, no. 1, pp. 229-246, 1985” and A.M. Frieze, “On the Lagarias-Odlyzko Algorithm for the Subset Sum Problem”, SIAM J. Comput., vol. 15, no. 2, pp. 536--539, 1986. When the density is low (A < 0.94, as explained in the document by M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C-P. Schnorr and J. Stern, “Improved Low-Density Subset Sum Algorithms, Computational Complexity", vol. 2, pp. 111 -128, 1992), efficient algorithms finding such short vectors exist. These algorithms then make it possible to solve the SàD, as explained in various documents including:

- V. Lyubashevsky, “The Parity Problem in the Presence of Noise, Decoding Random Linear Codes, and the Subset Sum Problem, Approximation, Randomization and Combinatorial Optimization, Algorithms and Techniques”, 8th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX 2005 and 9th International Workshop on Randomization and Computation, RANDOM 2005, Berkeley, CA, USA, August 22-24, 2005, Proceedings, pp. 378-389, 2005; - Y. Desmedt, “Knapsack Cryptographic Schemes”, Encyclopedia of Cryptography and Security, 2nd Ed, pp. 695-704, 2011;

- E.F. Brickell, “Solving Low Density Knapsacks”, Advances in Cryptology, Proceedings of CRYPTO'83, Santa Barbara, California, USA, August 21 -24, 1983, pp. 25-37, 1983.

Since densities A greater than 1 do not guarantee that there is a unique solution to the SàD problem, the range of densities usable for the construction of SàDs which are both invertible and high density lies in the range of relatively reduced values 0.94 < A < 1 (cf. R. Impagliazzo and M. Naor, “Efficient Cryptographie Schemes Provably as Secure as Subset Sum”, J. Cryptology, vol. 9, n° 4, pp. 199-216, 1996 ). This interval leaves little latitude for the design of cryptosystems but presents an advantage from a security point of view because the only algorithms allowing SàDs to be solved in this interval are of exponential complexity (as explained in the following documents N. Howgrave - Graham and A. Joux, “New Generic Algorithms for Hard Knapsacks”, Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings , pp. 235-256,

2010 or A. Becker, J-S. Coron and A. Joux, “Improved Generic Algorithms for Hard Knapsacks”, Advances in Cryptology - EUROCRYPT

2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings, pp. 364-385, 2011) requiring an execution time which increases in Ô(2 ^{0 291n} ). The object of the invention is precisely to propose a new process based on such dense SàDs.

Finally, post-quantum cryptosystems based on networks such as those described in the documents cited below, also rely on the difficulty of resolving SàDs. We can mention the following documents describing such encryption processes:

- M. Ajtai and C. Dwork, “A Public-Key Cryptosystem with Worst-Case/Average-Case Equivalence”, Proceedings of the Twenty-Ninth Annual ACM Symposium on the Theory of Computing, El Paso, Texas, USA, May 4 -6, 1997, pp. 284-293, 1997;

- O. Regev, “On lattices, learning with errors, random linear codes, and cryptography”, J. ACM, vol. 56, no. 6, pp. 34:1-34:40, 2009;

- O. Regev, “New lattice-based cryptographic constructions”, J. ACM, vol. 51, no. 6, pp. 899-942, 2004;

- Ch. Peikert, “Public-key cryptosystems from the worst-case shortest vector problem: extended abstract”, Proceedings of the 41 st Annual {ACM} Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31 - June 2, 2009, pp. 333-342, 2009.

- V. Lyubashevsky, A. Palacio and G. Segev, “Public-Key Cryptographic Primitives Provably as Secure as Subset Sum”, Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9-11, 2010 . Proceedings, pp. 382-400, 2010.

A method for distributing information in a modular equation is the so-called “LLL” algorithm, published by A.K. Lenstra, HW. Lenstra, and L. Lovész, (1982) “Factoring polynomials with rational coefficients” - Mathematische Annalen. 261 (4): 515-534.

Let x _lt ... , x _k e N ^k be a collection of k integer unknowns. Let pe N be a module and let a ₀ , ..., a _k e N ^k . Consider the equation of SàD a _Q = =i Q-iXi modp.

It is known to those skilled in the art that said LLL algorithm makes it possible to find x _lt ..., x _k since

In particular, the LLL algorithm can be adapted in order to provide any unequal distribution of sizes between the x _t as long as the size of p is equal to the sum of the sizes of the x _t .

A detailed theoretical analysis of the LLL algorithm and how LLL can be leveraged to perform such information distribution is given in the Ph.Q. document. Nguyen and J. Stern, “The Two Faces of Lattices in Cryptology”, Cryptography and Lattices, International Conference, CaLC 2001, Providence, Rl, USA, March 29-30, 2001, Revised

Papers, pp. 146-180, 2001” and in chapter 13 of the document by A. Joux, “Algorithmic cryptanalysis”, 2009, CRC Press, in the context of generalized SàDs.

A typical example of the use of this information distribution technique in a cryptanalysis context can be found in the document by M. Beunardeau, A. Connolly, R. Géraud and D. Naccache, “On the Hardness of the Mersenne Low Hamming Ratio Assumption”, Cryptology ePrint Archive, Report 2017/522, 2017, https://ia.cr/2017/522. For example, it is possible to distribute the information in the modular equation y + Ax + B = O mod by finding a solution %, y where one of the unknowns is of size log ₂ - (7 bits and the other of size q bits as illustrated by the following script in Mathematica language (formal calculation software published by Wolfram Research) requiring the distribution of information according to a ratio 20%-80%.

This script actually prints: {{- 314929374373641319630381 ,822627}, True, {19.6499,78.0594,99.6896}}

In cryptology, a key encapsulation mechanism or KEM (English acronym for “Key Encapsulation Mechanism”, sometimes also called “key transport”) is a protocol for securely transmitting a session key K to the recipient R using an unsecured channel. The encapsulation of such a key K is one of the components of a hybrid cryptography scheme, the other being the encapsulation of data (by means of the key K thus transmitted). Encapsulation serves the same function as a key transport protocol, with the difference that the key K is here entirely generated by the sender S, which allows, among other things, to start transmitting the encrypted data to R directly with the encapsulated key K.

Among the encapsulation mechanisms standardized by standard ISO/IEC 18033-26, known to those skilled in the art, are RSA-OAEP and RSA-KEM.

As a general rule, the key encapsulation mechanism consists of encrypting a random key K by a second electronic device S of a computer system, by means of a public key pk dedicated to a first recipient electronic device R. The encrypted C is transmitted to said first electronic device R, the latter being responsible for decrypting said cipher C by means of its private key sk. The sender S and the recipient /? then have the same shared secret K, allowing secure communication. Thus, any public key encryption immediately provides a key encapsulation mechanism and vice versa. In practice, it is also necessary to protect the encapsulated key K against manipulation, for example by adding redundancy or an authentication code to it.

We consider the following scenario in which a sender S generates an encapsulated key K and sends it to a recipient R. A KEM results in four successive processes, respectively (1) generation of general parameters, (2) generation of the secret and public keys of the recipient R, the latter being published, (3) encapsulation then transmission by the sender S (from said general parameters by and from the public key pk of the recipient R of the key K thus encapsulated for the attention of the recipient R, and (4) decapsulation or recovery of the latter by said recipient R.

These four successive processes, which will be described later in the form of processes 110, 120, 130 and 140 in connection with Figures 2 to 5, respectively implement four algorithms that we can designate by the terms AlgSetllp, AlgKeyGen, Encap, Decap , as indicated by the notation KEM: = (AlgSetllp, AlgKeyGen, Encap, Decap) and consist of the following sequence of steps:

- the recipient R generates for example general parameters, noted by, necessary for the operation of the KEM, as summarized in the relationship by <- AlgSetUp;

- said recipient R generates a private key sk and a published public key pk, as summarized by the relationship {sk, pk} «- AlgKeyGen(par);

- for its part, the sender S uses par and pk to produce a key K which it keeps confidential and an encrypted code C encapsulating said secret key K to be transmitted to the recipient R, as summarized in the relationship {C, K} <- Encap(by, pk); at the end of this step, the cipher C is sent to the recipient R;

- said recipient R receives the encrypted C and recovers the key K encapsulated in the latter, as summarized in the relationship K «- Decap(par, sk, C) by implementing the Decap decapsulation algorithm; if said decapsulation step was not successful, the Decap algorithm possibly returns an “error” message.

At the end of this sequence, R and S share the same secret session key K. Among the numerous advantages brought by the present invention, we can mention that:

- the information that any potential attacker would seek to obtain from the public key is reduced as much as possible. In fact, the invention keeps hidden the modulo module which the SàD calculations are carried out. In doing so, it is reasonably surmised that the invention protects the proposed cryptosystem from network-based attacks that target modular SàDs;

- a KEM according to the invention resists quantum attacks because said KEM is based neither on the factorization problem nor on the discrete logarithm problem, both vulnerable to quantum attacks;

- a KEM according to the invention is particularly optimized and efficient since the algorithms implemented in the context of the invention require few operations to store and execute the Encap and Decap algorithms, thus combining high execution performance and preservation of capacity storage of equipment implementing KEM; moreover, the number of code instructions necessary to carry out the invention in software or the number of logic gates necessary to carry out the invention in hardware is very low;

- the RAM necessary for the execution of said Encap and Decap algorithms is also low compared to the prior art, thus also preserving the resources of said equipment implementing a KEM according to the invention;

- the bandwidth necessary for exchanges between equipment implementing a KEM according to the invention is considerably increased with regard to the prior art, since to securely exchange a key K of k bits, a KEM according to the invention requires a maximum transmission of O(k) bits, where conventional algorithms require O(k ² ), thus further increasing the performance of said KEM according to the invention compared to the prior art; it should be noted that a KEM according to one of the embodiments of the invention allows the transmission of tk key bits instead of k, where, typically t < 4.

- according to preferred embodiments, the invention also provides for being able to compress the public key pk and/or the private key sk, so that the hardware resources necessary for the implementation of such a KEM are even further preserved.

From a theoretical and practical point of view, a great advantage of the invention lies in the fact that the parameter p (which will be discussed later) remains secret. Thus, an adversary does not face a modular SàD problem but a SàD problem on integers, which is much more difficult.

To this end, the invention firstly provides a method of transporting a secret K resistant to attacks by quantum computer, said method being implemented by a computer system comprising a first and a second electronic devices, said first and second electronic devices each comprising a processing unit cooperating with a data memory and means of communication with the outside world, said first electronic device R being designed to receive and exploit the secret K previously produced and encapsulated by said second electronic device S, said transport method comprising:

- a step of generating and publishing general parameters by said transport method implemented by the first electronic device R;

- a step of generating a pair {sk,pk} of secret and public keys, as well as publishing said public key produced, said step being implemented by the first device electronic 7?, said pair of secret and public keys {sk, pk} being produced from said general parameters by and from a first random data produced by a random number generator of said first electronic device R;

- a step of encapsulating the secret K in the form of a cipher C and transmitting the latter, said step being implemented by said second electronic device S from said general parameters by, of the public key pk of said first electronic device R and a second random data item produced by the random number generator of said second electronic device S

- a step of decapsulating said secret K implemented by said first electronic device R from said cipher C, said general parameters by and from the pair {sk, pk] of secret and public keys already produced by the first device electronic R.

To resist an attack by quantum computer, said second random data is used to derive a vector of n integers

and in that the step of encapsulating the secret K in the form of a cipher C and transmitting the latter consists of implementing two sums having the same indexes m ₁ , ..., m _n , the cipher C consisting of a first sum such that C

and the secret K consisting of a second sum, called

“mirror sum” such that K “-

, said first sum being calculated in a first algebraic structure, said second sum being calculated in a second algebraic structure and the vectors v ^{| |} and s^l being extracted from the public key pk of said first electronic device R.

The invention provides for different variants according to which:

- said first and second algebraic structures are the ring of integers Z; - said first and second algebraic structures are finite fields;

- said first algebraic structure is the ring of integers Z and said second algebraic structure is a finite field;

- said first algebraic structure is a finite field and said second algebraic structure is the ring of integers Z.

According to a first embodiment of a KEM conforming to the invention secure against selected clear attacks (CPA-secure):

- the step of generating and publishing general parameters par consists of determining an integer n such that k < n, k being a security parameter, par being defined by the pair par = {n, k}

- the step of generating a pair {sk, pk} of secret and public keys, as well as publishing said public key pk produced, consists of: o using the first random data in order to derive the following parameters:

- an n-bit integer p;

- a prime integer q of k bits;

- integers d and p such that

- a vector of n positive integers w _r , ...,w _n of which

the sum is bounded by p; o produce the secret key sk «- [p, d, p}; o produce the public key pk the vectors

And

being defined by the two relations

mod p and sM «- w^p mod q.

- the step of encapsulating the secret K consists of using the second random data in order to produce a vector of n integers m to from which the figures are calculated

and the key K «- m _o dq:

- the step of decapsulating the secret K consists of recovering the key K such that K «- b mod q where b «- Cd mod p.

According to this first embodiment, the vector can be produced by the following sequence of operations:

- as long as said vector

does not contain n distinct elements do: according to the criterion

According to a second embodiment, to further strengthen the robustness of a KEM according to the invention, the component q of the public key pk may not be exposed to the second electronic device S. For this:

- the step of generating and publishing general parameters par consists of determining an integer n such that k < n, k being a security parameter, par being defined by the pair par = {n, k};

- the step of generating a pair {sk, pk} of secret and public keys, as well as publishing said public key pk produced, consists of: o using the first random data in order to derive the following parameters:

- a bit integer p;

- a prime integer q of k bits;

- integers d and p such that

- a vector

of n positive integers w _± , ...,w _n whose sum is bounded by p and such that

mod q) <q; o produce the secret key sk «- [p, d, p}; o produce the public key pk «- the vectors

being defined by the two relations

«- mod p and

p mod q

- the encapsulation step of the secret K consists of using the second random data in order to produce a vector of n integers

from which the cipher C is calculated

and the key K «-

- the step of decapsulating the secret K consists of recovering the key K such that K «- pb mod q where b «- Cd mod p.

To reduce the sizes of the keys {sk,pk}, a method according to the invention can be adapted so that:

- the step of generating and publishing general parameters par consists of determining an integer n such that k < n, k being a security parameter, par being defined by the pair par = {n,k};

- the step of generating a pair {sk,pk} of secret and public keys, as well as publishing said public key pk produced, consists of: o using the first random data in order to produce two seeds (seed_pk, seed_sk) «- [0.2 ^k - l] ² ; o produce the secret key sk «- [p, d,p} where pe P _n , from Z* and pe Z* are derived deterministically from seed_sk; o produce the public key

■ the vector v' e [1, 2 ⁿ - l] ⁿ is derived deterministically from seed_pk; - q is a k-bit prime number derived deterministically from seed_pk;

- the vector

and the vector being produced by the

following process:

• for 1 < i < n do: o as long as (v't + z _t ~) d mod p > [p/n] refresh z _f «- [0,n ² - 1];

• sh]

mod p) mod q; o compress the pk key into {seed_pk

- the secret K encapsulation step consists of: o decompressing

by deriving from the seed_pk the vector

then form

o generate from the second random data, a vector of n integers

from which the cipher is calculated

- the step of decapsulating the secret K consists of recovering the data sk ;= [p, d, p} from seed_sk then recovering (141) the key K such that K «- pb mod q where b «- Cd mod p.

According to an advantageous embodiment, p can be prime or such that PGCD(d, p) = 1.

To optimize the bandwidth necessary for the implementation of a method in accordance with the invention, and transmit longer keys, the method in accordance with the invention can be adapted so that:

- the step of generating and publishing general parameters by consists of determining an integer n such that k < n, k being a security parameter and an integer t non-zero, said general parameters being the triplet {t, n, k};

- the step (120) of generating a pair {sk, pk] of secret and public keys, as well as publishing said public key pk, consists of producing, from the first random data item, the following data: o a k-bit integer q; o a vector o a vector

o an invertible random matrix M of dimension txt whose elements are taken randomly from Z _q ; o a secret key o a public key for the vectors

being produced such that: verifies the condition i, j, 0 <

v _t < 2 ⁿ and djVt mod p ₇ - <pj/n;

- the secret encapsulation step

consists of using the second random data in order to produce a vector of n integers from which the cipher C is calculated. and the key

mod q} ;

- the secret decapsulation stage

consists of recovering

(141) the key

such as

mod

C rfM mod pt.

According to an advantageous embodiment, t can be less than or equal to 4.

Likewise, an advantageous embodiment may consist of n being such that n > 3A4k.

For additional security, the encapsulation and decapsulation steps of the secret K, respectively

, may include the application of a one-way function OWF(x) to audit secret K (respectively

) to produce a second secret K' = OWF(/<) (respectively K' = OWF <M) actually used instead of K (respectively ffM) by an application implementing KEM, i.e. for purposes cryptographic. Indeed, such additional protection destroys possible algebraic properties remaining in K (respectively ffM).

According to a second object, the invention relates to a computer program product comprising one or more program instructions executable by the processing unit of a computer, said program instructions being loadable into a memory of said computer and the execution of which by said processing unit causes the implementation of a method for transporting a secret K resistant to attacks by quantum computer according to the invention.

According to a third object, the invention relates to a storage medium readable by a computer comprising the instructions of such a computer program product.

According to a fourth object, the invention relates to a computer system comprising a plurality of electronic devices each comprising a processing unit and a memory, said memory of each of said electronic devices comprising the program instructions of a computer program product according to the invention.

Other characteristics and advantages will appear more clearly on reading the following description and examining the accompanying figures, including:

- Figure 1 illustrates an example of a computer system comprising a plurality of electronic devices implementing a key transport method according to the invention;

- Figure 2 illustrates an example of a functional method for producing general parameters of a key transport method according to the invention;

- Figure 3 illustrates an example of a functional method for generating public and private keys implemented by any electronic device of a computer system conforming to the invention;

- Figure 4 illustrates an example of a functional session key encapsulation method implemented by any electronic device of a computer system conforming to the invention wishing to share said session key with another electronic device of said computer system ;

- Figure 5 illustrates an example of a functional session key decapsulation method implemented by any electronic device of a computer system conforming to the invention recipient of a session key encapsulated by another electronic device of said computer system .

It is usual to define the following security concepts for KEMs:

- a KEM: = (AlgSetUp, AlgKeyGen, Encap, Decap) is

“(1 - ) correct” if vpk,sk eAlgKeyGen,Pr[Decap(sk, C) = K (C, I) «- Encap(pk)] > 1 - A. In particular, a KEM is “perfectly correct” if A = 0; - a KEM: = (AlgSetUp, AlgKeyGen, Encap, Decap) is safe against chosen-clear attacks (CPA-safe) if for any distinguishing algorithm executing in polynomial time, given {by, pk}, the advantage of distinguishing (C, K ₀ ) from (C, /<, ), where (C, K _o ) <- Encap

is chosen uniformly and independently of C, is negligible;

- A KEM: = (AlgSetUp, AlgKeyGen, Encap, Decap) is safe against chosen cipher attacks (CCA-safe) if for any distinguishing algorithm running in polynomial time and having access to a decapsulation oracle and to { by, pk}, the advantage of distinguishing (C, K ₀ ) from (C, /<, ) where (C, K _o ) <- Encap(pk) and where

is chosen uniformly and independently of C is negligible, as long as the distinguisher constrains itself to never ask the oracle to decipher C.

Depending on particular characteristics, any of the devices for generating parameters, generating keys, encapsulating (encrypting) keys and decapsulating (decrypting) encrypted keys briefly explained above in the context of an electronic circuit.

Such an electronic circuit could, for example, be made up of a microprocessor, a programmed circuit (also sometimes called FPGA for “Field Programmable Gate Array”) or a hardwired logic chip (also sometimes called ASIC for “Application Specific Integrated Circuit”). ").

The invention also relates to an irremovable, or partially or completely removable, data storage means, comprising computer program code instructions for executing the steps of any of the methods of generating parameters, generating keys, encapsulation (encryption) of keys and decapsulation (decryption) of encrypted keys, in accordance with the invention. The invention also relates to a computer program downloadable from a network of communication and/or stored on a computer-readable medium and/or executable by a microprocessor comprising program instructions which, when executed by the computer or microprocessor, cause the implementation of a compliant KEM to the invention.

This computer program is notable in that it includes instructions for carrying out the steps of any of the methods of parameter generation, key generation, key encapsulation (encryption) and decapsulation ( decryption) of encrypted keys exposed above, when executed on a computer or in a microprocessor. Other aspects and advantages of the invention will appear on reading the detailed description below of particular embodiments, given by way of non-limiting examples.

We will now illustrate the concept of constructing a KEM system according to the invention.

In other words, we will show how to construct the algorithm which will be used to process a block of data according to the invention. It should be noted that the choice of functions or numerical values in the examples included is essentially aimed at simplicity of presentation, and does not claim to reflect advantageous values in terms of practical implementation of the invention.

As indicated above, the present invention also relates to a computer system comprising a plurality of communicating electronic devices implementing any of the methods of generating parameters, generating keys, encapsulating (encrypting) keys and decapsulation (decryption) of encrypted keys described above.

As shown in Figure 1, this computer system 1 comprises a plurality of electronic devices 10-1, 10-2,. ,.,10-g. Conventionally, each electronic device consists of an instance of an electronic device 10 comprising a central processing unit 11 controlling electronic elements including a data memory 12 and a program memory 14, said memories 12 and 14 can form only one and the same physical entity. Such an electronic device 10 may include a random number generator 13, the latter possibly forming a single physical entity with said processing unit 11.

By “memory” we mean any computer memory whether it is volatile or not. Non-volatile memory is a computer memory whose technology retains its data in the absence of an electrical energy supply. It may contain data resulting from inputs, calculations, measurements and/or program instructions. The main non-volatile memories currently available are electrically writable such as EPROM technology (“Erasable Programmable Read-Only Memory”, according to Anglo-Saxon terminology) or even electrically writable and erasable such as EEPROM (“Electrically-Erasable Programmable Read” technologies). -Only Memory”, according to Anglo-Saxon terminology), flash, SSD (“Solid-State Drive”, according to Anglo-Saxon terminology), etc. Non-volatile memories are distinguished from so-called “volatile” memories whose data is lost in the absence of a power supply. The main volatile memories currently available use RAM technologies (“Random Access Memory” according to Anglo-Saxon terminology or also called “random access memory”), DRAM (dynamic random access memory, requiring regular updating), SRAM (static random access memory requiring a such updating during a power shortage), DPRAM or VRAM (particularly suitable for video), etc.

An electronic device 10 further comprises means of communication 15 with the outside world in the form of an input unit and an output unit. Said communication means 15 cooperate with the processing unit 11 and ensure wireless or wired proximity communication with any other electronic device of said computer system 1. To operate, that is to say so that the processing unit 11 implements a method according to the invention, an electronic device 10 comprises generally a source of electrical energy 16 in the form of one or more batteries for example. Such a source of electrical energy 16 may be internal or external to said electronic device 10. The processing unit 11 may also include means 17 for controlling a man-machine input and/or output interface 20. In throughout the document, the term “man-machine output interface” means any device, used alone or in combination, making it possible to output or deliver a graphic, haptic, sound or, more generally, perceptible representation by humans. Such an output man-machine interface may consist, in a non-exhaustive manner, of one or more screens, speakers or other suitable alternative means. The term “man-machine input interface” means a computer keyboard, a pointing device, a touch screen, a microphone or, more generally, any interface arranged to translate a gesture or an instruction issued by a human into data. command or configuration. Advantageously, the input and output man-machine interfaces can constitute only one and the same physical entity.

Such a computer system 1 can be adapted by loading into the program memory 14 of each electronic device 10-1, 10-2,...,10-g a computer program P comprising instructions to cause, during their executions, the implementation of a method for generating parameters, generating keys, encapsulating and/or decapsulating according to the invention. This program may use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in interpreted, partially or fully compiled form, or in n any other desirable shape.

As indicated previously, to be able to exchange a secret via an insecure communication channel and resistant to attacks by a quantum computer, one of the electronic devices of the computer system 1 described in connection with the figure 1, for example the electronic device 10- 1, implements a method 110 for generating parameters by via the execution of an AlgSetllp algorithm mentioned previously. The electronic device 10-1 could be the future recipient R of a secret K which will be communicated to it by an electronic transmitter device s of said computer system 1, such as the electronic device 10-2, or else consist of any other electronic device 10-2, ..., 10-g) of said system 1.

Figure 2 thus describes a functional flowchart of such a method 110 implemented by an electronic device of a computer system 1, such as the electronic device 10-1 recipient R of a secret.

Such a method 110 takes as input a security parameter k and includes a step 112 of generating the parameters necessary for implementing a work of a KEM conforming to the invention. Such a method may include a preliminary step 111 of producing a first random or pseudo-random data item PP by the random or pseudo-random number generator 13, all or part of said parameters being able to be produced from said first random data item or pseudo-random PP. Said method 110 may include a step 113 to cause the transmission, by the communication means 15, of an MPAR message to all or part of the electronic devices 10-2, ..., 10-g of the computer system 1 conveying said parameters by. On receipt of such an MPAR message, said electronic devices 10-2, ..., 10-g record the values of said parameters in their respective data memories 12.

Figure 3 describes a functional flowchart of a key generation method 120 implemented by any electronic device of a computer system 1, such as the electronic device 10-1 recipient R of a secret, via the execution of 'an AlgKeyGen algorithm mentioned previously.

Such a method 120 comprises a step 121 of producing a second random or pseudo-random data item SS by the random or pseudo-random number generator 13 and a step 122 of generating the keys {sk, pk} using said second random or pseudorandom data SS. Said method 120 then comprises a step 123 of recording in the data memory 12 of the electronic device R, 10-1, implementing said method 120, values of said keys {sk, pk}. Said method 120 further comprises a step 124 for causing the transmission of a message to cause the transmission of an MPK message to all or part of the electronic devices 10-2, ..., 10-g of the system computer 1, said MPK message conveying said public key pk. On receipt of such a message, said electronic devices 10-2,..., 10-g record the value of said public key pk in their respective data memories 12, advantageously in a data structure KR associating the latter with identifiers ID1, ..., IDg characterizing the electronic devices having published their keys.

The invention provides, when the methods 110 and 120 are implemented consecutively by the same electronic device of said computer system 1, that the parameters by which were produced in step 112 of the method 110 can be conveyed jointly with the public key pk by the MPK message, the transmission of which by the communication means 15 is caused by step 124 of the method 120.

Figure 4 describes a functional flowchart of a method 130 for encapsulating a secret K implemented by an electronic device of a computer system 1, such as the electronic device S, 10-2, via the execution of 'an Encap algorithm mentioned previously. Such an electronic device S, 10-2 may wish to address said secret K in the form of a cipher C intended for the sole electronic device R, 10-1 having implemented the method 120 as described previously in connection with the figure 3.

A method 130 comprises a step 131 of producing a third random or pseudo-random data MM by the generator of random or pseudo-random numbers 13 and a step 133 of generating a cipher C of a secret K that the we wish to produce and thus encapsulate to be communicated in a secure manner, using said third random or pseudo-random data MM, parameters by and the public key pk of the recipient electronic device /?, 10-1 of said cipher. For this, said method 130 comprises a step 132, prior to step 133, of reading the data memory 12 to know the value of said public key pk of said recipient R, 10-1. Said method 130 then comprises a step 134 of triggering the transmission of a message MC conveying said cipher C to the electronic device R, 10-1 of the computer system 1 conveying said cipher. In this case, according to the example illustrated in Figure 1, such a method 130 can be implemented by the electronic device 10-2 acting as sender S of said encrypted code C to the attention of the electronic device R, 10-1 designated by the selection 132 of the public key pk of the latter as the sole recipient of said cipher C and capable of being able to decrypt it as we will study it in connection with Figure 5.

Said figure 5 thus describes a functional flowchart of a method 140 for deciphering the cipher C or decapsulating a secret K implemented by an electronic device of a computer system 1, such as the electronic device R, 10-1 , via the execution of a Decap algorithm mentioned previously. Such a method 140 is implemented in response to the reception of an MC message conveying a cipher C produced by a third-party electronic device according to an encapsulation or encryption method 130 described previously in connection with Figure 4.

Such a method 140 comprises a first step 141 of reading from the data memory 12 the respective values of the public key pk and the secret key sk previously produced in step 122 of a method 120 already described in connection with Figure 3. Said public keys pk and secret sk being specific to the recipient electronic device R, 10-1 of the cipher C, said keys are respectively denoted pk and sk in Figure 5. Said step 141 also uses the parameters by, transmitted to steps 112 and/or 123. Such a step 141 further consists of reading from said data memory 12 the values of the parameters by previously produced by a parameter generation method such as method 110, now and already described in connection with Figure 2 and implemented by the present electronic device R, 10-1 or by a third-party electronic device. A method 140 also includes a step 142 of producing said secret K which we wish to extract from the code C received. Such a decapsulation step 142 is carried out from said cipher C, the parameters by and the public keys pk and secret sk of the receiving electronic device R (10-1) of said cipher C. In this case, according to the example illustrated by Figure 1, such a method 140 can be implemented by the electronic device 10-1 acting as recipient R of said cipher C addressed by the electronic device 10-2 acting as sender s.

All cryptosystems based on SàD aim to find the vector

in the formula or in a formula

equivalent modulo a certain module.

The general inventive concept deviates from this architecture by introducing at least two SàDs denoted

act as a SàD coupled with a “mirror SàD”. The sender generates

randomly and calculates at least two

are C and K for a certain function (x) whose parameters are unknown to him. The said two sums were

The sum K serves as a shared secret. The sum C is the cipher conveying K.

Note that, unlike classic SàD KEMs, here it is not

but K which is transferred. The recipient R (10-1) applies to C a process such that

It should also be noted that different Ks can result in the same K and that in practice this is indeed the case. Thus we see that the heart of the invention lies in the development of functions and having the property required above.

Let us describe some examples of such processes that can be combined with each other. According to a first example called "modular calculations" and denoted P ₁ , if we set v _t = mod q then, subject to compliance with a size condition on the v _t and/or subject to disclosing q, the function

consists of reducing C modulo q and dividing the result by q modulo q. The addition of a constant, namely v allows, if the Hamming weight of is a

fixed parameter, to add more variability in

Subtracting two such v _t will eliminate q ₂ and cancel its effect but if such an operation is combined and nested within the bricks

following periods, its effect will be preserved. It should also be noted that nothing prevents us from nesting several modular calculations, modulo different q, into each other. For example let v _t = q' ₁ q ₁ s _i +q ₂ mod q) + q' ₂ mod q'. mod q'.

This allows, by subtraction of 2q' ₂ modulo q' and by division by modulo q' to "pop" the quantity mod q) mod q'.

We then see that, if we have terms in such an addition, the choice nq <q' makes it possible to find the quantity mod q) in Z. A subtraction of the constant 2q ₂ modulo q and a modular division by q _± will give the sum modulo q or the sum in Z if the sum of the s _t does not exceed q. It is obvious to those skilled in the art that different stages can thus be fitted together.

According to a second example called “Concatenation with a random” and noted let us take where the r _t are random numbers, and the notation

denotes a sequence of u = log ₂ bits equal to 0. By adding to the maximum n such v _t we will obtain the quantity which allows us to

cut the upper part of the number and find the sum of the

Let's look at a third example called “Cut and swap” and denoted Φ _з . We also note that the s _t can be divided into two or more bit streams s _t [j of equal or unequal size, for example s _t = s _t [2] |s _f [1]. These bit streams can be permuted according to a known permutation of R (the device electronic device 10-1 in Figure 1) but not S (the electronic device 10-2 in Figure 1). In the illustrative example given here, we can for example take v _t = st [1] | [2] which amounts to inverting the high weights and low weights of the quantity (taking care to reserve between s _f [l] and s _f [2] a “buffer” of u = [log ₂ bits equal to 0 intended to absorb the withholding of the bill). By adding at most n such

we will obtain the quantity:

This quantity can be easily cut up and “put back in the correct order” to form the quantity

Finally, let's look at a fourth example called “Linear combinations with internal key” and denoted ₄ . Let's take

where the r _f are random numbers. By adding at most n such

we will get the quantity

Which makes it possible to cut the upper part of the number and find the sum of the

Note that confidential constants can come

enhance the relationship: thus making it even more

complex.

All these methods (P _t to construct the v _t are associable with each other and can give rise to a multitude of functions, in a manner obvious to those skilled in the art. The definition of

<> is part of the private key of R (for example, electronic device 10-1 in Figure 1). This definition can be encoded in the form of a binary number denoted sk _ext seen as an extension of sk describing the parameterization and composition of different transforms (P^ fa leading to the encoding of in

which can, without limitation, be chosen from among the transforms that we have just seen. In the following, particular functions <P, (p will be chosen for illustrative and non-limiting purposes.

Let us describe a first embodiment of a KEM conforming to the invention through one of the respective arrangements of the methods 110, 120, 130 and 140 mentioned previously in connection with Figures 2 to 5. This first mode is said to be safe against selected clear attacks (CPA-safe), we will call it KEMCPA.

According to this first embodiment of a KEM according to the invention, the parameters produced by a parameter generation method 110 simply consist of fixing the sizes of the keys used by the key generation 120 and encapsulation 130 methods. and decapsulation 140 implemented in a computer system such as system 1 according to FIG. More precisely, said parameters consist of an integer n chosen or predetermined so that k < n, k being a security parameter. According to a preferred embodiment, n will be chosen such that n > 3A4k. The particularly advantageous values for the parameter k are 128, 192 and 256. The values of n which correspond to them being respectively 440, 664, 880. In order to facilitate the IT or hardware implementation we recommend taking the value n approximated to nearest byte.

The method 120 for generating the public keys pk and secret keys sk can be summarized by the formula {sk,pk} = AlgGen _CPA (, k). This method 120 implemented by any electronic device 10-1 to 10-g of said computer system 1, comprises a step 121 of producing random or pseudo-random data SS by the random or pseudo-random number generator 13. Such random or pseudo-random data SS makes it possible to derive the elements p, q, d, .,w.

Thus, as an example of an embodiment, such a step 121 consists of the following operations:

$

- (p, q) ^ P _n x P _k ;

Step 122 of producing the pair of secret and public keys {sk, pk} may consist of implementing the following operations:

mod p; mod q;

sk «- [p, d, p}

Step 121 was described with p prime of n bits. Alternatively, p could be chosen such that GCD(d, p) = 1 so that d is invertible.

Furthermore, expressed above,

can be carried out by the implementation of a “RandSumVec” routine advantageously consisting of a simplified version of the Kraemer algorithm disclosed by NA Smith, and RW Tromble, “Sampling uniformly from the unit simplex”, Johns Hopkins University, Tech . Rep, vol. 29, 2004.

Such a routine can thus consist of first initializing the vector so that Then, said routine consists of putting

implement the following operations:

- as long as said vector does not contain n distinct elements

do: according to the criterion

As an illustrative example, such a process 120 (AlgGen _CPA ) could be expressed in Mathematica language as follows:

The “RandSumVec” routine could be expressed in Mathematica language as follows:

According to this first embodiment of a KEMCPA in accordance with the invention, a method 130 for encapsulating a secret - which can be summarized by the formulation {C, K} = Encap _CPA (, k, pk) - implemented by any electronic device of a computer system 1, such as the electronic device S, 10-2, comprises a step 131 of producing random or pseudo-random data MM by the random or pseudo-random number generator 13. Such MM data allows the derivation of a vector of n random bits such that

Since the public key pk (read in step 132) of the electronic device recipient of the secret K encapsulated in the form of a cipher C is expressed in the form (cf. step 122 of generating the keys {sk, pk ] of

method 110 previously described), step 133 of generating said cipher C and secret K is such that

As an illustrative example, such a process 130 (Encap _CPA ) could be expressed in Mathematica language as follows:

According to this first embodiment of a KEMCPA in accordance with the invention, the method 140 of decryption or decapsulation of a secret K, from which a session key can be created - method 140 which can be summarized by the formulation K = Decap _CPA (, k, sk, pk, C) - implemented by any electronic device of a computer system 1, such as the electronic device R, 10-1 in response to receipt of a message conveying an encrypted C e N < n(p - 1) < n2 ⁿ produced by a third-party electronic device of said computer system 1 according to an encapsulation or encryption method 130 described previously, comprises a first step 141 of reading in the memory of data 12 of the respective values of the public key pk = and the secret key sk = [p, d, p} previously produced at

step 122 of the key generation method 120 already described in connection with FIG. 3, as well as parameters consisting of the integers n and k such that, advantageously n > 3A4k.

Step 142 of said method 140 consisting of the recovery of said secret K which one wishes to derive from the received ciphertext C consists of the operations K <- pb mod q knowing that b <- Cd mod p.

As an illustrative example, such a process 140 (Decap _CPA ) could be expressed in Mathematica language as follows:

It is easy to verify that this KEMCPA (consisting of processes 110, 120, 130 and 140 described above) according to this first embodiment in accordance with the invention is perfectly correct. Indeed, it is enough to verify that b mod q.

To this end, let us expand the definition of b such that b =

It is now possible to verify that _what makes it possible to obtain the value

This allows the verification to be completed

As an illustrative example, such a correctness check could be expressed in Mathematica language as follows:

This first embodiment of a KEM in accordance with the invention is secure against selected clear attacks (CPA-secure).

The performances of the process thus obtained are as follows: the size of the private key sk is 2n + k = 2.291n bits, the size of the public key is n(n + k) + k = 2.291 ² + 0.291n bits, the encrypted has size n + log ₂ n bits and the key K shared between R (10-1) and S (10-2) is of size k = 0.291n bits.

The implementation of the invention has the advantage of being achievable using very traditional arithmetic operations. For example, modular multiplication can be carried out using the Montgomery algorithm (described in the publication PL Montgomery, “Modular multiplication without trial division”, Mathematics of computation, vol. 44, no. 170, pp. 519-521, 1985.) and/or include precalculated constants as described in publication D. Naccache, D. M'raïhi and D. Raphael!, (1995). “Can Montgomery parasites be avoided? A design methodology based on key and cryptosystem modifications”. Designs, Codes, and Cryptography, 5(1), pp. 73-80. Advantageously, one could also, without risk for security, use a module whose form facilitates modular arithmetic or even perform the addition of integers very quickly and in parallel using the strategy of representing integers by so-called residues. RNS (“Residue Number System”), for example, as described in the publication D. Naccache, D. M’Raïhi, W. Wolfowicz and A. di Porto, “Are Crypto-Accelerators Really Inevitable? 20 Bit Zero-Knowledge in Less than a Second on Simple 8-bit Microcontrollers", Advances in Cryptology - {EUROCRYPT} '95, International Conference on the Theory and Application of Cryptographic Techniques, Saint-Malo, France, May 21 -25, 1995, Proceeding, Lecture Notes in Computer Science, vol. 921, pp. 404-409, Springer, 1995.

Furthermore, in order to further strengthen the security of the invention, the following embodiment is proposed: According to this particularly advantageous embodiment of a KEM conforming to the invention, the Encap _CPA and Decap _CPA algorithms, i.e. i.e. the methods 130 and 140 previously mentioned, do not directly return K but rather K' = 0WF(/<), O WF (%) being a one-way function. An application using the key, for example an email client encrypting and decrypting emails exchanged by users, can then use K' as the final encryption key. The idea behind this additional protection is to destroy the remaining algebraic properties of K by the one-way function O WF (%).

The invention also provides for adapting such a KEM so that it is secure against selected cipher attacks (CCA-secure); we will name it KEMCCA. According to this second example of implementation, a classic transform is applied such as that disclosed in the document AW Dent, ed. KG Paterson, “A Designer's Guide to KEMs”, Cryptography and Coding, 9th IMA International Conference, Cirencester, UK, December 16-18, 2003, Proceedings, Lecture Notes in Computer Science, vol. 2898, p. 133-151, Springer, 2003 or, alternatively, that proposed in the document E. Fujisaki and T. Okamoto, “How to Enhance the Security of Public-Key Encryption at Minimum Cost”, Public Key Cryptography, Second International Workshop on Practice and Theory in Public Key Cryptography, PKC '99, Kamakura, Japan, March 1 -3, 1999, Proceedings, pp. 53-68, 1999.

Steps 110 and 120 (AlgGen _CPA ) to respectively produce the general parameters by and the pair of secret and public keys {sk, pk} as mentioned in connection with the previous embodiment are unchanged. In other words AlgGen _CPA : = AlgGen _CCA . On the other hand, the encapsulation 130 and decapsulation 140 steps are adapted. As such, the random number generator 13 of the electronic devices of a computer system according to the invention, such as the system 1 according to FIG. 1, are arranged to implement a so-called “seed” PRNG method to generate in a pseudo-random manner the hazards necessary for the implementation of the session key encapsulation method 130. Such a so-called “seed” process can be taken for example from the document by DJ Bernstein, “The ChaCha family of stream ciphers”, https://cr.yp.to/chacha.html, 2008 or even from the document by J. O'Connor, J. -Ph. Aumasson, S. Neves and Z. Wilcox-O'Hearn, “BLAKE3: one function, fast everywhere”, 2021, https://blake.io.

By way of example, the method 130 as described in connection with Figure 4 - which can be summarized under the formulation {G, K} = Encap _CCA (, k, pk) - can consist of that (Encap _CPA ) already described in connection with the first mode, except that step 131 of producing pseudo-random data

MM also consists of initializing Encap _CPA . PRNG. seed «- K _CCA <- {0,l} ^k .

Step 133 consists of producing not directly the cipher C which will ultimately be transmitted but a component C of it such that C

Said step 133 further consists of producing a second component C ₂ «- K ® K _CCA of said cipher C. At the end of the implementation of the method 130 the future shared session key is K _CCA and the cipher C transmitted is VS-. = (C _lt C ₂ ). As an illustrative example, such a process 130 (Encap _CPA ) could be expressed in Mathematica language as follows:

A process 140 for decapsulating the secret K _CCA - which can be summarized by the formulation _CCA - can then consist of said cipher to implement a step 142, as described

in connection with the first embodiment from the general parameters by = {, k}, from the secret key, from the public key pk =

and the component of C recover the value of the secret K by

a simple call to K <- Decap _CPA (, k, sk, pk, C. Said step 142 is then adapted to calculate

and thus recover the random number / _CCA . According to this embodiment, such a step 142 must include a test to verify the consistency of K _CCA by implementing a processing 133 identical to that implemented by the device transmitting the cipher C, the result of this processing must correspond to the set constituted by the component and the key K. If not, the value of K _CCA is not

confirmed and/or an error is generated.

As an illustrative example, such a process 140 (Decap _CCA ) could be expressed in Mathematica language as follows:

Which allows an execution such as:

The performances of the process thus obtained are as follows: the size of the private key sk is 2n + k = 2.291n bits, the size of the public key is n(n + k) + k = 2.291 ² + 0.291n bits, the encrypted has size n + log ₂ n + k bits and the key K shared between R, 10-1 and S, 10-2 is of size k = 0.291n bits.

Furthermore, a common practice in cryptography consists of reducing the memory space necessary for saving data and saving parameters, noted here

by “generating them on the fly”.

Such on-the-fly generation requires that the data generated on-the-fly does not have any special mathematical properties. For example, in the case where the

are public

can be for example, successive pieces of bits, taken from a constant such as n = 3.14159 •••.

It is also common to define in such a case ôi-= HAS H (i, constant), where the “constant” (possibly public) appearing in HASH is a numerical value allowing the customization of the

When the data

are confidential data (typically private keys), it is usual to use a one-way key function used as follows: 5 _f :=OWF(Lseed) where “seed” is confidential data.

In the context of the invention, we will generically denote such constructions by <5);= Expand (i, %).

Such processes allow the generation

in a way that requires much less memory than needed for saving literal

Thus, this process allows a considerable reduction in the size of the data

thus generated.

As such, the invention provides a third embodiment for reducing the size of the secret and public keys {sk, pk] produced in step 120 of a KEM conforming to the invention, we will call it CompKEM _CPA . According to this third embodiment, the encapsulation steps 130 (Encap _CPA ) and decapsulation 140 (Decap _CPA ) as mentioned in connection with the first embodiment can remain unchanged.

The effect of this embodiment on the size of the key is drastic: if the seeds used are each of k' bits, for KEM _CPA and KEM _CCA the size of sk falls to k bits while the size of pk is reduced at k' + n(k + 2 log ₂ ri) =k”+n(0.291n + 2 log ₂ n). In practice we will take k' = k.

Step 120 of producing the secret and public keys {sk, pk} implemented by the first electronic device R, 10-1 - which can be summarized by the formulation {sk, pk} = CompAlgGen _CPA (, k ) consists of:

- generate a second random data SS by the random number generator 13 and derive from said second random data SS two seeds (seed_pk, seed_sk)

$

«- [0.2 ^k - l] ² ; note that this is the most general description since seed_pk could not come from the SS hazard but represent a fixed constant such that n = 3.1415 ••• or be derived from the PP data;

- produce the secret key sk «- [p, d, p} where pe P _n , from Z* and /ze Z* being derived deterministically from seed_sk;

- produce the public key

o the vector v' e [1, 2 ⁿ - l] ⁿ is derived deterministically from seed_pk; oq is a k-bit prime number derived deterministically from seed_pk; being produced according to the process

following :

- for 1 < i < n do:

• as refresh ) mod q

- the key

compressible

It is recommended to avoid taking for z _f the smallest value such that (v't + zt)d mod p < p/n because such a choice would generate an information leak: namely that values lower than z _t are not solutions of this inequality. Thus, it is recommended to take a z _t in the interval [0, ² ], or, for even greater security in an interval [ ] for T > 2. For the choice T = 2 the CompAlgGen _CPA process could fail with a probability r( ) defined as follows: is negligible because with the smallest recommended value of k

for the use of the present invention, namely k = 128, we obtain n = 440 and therefore r(440) 2 ^-189 . Thus, we are guaranteed to find a good vector to represent using bits instead of n ² bits.

As an illustrative example, such a CompKEM _CPA process could be expressed in Mathematica language as follows:

Running such code will effectively print "true":

This code is given for illustrative purposes because the Mathematica software hash function returns a hash of limited size, so the illustrative example will stop working for large values of n. For simplicity, the example generates compressible and uncompressed keys. A compressible key being a key that can be easily compressed.

Note also that instead of using an exhaustive search, it is possible to use the LLL algorithm in order to distribute the modular information and solve the equation w _t = dÇv't + z _f ) mod p for the unknowns w _it Zi under the constraints w _t < [p/n and z _t < n ² . This is an alternative method of compressing the public key, the implementation of which will be obvious to those skilled in the art. This process easily extends for T > 2. The sk expansion formulas, obvious to those skilled in the art, are:

<- {f _p (Expand(0, graine_sk)), f _d (Expand(l, graine_sk)), (Expand(2, graine_sk))} The functions f _p ,f _d ,f derive the parameters [p, d ,p} of seed_sk.

The pk expansion formulas are more technically delicate:

= {Expand (0, seed_pk), CompressV(seed_pk), uncompressed] where the auxiliary algorithm CompressV(seed_pk) requires the following explanation: We start by deriving Expand (l,seed_pk) from

seed_pk (which is public for example, the identity of R (10-1)). It is also possible to use for a constant common to all

users such as •• or generate seed_pk from the

PP data.

However, in doing so we encounter a problem: if the arbitrary value of is used instead of retro-cal eu les

will be full size, ie potentially greater than [p/n and will therefore not satisfy the constraint

.

In order to get around this difficulty, we will use the originals instead, by introducing short facts

our fixes such as

Expand (

mod p.

Thus we can ensure that for all i = 1, ... n, w _t < p/n, by absorbing the missing entropy in

The compressed public key pk will therefore be composed as follows: pk =

A fourth embodiment provides a notable improvement in the bandwidth of the inventive method. It consists of a generalization to several vectors at the same time. The resulting algorithm will be denoted by mKEM _CPA = {mAIgSetUp, mAlgGen _CPA , mEncap _CPA , mDecap _CPA ] where the letter "m" added before the name of the algorithm is the acronym for the word "multiple". To this end, a new integer parameter t > 1 is introduced in the description. When t = 1 the mKEM _CPA algorithm becomes identical to KEM _CPA . It is clear to those skilled in the art that the same transform making it possible to transform KEM _CPA and KEM _CCA makes it possible to transform mKEM _CPA into a CCA level mKEM _CCA algorithm.

In CPA mode, this embodiment has the characteristics of a private key sk of size 2tn + t ² k = t(2 + 0.291t) bits, a public key pk of size n ² + nkt + k = ² (l + 0.291 t) + 0.291n, an exchanged key of size kt = 0.291nt bits and an encrypted key of size n + log ₂ bits.

For this, the present invention uses a square matrix M of dimensions t x t. Such a matrix M must have a non-zero determinant. The obvious way to generate such matrices M is to choose them randomly until a matrix M with non-zero determinant is obtained.

Since in the present invention, the dimension t of the matrix is very small (typically t < 4), such a method proves acceptable, suitable and effective.

As an illustrative example, such a matrix generation process could be expressed in Mathematica language as follows:

An example of implementation of such a fourth embodiment mKEM _CPA can be described algorithmically by the following operations, relating to the production 120 (mAlgGen _CPA ) of the pair of keys {sk,pk}, consisting of generating:

an invertible matrix M of dimension txt of elements of

Techniques for producing the vector are described

later in this document.

The encapsulation method 130 (mEncap _CPA (n, k, t, pk)) of the secret

according to this fourth embodiment differs from Encap _CPA in that said public key pk = mod q] where

was generated randomly and the cipher is C

The decapsulation process 140 (mDecap _CPA (n, k, t, sk,pk, C)) of the secret —

takes as input a public key pk an encrypted secret key C e N < n(p - 1) < n2 ⁿ . Step 142 of said

In order to clarify how mKEM _CPA works we will explain why mKEM _CPA is perfectly correct.

We would like to verify that

To this end, we will develop

and check that, in doing so, we indeed obtain M ■

It therefore remains to be demonstrated that

These operations are correct thanks to the constraint imposed on djVt mod pj allowing the values to fall back into Z.

In connection with method 120 (mAlgGen _CPA ) producing the pair of keys {sk,pk}, let us examine different possible realizations to produce vW. Thus, it is important to describe the way in which said component vW of the public key pk can be generated. Unlike the first embodiment of a KEM according to the invention (KEM _CPA ), when t >

must be found during key generation. When t = 1, the value of vW is deducted from

or in the case of mKEM _CPA , the element

must be determined before calculating wW. The concern induced by this modification in the order of operations is that now the v _t are intrinsically non-random given the additional constraints which are simultaneously imposed on them. Thus, it is important to counter this adverse effect and ensure that the v _t have high entropy. Obviously, a choice of high t will make the generation of

slower.

A first example of carrying out the production of the vector

denoted GenV(t,n,p[ ^f L dM) can be described algorithmically by the following table:

As an illustrative example, such a Gen process could

be expressed in Mathematica language as follows:

Running such code will effectively print "true":

This makes it possible to test all the steps of the algorithm as follows:

Running such code will effectively print "true":

Note that this key search procedure is easily parallelizable and can take advantage of n processors to accelerate the search by a factor n. Indeed, each v _t can be entrusted to a separate processor and generated independently of the others. This remark also applies to the procedure described in the second example of carrying out the production of rW which follows. According to a second embodiment of the production

the exhaustive search can be considerably reduced by chaining several steps illustrated below. Since this embodiment allows compliance with the size constraint on four elements, we can also advantageously use this variant to generate keys not exposing the data q (this embodiment will be described later) for t = 2, thus combining both the increased security of the variant not exposing q and the increased bandwidth of the t = 2 variant.

To do this, we start with a classic generation of first

We start by guaranteeing the condition modulo p ₄ by construction, by taking a random w ₄ such that w ₄ , we back-calculate v = mod PL then we determine w ₂ = vd ₂ mod p ₂ . We randomly remove w ₄ until we obtain a .

We can notice that if we increase v by a few u units, this will not damage the size conditions on w ₄ and w ₂ due to the judicious choice of d ₄ , d ₂ . Indeed: v = w ₁ d ₁ ¹ mod pL implies ud d^ ¹ mod p ₄ . Thus, it is possible to increase v by a few units until we find a w ₃ = vd ₃ mod p ₃ such that w ₃ < p ₃ /(2 ). We notice that the two exhaustive searches carried out previously do not multiply but are added. In order to satisfy the constraint also on w ₄ , the previous calculations are repeated L times (for a certain parameter L) and we will constitute a database BD containing the different values of v thus obtained, noted

The calculation ends by combining the values in BD by summation v' = v[i] + v[j] until finding a pair (i,j) such that w ₄ = v'd ₄ mod p ₄ is satisfied w ₄

This calculation can be completed in three ways:

- we find such that mod p ₄ , (solution of type

1, rare);

- we find a pair

such that w ₄ = v'd ₄ mod p ₄ < p ₄ ((2n) is satisfied (type 2 solution, more common due to the birthday paradox);

- we find a pair such that w ₄ = v'd ₄ mod

is satisfied (type 3 solution, less common

than solutions of type 2) where, moreover, w[i] > w[/] in Z when the quantities w[i],w[/] of which taken modulo all p _t for i = 1, ... , t. This is necessary in order to allow a subtraction in the correct order of the operands in Z allowing v' to be shortened.

If the iteration on L was not sufficient, you must continue to iterate for a larger value of L.

It is important to note that although this procedure must be repeated for each coordinate of the vector v ^{| |} , the base BD can be recycled from one coordinate to another: once a solution has been found for a given coordinate, this solution and/or its components can be removed (erased) from BD and the resulting base can be used to initiate the search for the next coordinate

without having to recalculate BD de novo. All you have to do is continue to enrich BD. As an illustrative example, such a method allowing the generation of a coordinate of the vector of

could be expressed in Mathematica language as follows:

Whatever the solution chosen to implement this fourth embodiment of a KEM conforming to the invention, the choice of t is essential. Note that the parameter t cannot be too large. An intuitive argument for such an inherent limitation is that if one generates a key of more than n bits, its entropy will be bounded in any case (because there will always be a better attack consisting of trying all possible values of mW by a exhaustive search). This establishes a first constraint which is t < n/k. Given that t must be integer, we propose to take either t = [n/k] or t = [n/k. If t = [n/k] is chosen, the resulting key must be hashed to n bits before use. Note that it would be appropriate to avoid t > 4 because the values chosen for n and k would all be such that [n/k] = 3.

Thus, for t = 1, the generation of keys is immediate for any embodiment exposing the component q in the public key pk. It is also true for any embodiment, described later, not exposing said component q in the public key pk. For t = 2, key generation is immediate for any embodiment exposing the component q in the public key pk. It remains fast for any embodiment, described later, not exposing said component q in the public key pk. The size of K is sufficient for the majority of practical applications.

For t = 3, key generation is easy for any embodiment exposing the component q in the public key pk. The size of K, however, becomes large and exceeds what is usually required for practical applications.

For t = 4, key generation remains reasonable for any embodiment exposing the component q in the public key pk. However, the size of K is maximized and the ratio between the entropy of K and the number of operations performed begins to decrease.

It is therefore recommended to take t = 1, or t = 2 or t = 3 (which are particularly interesting) depending on the application needs and reserve the choice t = 4 for applications requiring keys as long as possible. There seems to be no apparent utility in using t > 4.

As mentioned previously, the invention provides a fifth embodiment for which the q component of the public key pk is not exposed and thus further strengthen the robustness of a KEM according to the invention.

According to a fifth embodiment of a KEM conforming to the invention, which we will call qLessKEM _CPA , it is possible to omit the q component of the public key pk.

According to a first technique for implementing such a qLessKEM _CPA , q becomes one of the components of the secret key sk, said keys {sk, pk} being produced within the framework of a process 120 adapted accordingly which we will call qLessAlgGen _CPA to differentiate it from the AlgGen _CPA algorithm already described in connection with the KEM _CPA .

Like the latter, the parameters par consist of an integer n chosen or predetermined so that k < n, k being a security parameter provided by the user. According to a preferred embodiment, n will be chosen such that n > 3A4k.

The method 120 of generating the public keys pk and secret sk, is a process which can be summarized by the formula {sk,pk} = qLessAlgGen _CPA (, k), the latter being implemented by any electronic device 10- 1 to 10-g of said computer system 1, comprises a step 121 of producing a second random or pseudo-random data SS by the random or pseudo-random number generator 13. Such a second random or pseudo-random data SS allows to derive a set of n positive integers which we will note w _r , ...,w _n . The invention provides that the sum of said n integers w _r , ..., w _n is bounded by a parameter p, advantageously first.

Thus, as an example of implementation, such a step 121 consists of the following operations:

$

- (p, q) «- P _n x P _k ;

The formula

mod q) < q must be interpreted as follows: first of all said computer system 1 calculates the numbers

= pw _t mod q, once the Yi is obtained, the Yi are summed as integers without the resulting sum being reduced modulo q.

Step 121 was described with p prime of n bits. Alternatively, p could be chosen such that GCD(d, p) = 1 so that d is invertible.

Furthermore, the operation

and such that pwi mod q) < q expressed above, can be achieved by the implementation of a subroutine named qLessRandSumVec which can be described algorithmically by the following table:

As an illustrative example, such a process qLessRandSumVec generating the vector of wW could be expressed in Mathematica language as follows:

The method 120, denoted qLessAlgGen _CPA (, k), therefore includes a step 122 of producing the pair of secret and public keys {sk, pk} which may consist of the implementation of the following operations:

mod q; sk <- {q,p, d,q}

As an illustrative example, such a method (120) qLessAlgGen _CPA (,k) could be expressed in Mathematica language as follows:

According to this embodiment of a qLessKEM _CPA not exposing q in the public key pk, a method 130 of encryption or encapsulation of a secret - which can be summarized by the formulation {C, K} ^ - qLessEncap _CPA (, k, pk) - implemented by any electronic device of a computer system 1, such as the electronic device S (10-2), comprises a step 131 of producing random or pseudo-data random MM by the random or pseudo-random number generator 13. Such MM data making it possible to derive a vector of n integers such that

Since the public key pk (read in step 132) of the electronic device recipient of the secret K encapsulated in the form of a cipher C is expressed in the form pk =

(cf. step 122 of generating the keys {sk,pk} of the method 110 previously described), step 133 of generating said cipher C and the secret K is such that

note that neither the calculation of C nor the calculation of K uses modular reductions.

As an illustrative example, such a method (130) qLessEncap _CPA (, k, pk) could be expressed in Mathematica language as follows:

According to this qLessKEM _CPA embodiment in accordance with the invention, the method 140 of decryption or decapsulation of a secret K, in this case a session key - method 140 which can be summarized by the formulation K «- qLessDecap _CPA (, k, sk, C) - implemented by any electronic device of a computer system 1, such as the electronic device R (10-1), in response to the reception of a message conveying an encrypted C e N < n(p - 1) < n2 ⁿ produced by a third-party electronic device of said computer system 1 according to an encapsulation or encryption method 130 described previously, comprises a first step 141 of reading the value from the data memory 12 of the secret key sk = [q, p, d, p} previously produced in step 122 of the key generation method 120 already described in connection with Figure 3, as well as parameters by consisting of them integers and k such that, advantageously > 3.44k.

Step 142 of said method 140 consisting of the recovery of said secret K which one wishes to derive from the received cipher C consists of the operations K «- pb mod q knowing that b «- Cd mod p.

As an illustrative example, such a method (140)qLessDecap _CPA (, k, sk, C) allowing the vector of w ] could be expressed in Mathematica language as follows:

Running such code will effectively print "true":

Alternatively, the invention provides a second technique resulting in a KEM not exposing q, this variant being denoted qLess2KEM _CPA . For example, instead of carrying out an exhaustive search on the z _f , it has already been specified that it is possible to exploit the LLL algorithm in the CompKEM _CPA algorithm to solve the equation w _t = (v'i + z^d mod p for the unknowns w _f ,z _f under the constraints w _t < [p/n] and z _f < ^2. This equation admits on average n solutions due to the fact that size(w _f ) + size(z _f ) > size(p). It is then sufficient to carry out an exhaustive search in this space of = n solutions until identifying a solution such that s _t = w _t p mod q < [q/n ] It follows that the electronic transmitter device S (10-2) no longer needs to calculate K modulo q and q remains unknown to the adversary.

The invention provides a third technique for not exposing q to the adversary, this variant being denoted qLess3KEM _CPA . If compression of the public key pk is not required, the key generation method 120 can be modified by generating Then, using LLL, solve p mod q for small z,s (typically

z _t < n ² ) and Si < [q/n]. This equation admits on average n solutions because size(s _f ) + size(z _f ) > size(q-). Once the resolution is completed, it is possible to define

Since now p there is no need to provide p in pk. Since now

there is also no need to provide q in pk and the adversary cannot use q for attack purposes.

The invention provides a fourth technique for not exposing q to the adversary, this variant being denoted qLess4KEM _CPA . Indeed, it is also possible to omit q in the calculation of the secret K by s, 10-2 and give a potentially negative cipher C. In this embodiment to encapsulate a secret K, the electronic device S, 10-2 proceeds in two steps: the vector

is chosen in

e [-1.0, l] ⁿ in such a way that K is a positive integer less than q. For this purpose, it is only necessary to provide a bound on q and not q. Once K has been calculated, the corresponding cipher C is calculated in Z, possibly resulting in a signed number whose sign is part of the cipher C. The decapsulation procedure is invariant.

To produce K so that K is a positive integer less than q, according to a first sub-embodiment of qLess4KEM _CPA , the electronic device s, 10-2 divides the bits of

into three parts: one half is chosen equal to zero, one quarter is chosen equal to 1 and one quarter is chosen equal to -1. A lower bound B on q is given to the electronic device S, 10-2 so that the latter can choose an assortment of keys s _t such that K is positive and less than q.

According to a second sub-embodiment of qLess4KEM _CPA , it is possible to take then, once the sum

known, S (10-2) we divide K by one of the s _t (for example s, ), calculate the quantity verifies that 0 < K < B and then corrects the cipher C in subt

scratching

According to a third sub-embodiment of qLess4KEM _CPA , it is possible to take

[0,1] then, once the sum

known, S (10-2) subtracts from /C a linear combination of s _t noted , calculates the quantity K = K - T _s , verifies that 0 < K < B and then S

(10-2) corrects the cipher C by subtracting a “mirror factor” T _v

to C.

The invention provides a fifth technique for not exposing q to the adversary, this variant being denoted qLess5KEM _CPA . This process uses exhaustive search to find the little i such that ixq added to the decapsulated key gives the encapsulated key calculated in the integers. This equality being confirmed by a redundancy of the key, denoted h and added to the cipher.

As an illustrative example, such a qLess5KEM _CPA process could be expressed in Mathematica language as follows:

Running such code will effectively print "true":

This process can also be generalized to the case t > 1 in an obvious way.

Finally, the invention provides a sixth technique for not exposing q to the adversary, this variant being denoted qLess6KEM _CPA . Indeed, it is also possible to omit q in the calculation of the secret K by s, 10-2 and proceed as follows, illustrated below with the parameter t = 1. During encapsulation, calculate K in Z by performing a simple sum over the integers. Once C received by /?, 10-1, the latter can find K' = K mod q. To help the electronic device R, 10-1 find K in Z, the electronic device S, 10-2 sends, with C, the most significant log ₂ bits of K denoted here c. So K = c2 ^k + K'. Knowing K' and c, the electronic device R, 10-1 can easily calculate K.

As an illustrative example, such a qLess6KEM _CPA process could be expressed in Mathematica language as follows, where we note the importance of generating q modules of exactly k bits:

Running such code will effectively print "true":

Furthermore, given the simple algebraic structure of the invention, it is possible to generalize such an algebraic structure to a variety of rings, groups and finite fields. Such generalizations (translations from one algebraic structure to another), obvious to those skilled in the art, are frequently the case in cryptology, as evidenced by the following references: - M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan, “Fully

Homomorphic Encryption over the Integers”, Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings, Lecture Notes in Computer Science, vol. 6110, p.

24-43, Springer, 201; - JH Cheon and D. Stehlé, “Fully Homomorphic Encryption over the Integers Revisited”, Advances in Cryptology -- EUROCRYPT 2015, 2015, Springer Berlin Heidelberg, pp. 513 — 536;

- D. Aggarwal, A. Joux, A. Prakash and M. Santha, “A New Public-Key Cryptosystem via Mersenne Numbers”, Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, Part III, Lecture Notes in Computer Science, vol. 10993, p. 459-482, Springer, 2018;

- J.S. Coron, T. Lepoint and M. Tibouchi, “New Multilinear Maps Over the Integers”, Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, Lecture Notes in Computer Science, vol. 9215, pp. 267-286, Springer, 2015;

- K. Jarvis and M. Nevins, “ETRU: NTRU over the Eisenstein integers”, Des. Cryptogr. Codes, vol. 74, no. 1, pp. 219-242, 2015;

- Joux, “Fully homomorphic encryption modulo Fermat numbers”,

Cryptology ePrint Archive, Report 2019/187, 2019, https://ia.cr/2019/187.

Similarly, the inventive method could be generalized to non-binary mW. The algorithms presented in the present invention would then be based on the Bounded Knapsack Problem, cf. H. Kellerer, U. Pferschy and D. Pisinger, “The Bounded Knapsack Problem”, Knapsack Problems, 2004, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 185-209). Such a generalization leads to a modification of the size of the mW and therefore a new balancing of the parameters and security levels, as is obvious to those skilled in the art.

The invention has been described through an example illustrated by Figure 1 according to which a second electronic device S, 10-2 wishes to share the value of a second secret s, which we can reference K _S ^ _R , with a unique first electronic device R, 10-1 for exploiting said secret K _S -, _R and producing a session key. For this, said secret K _S -, _R , is encapsulated (process 130) from the public key pk _R of the recipient R, 10-1 (produced by a method 120) in the form of an encrypted Cs^R- Said recipient R, 10- 1 recovers the value of said secret K _S -, _R by implementing a decapsulation process (process 140) of said cipher

The invention further provides that the methods 130 and 140 can be implemented successively in opposite directions by the two electronic devices S, 10-2 and R, 10-1. Thus, in turn the first electronic device R, 10-1, acting as S shares the value of a secret K, which we can reference K _R -, _S , with the unique second electronic device S, 10-2 acting like R to exploit said K _R ^ _S secret and produce a session key. Said secret K _R -, _S , is encapsulated (process 130) in the form of an encrypted CR^S from the public key pk _s , of the recipient S, 10-2. Said recipient S, 10-2 recovers the value of said secret K _R ^ _S by implementing a decapsulation process (process 140) of said cipher CR ^ S -

The invention then provides that the future session key used by the two electronic devices S, 10-2 and R, 10-1 can result from a combination of the secrets K _S ^ _R and K _R ^ _S thus exchanged in a secure manner . By way of non-limiting examples, said session key may result from the implementation by the two electronic devices S, 10-2 and R, 10-1 of an exclusive or- or a hash function applied to said secrets K _S -, _R and K _R -, _S.

Finally, it is important to note that the different processes and embodiments can be combined with each other in order to offer numerous implementation options obvious to those skilled in the art.

By way of non-limiting example, the following method, denoted mCompKEM _CPA , provides both compression of public keys such as that provided by CompKEM _CPA and an extension to t > 1 such as that provided by mKEM _CPA . Since the mCompEncap _CPA and mCompDecap _CPA processes are obvious to those skilled in the art, we will endeavor to explain how to compress the pair {sk, pk} in the case t > 1.

The step of generating a pair {sk, pk} of secret and public keys, denoted CompAlgGen _{cpA 2} (, k), corresponding to AlgKeyGen, as well as publishing said public key pk produced consists of:

- generate a second random data SS by a random number generator 13 of the first electronic device R, 10-1 accomplishing said step, said second random data SS and derive {seed_pk, seed_sk}

the pk_seed is public and the sk_seed is kept secret;

- produce the compressible secret key sk <- {p, d, p} where pe P _n , d ∈ and p ∈ are derived deterministically from seed_sk;

- produce the compressible public key pk where:

oq is a k-bit prime derived deterministically from seed_pk;

is deterministically derived from seed_pk; is initialized randomly

is produced as follows:

■ for 1 < i < n, refresh

It is easy to see that pk can be compressed into

which allows for considerable memory savings.

Claims

CLAIMS Method for transporting (100) a secret K resistant to attacks by quantum computer, said method being implemented by a computer system (10) comprising a first (10-1) and a second (10-2) electronic devices , said first and second electronic devices each comprising a processing unit (11) cooperating with a data memory (12) and means of communication (15) with the outside world, said first electronic device R (10-1) being designed to receive and exploit the secret K previously produced and encapsulated by said second electronic device S (10-2), said transport method (100) comprising:

- a step (110) of generating and publishing general parameters by said transport method (100) implemented by the first electronic device R (10-1);

- a step (120) of generating a pair {sk, pk} of secret and public keys, as well as publishing said public key produced, said step (120) being implemented by the first electronic device R (10) -1), said pair of secret and public keys {sk, pk} being produced from said general parameters by and from a first random data (SS) produced by a random number generator (13) of said first electronic device R (10-1);

- a step (130) of encapsulating the secret K in the form of a cipher C and transmitting the latter, said step (130) being implemented by said second electronic device S (10-2) from said general parameters by, the public key pk of said first electronic device R (10-1) and a second random data (MM) produced by the random number generator (13) of said second electronic device S (10-2);

- a step (140) of decapsulating said secret K implemented by said first electronic device R (10-1) from said cipher C, said general parameters by and the pair {sk,pk} of secret and public keys of already produced (120) by the first electronic device R (10-1); said transport method (100) being characterized in that said second random data (MM) is used to derive a vector of n integers mW and in that the step (130) of encapsulating the secret K in the form of a encrypted C and transmission of the latter consists of implementing two sums having the same indexes m ₁ , ..., m _n , the encrypted C consisting of a first sum such that C «- mW. _V W and the secret K consisting of a second sum, called a “mirror sum” such that K “- mW. $14 said first sum being calculated in a first algebraic structure, said second sum being calculated in a second algebraic structure and the vectors vW and sW being extracted from the public key pk of said first electronic device R (10-1).

2. Method (100) according to claim 1 for which said first and second algebraic structures are the ring of integers Z.

3. Method (100) according to claim 1 for which said first and second algebraic structures are finite fields.

4. Method (100) according to claim 1 for which said first algebraic structure is the ring of integers Z and said second algebraic structure is a finite field.

5. Method (100) according to claim 1 for which said first algebraic structure is a finite field and said second algebraic structure is the ring of integers Z.

6. Method (100) according to claim 4 for which:

- the step (110) of generating and publishing general parameters par consists of determining an integer n such that k < n, k being a security parameter, par being defined by the pair par = {n, k }

- the step (120) of generating a pair {sk, pk] of secret and public keys, as well as publishing said public key pk produced, consists of: o using the first random data (SS) in order to derive the following parameters:

- an n-bit integer p;

- a prime integer q of k bits;

- integers d and p such that

- a vector

of n positive integers w _r , ..., w _n whose sum is bounded by p; o produce the secret key sk «- [p, d, p}; o produce the public key pk «- the vectors

being defined by the two relations

mod p and mod q

- the step (130) of encapsulating the secret K consists of using the second random data (MM) in order to produce a vector of n integers from which the cipher is calculated

and the key

the step (140) of decapsulating the secret K consists of recovering (141) the key K such that K «- pb mod q where b «- Cd mod p. ed according to the preceding claim for which the vector is produced by the following sequence of operations:

- as long as said vector

does not contain n distinct elements do: according to the criterion

n — 1;

ed (100) according to claim 2, for which:

- the step (110) of generating and publishing general parameters par consists of determining an integer n such that k < n, k being a security parameter, par being defined by the pair par = {n,k }

- the step (120) of generating a pair {sk, pk] of secret and public keys, as well as publishing said public key pk produced, consists of: o using the first random data (SS) in order to derive the following parameters:

■ an n-bit integer p;

■ a prime integer q of k bits;

■ integers d and p such that

- a vector

of n positive integers w _± , ..., w _n whose sum is bounded by p and such that mod q) <q;

o produce the secret key sk «- [p, d, p}; o produce the public key pk «- the vectors

being defined by the two relations

mod q;

- the step (130) of encapsulating the secret K consists of using the second random data (MM) in order to produce a vector of integer n

from which the cipher is calculated

and the key K

- step (140) of decapsulating the secret K consists of recovering (141) the key K such that K <- pb mod q where b «- Cd mod p.

9. Method (100) according to claim 4, for which:

- the step (110) of generating and publishing general parameters par consists of determining an integer n such that k < n, k being a security parameter, par being defined by the pair par = {n,k } ;

- the step (120) of generating a pair {sk, pk] of secret and public keys, as well as publishing said public key pk produced, consists of: o using the first random data (SS) in order to produce two seeds (seed_pk, seed_sk)

o produce the secret key sk

and μ ∈ are deterministically derived from seed_sk; - o produce the public key

- the vector is derived from

deterministic way of seed_pk;

- q is a k-bit prime number derived deterministically from seed_pk;

- the vector z

and the vector

being produced by the following process:

• for 1 < i < n do: o as long as (v't + z _f ) d mod p > [p/n] refresh z _f «- [0,n ² - 1];

• d mod p) mod g;

o compress the pk key into

- step (130) of encapsulating the secret K, consists of: o decompress {seed_pk, by deriving from the

seed_pk the vector then form

o generate from the second random data (MM), a vector of n integers

from which the cipher is calculated

- the step (140) of decapsulating the secret K consists of recovering the data sk := [p, d,p} from seed_sk then recovering (141) the key K such that K «- pb mod q where b “-

Cd mod p.

10. Method (100) according to any one of claims 6 to 9, for which p is prime or such that PGCD(d, p) = 1.

11. Method (100) according to claim 4 for which: - the step (110) of generating and publishing general parameters by consists of determining an integer n such that k < n, k being a security parameter and a non-zero integer t, said general parameters by being the triple {t,n,k}

- the step (120) of generating a pair {sk, pk] of secret and public keys, as well as publishing said public key pk, consists of producing, from the first random data (SS), the data following:

o an invertible random matrix M of dimension txt whose elements are taken randomly from Z _q ; o a secret key sk « o a public key pk the vectors and

being produced such as:

verifies the condition Yi,j, 0 < v _t <

- the step (130) of encapsulating the secret

consists of using the second random data (MM) in order to produce a vector of n integers m from which the cipher is calculated

- the step (140) of decapsulating the secret

consists of such that

mod q where

12. Method according to the preceding claim for which t is less than or equal to 4.

13. Method (100) according to any one of claims 6 to 12, for which n is such that n > 3A4k.

14. Method (100) according to any one of claims 1 to 10, for which the steps (130) of encapsulation and decapsulation of the secret K comprise the application of a one-way function OWF(x) to said secret K to produce a second secret K' = 0WF(/<) intended to be exploited for cryptographic purposes.

15. Method (100) according to claim 11 or 12, for which the step (130) of encapsulating the secret K comprises the application of a one-way function O WF (%) to said secret

to produce a second secret K' = intended to be exploited for cryptographic purposes.

16. Computer program product comprising one or more program instructions (P) executable by the processing unit (11) of a computer, said program instructions (P) being loadable into a memory (14) of said computer and the execution of which by said processing unit (11) causes the implementation of a method (100) according to any one of the preceding claims.

17. Computer-readable storage medium comprising the instructions of a computer program product according to the preceding claim. 18. Computer system (1) comprising a plurality of electronic devices (10-1, 10-2, 10-g) each comprising a processing unit (11) and a memory (14), said memory (14) of each of said electronic devices (10-1, 10-2, 10-g) comprising the program instructions (P) of a computer program product according to claim 16.