LowMS: a new rank metric code-based KEM without ideal structure
Designs, Codes and Cryptography (IF 1.6), Pub Date: 2023-12-07, DOI: 10.1007/s10623-023-01330-5
Nicolas Aragon, Victor Dyseryn, Philippe Gaborit, Pierre Loidreau, Julian Renner, Antonia Wachter-Zeh

We propose and analyze \(\textsf{LowMS}\), a new rank-based key encapsulation mechanism (KEM). The acronym stands for Loidreau with Multiple Syndromes, since our work combines the cryptosystem of Loidreau (presented at PQCrypto 2017) with the multiple syndromes approach, which reduces parameters by sending several syndromes with the same error support in one ciphertext. Our scheme is designed without using ideal structures. Considering cryptosystems without such an ideal structure, like the FrodoKEM cryptosystem, is important: structure allows objects to be compressed, but it gives reductions to specific structured problems whose security may be weaker than that of unstructured problems. For 128 bits of security, we propose parameters with a public key size of 4.8 KB and a ciphertext size of 1.1 KB. To the best of our knowledge, our scheme is the smallest among all existing unstructured post-quantum lattice- or code-based algorithms when taking into account the sum of the public key size and the ciphertext size. In that sense, our scheme is, for instance, about 4 times shorter than FrodoKEM. Our system relies on the hardness of the Rank Support Learning problem, a well-known variant of the Rank Syndrome Decoding problem, and on the problem of indistinguishability of distorted Gabidulin codes, i.e., Gabidulin codes multiplied by a homogeneous matrix of given rank. The latter problem was introduced by Loidreau in his paper.
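The multiple-syndromes idea can be made concrete with a small instance generator, added here as an illustration and not code from the paper: coordinates live in GF(2^8) (a constructed toy field, not the paper's parameters), every error vector has its coordinates in one fixed support E of GF(2)-dimension r, and each syndrome is H e^T over that field. Function names, the toy parameters and the seed are assumptions of this example.

```python
import random
from functools import reduce
M = 8           # constructed toy extension degree: coordinates live in GF(2^8), not the paper's parameters
POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2); defines GF(2^8)
def gf_mul(a, b):
    """Multiply two GF(2^M) elements stored as integers (bits = polynomial coefficients)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> M:          # degree reached M: reduce modulo POLY
            a ^= POLY
        b >>= 1
    return r

def f2_rank(vectors):
    """Rank over GF(2) of a list of bit-vectors, by elimination on the leading bit."""
    pivots = {}             # leading bit -> reduced pivot vector
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return len(pivots)      # for x in GF(2^M)^n this is its rank weight

def random_support(r, rng):
    """A support E of dimension r: r GF(2)-linearly independent elements of GF(2^M)."""
    while True:
        basis = [rng.randrange(1, 1 << M) for _ in range(r)]
        if f2_rank(basis) == r:
            return basis

def error_in_support(basis, n, rng):
    """Length-n error whose every coordinate is a random GF(2)-combination of the basis of E."""
    return [reduce(lambda c, b: c ^ (b if rng.getrandbits(1) else 0), basis, 0) for _ in range(n)]

def syndrome(H, e):
    """s = H e^T over GF(2^M), H given as (n-k) rows of n field elements."""
    return [reduce(lambda acc, hx: acc ^ gf_mul(*hx), zip(row, e), 0) for row in H]

def rsl_instance(n, k, r, num_syndromes, seed=1):
    """Multiple-syndromes instance: one H, one support E, several errors in E and their syndromes."""
    rng = random.Random(seed)
    H = [[rng.randrange(1 << M) for _ in range(n)] for _ in range(n - k)]
    E = random_support(r, rng)
    errors = [error_in_support(E, n, rng) for _ in range(num_syndromes)]
    return H, E, errors, [syndrome(H, e) for e in errors]
```

Every error shares the support E, so each has rank weight at most r, and the syndrome map is GF(2^M)-linear, which is what lets several syndromes be bundled in one ciphertext without enlarging the support the receiver has to recover.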




Updated: 2023-12-10