Blockwise Rank Decoding Problem and LRPC Codes: Cryptosystems with Smaller Sizes

In this paper, we initiate the study of the Rank Decoding (RD) problem and LRPC codes with blockwise structures in rank-based cryptosystems. First, we introduce the blockwise errors (l-errors) where each error consists of l blocks of coordinates with disjoint supports, and define the blockwise RD (l-RD) problem as a natural generalization of the RD problem whose solutions are l-errors (note that the standard RD problem is actually a special l-RD problem with l = 1). We adapt the typical attacks on the RD problem to the l-RD problem, and find that the blockwise structures do not ease the problem too much: the l-RD problem is still exponentially hard for appropriate choices of l > 1. Second, we introduce blockwise LRPC (l-LRPC) codes as generalizations of the standard LPRC codes whose parity-check matrices can be divided into l sub-matrices with disjoint supports, i.e., the intersection of two subspaces generated by the entries of any two sub-matrices is a null space, and investigate the decoding algorithms for l-errors. We find that the gain of using l-errors in decoding capacity outweighs the complexity loss in solving the l-RD problem, which makes it possible to design more efficient rank-based cryptosystems with flexible choices of parameters. As an application, we show that the two rank-based cryptosystems submitted to the NIST PQC competition, namely, RQC and ROLLO, can be greatly improved by using the ideal variants of the l-RD problem and l-LRPC codes. Concretely, for 128-bit security, our RQC has total public key and ciphertext sizes of 2.5 KB, which is not only about 50% more compact than the original RQC, but also smaller than the NIST Round 4 code-based submissions HQC, BIKE, and Classic McEliece.