A Reaction Attack against Cryptosystems based on LRPC Codes

Gustavo Banegas, joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti. Latincrypt 2019, October 3rd, 2019.


SLIDE 1

A Reaction Attack against Cryptosystems based on LRPC Codes

Gustavo Banegas

joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti

Latincrypt 2019 October 3rd, 2019

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas 1

SLIDE 2

Outline

◮ Introduction
◮ Reaction Attack
◮ Our Result
◮ Conclusion

SLIDE 3

Post-quantum cryptography

Why do we need post-quantum cryptography?

Shor’s Algorithm solves in polynomial time:
◮ Integer factorization; RSA is dead.
◮ The discrete-logarithm problem in finite fields; DSA is dead.
◮ The discrete-logarithm problem on elliptic curves; ECDSA is dead.

SLIDE 4

Post-quantum cryptography

What is post-quantum cryptography?

SLIDE 5

Post-quantum cryptography

Timeline

◮ 2016: NIST calls for submissions to the “Post-Quantum Cryptography Standardization Project”.
◮ 2017: NIST receives 69 proper submissions.
◮ 2018-19: NIST 2nd round of proposals with 26 proposals.
◮ 17 code-based in the 1st round; 7 code-based in the 2nd round.

SLIDE 6

Code-based Cryptography

Code-based cryptography in a nutshell

[Figure: Plaintext → Codeword (linear transformation) → Ciphertext (add errors); Ciphertext → Codeword (remove errors) → Plaintext (inverse transformation)]

◮ Originally proposed by McEliece in 1978;
◮ It uses a linear code:
  ◮ Goppa codes;
  ◮ LDPC/MDPC;
  ◮ Rank Metric (LRPC);
  ◮ Several others.

SLIDE 7

Rank Metric Codes

A Low-Rank Parity-Check (LRPC) code

An LRPC code $C$ over $\mathbb{F}_{q^m}$ of length $n$, dimension $k$ and rank $d$ is described by an $(n-k) \times n$ parity-check matrix $H = \{h_{i,j}\} \in \mathbb{F}_{q^m}^{(n-k) \times n}$ such that
◮ each coefficient $h_{i,j}$ can be written as $h_{i,j} = \sum_{l=1}^{d} h_{i,j,l} F_l$, with $h_{i,j,l} \in \mathbb{F}_q$, each $F_l \in \mathbb{F}_{q^m}$, and $F = \langle F_1, F_2, \dots, F_d \rangle$ an $\mathbb{F}_q$-subspace of $\mathbb{F}_{q^m}$.

SLIDE 8

Decoding LRPC codes

How to decode LRPC codes?

Let $s = (s_1, \dots, s_{n-k}) \in \mathbb{F}_{q^m}^{n-k}$ be the syndrome of $e$, i.e. $He^\top = s$.
Decoding: recover $e$ from the knowledge of $s$.

Crucial facts:
◮ If $h_{i,j} \in F = \langle F_1, F_2, \dots, F_d \rangle$ and $e \in E = \langle E_1, E_2, \dots, E_r \rangle$, then $s_i \in \langle F_1E_1, F_1E_2, \dots, F_dE_r \rangle$.
◮ Assume $S = \langle s_1, s_2, \dots, s_{n-k} \rangle = \langle F_1E_1, F_1E_2, \dots, F_dE_r \rangle$; then:
  1. Set $S_i = F_i^{-1} \cdot S$. Then $S_i = F_i^{-1} \cdot \langle \dots, F_iE_1, F_iE_2, \dots, F_iE_r, \dots \rangle \;\Rightarrow\; E = \langle E_1, E_2, \dots, E_r \rangle \subset S_i$.
  2. Find $E = S_1 \cap S_2 \cap \dots \cap S_d$.
  3. Find $e$ by solving $He^\top = s$.

SLIDE 9

Decoding of LRPC codes

When do decoding failures happen?

1. When $\mathrm{Dim}\langle EF \rangle < rd$: this happens with probability $P_1 = \dfrac{d}{q^{m-rd}}$.
2. When $E \neq \bigcap_{i=1}^{d} S_i$: when $m > rd + 8$, this happens with probability $P_2 \ll 2^{-30}$.
3. When $\mathrm{Dim}\langle S \rangle < rd$: this happens with probability $P_3 = \dfrac{1}{q^{n-k+1-rd}}$.

◮ In practice usually $P_1, P_2 \ll P_3$.

SLIDE 10

LRPC cryptosystems

What is an LRPC cryptosystem?

Basically any cryptosystem that
◮ uses LRPC codes (low rank of $H_{secret}$);
◮ uses $R H_{secret} = H$ to hide the secret $H_{secret}$;
◮ relies on the Rank Syndrome Decoding problem: find $e$ such that $He^\top = s$ and $|e| = r$.

◮ LRPC cryptosystem [Gaborit et al. ’13]
◮ McNie [Kim et al. ’17] (NIST 1st round candidate)
◮ ROLLO (Rank-Ouroboros, LAKE and LOCKER) [Aguilar Melchor et al. ’17] (NIST 2nd round candidate)
◮ Durandal [Aragon et al. ’19]

SLIDE 11

Reaction attack

m1, e1, c1 = m1G + e1        c1 →
                                   ← Decode(c1)
m2, e2, c2                   c2 →
                                   ← Decode(c2)
. . .
mt, et, ct                   ct →
                                   ✗ ← Decode(ct)
                                   Pls resend!

SLIDE 24

Key recovery attack

When does a decoding failure happen?

(A closer look at) the syndrome equation for LRPC: $H_{secret} e^\top = s$, i.e.
$$s_i = \sum_{j=1}^{n} h_{i,j} e_j = \sum_{j=1}^{n} \Big( \sum_{l=1}^{d} h_{i,j,l} F_l \Big) \Big( \sum_{u=1}^{r} e_{j,u} E_u \Big) = \sum_{l=1}^{d} \sum_{u=1}^{r} F_l E_u \Big( \sum_{j=1}^{n} h_{i,j,l} e_{j,u} \Big), \quad \forall i \in \{1, \dots, n-k\}.$$

In matrix form: $s = (F_1E_1, F_1E_2, \dots, F_dE_r) \cdot \bar{A}_{h,e}$.

Recall: decoding fails when $\mathrm{Dim}\langle S \rangle < rd$, i.e. when $\bar{A}_{h,e}$ is not of full rank.
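The decoding steps of slide 8 and the rank condition of slide 24, as an added toy example (my code, not the talk's): support recovery over $\mathbb{F}_{2^{13}}$ with $q = 2$, $r = d = 2$, $n = 10$, $k = 4$, and a check that $\mathrm{Dim}\langle S \rangle$ equals the $\mathbb{F}_2$-rank of $\bar{A}_{h,e}$. The field polynomial, the parameters, the random sampling and the omission of step 3 (solving for $e$) are my assumptions.

```python
# Added toy example (not code from the talk): LRPC support recovery by steps 1-2 of slide 8,
# and the slide-24 fact that Dim<S> equals the F_2-rank of A_bar_{h,e} (q = 2, assumed m = 13).
import functools, random

M, POLY = 13, (1 << 13) | (1 << 4) | (1 << 3) | (1 << 1) | 1   # F_{2^13} via x^13+x^4+x^3+x+1 (assumed)

def gf_mul(a, b):                      # multiply in F_{2^M}; elements are M-bit ints
    res = 0
    while b:
        if b & 1: res ^= a
        b, a = b >> 1, a << 1
        if a >> M: a ^= POLY           # reduce modulo the field polynomial
    return res
def gf_inv(a):                         # a^(2^M - 2) = a^-1 by square-and-multiply
    res, e = 1, (1 << M) - 2
    while e:
        if e & 1: res = gf_mul(res, a)
        a, e = gf_mul(a, a), e >> 1
    return res
def span_basis(vecs):                  # F_2-basis of the span of bit-vectors; len() is the dimension/rank
    basis = []
    for v in vecs:
        for b in basis: v = min(v, v ^ b)   # clears the leading bit of b from v
        if v: basis.append(v)
    return basis
def combine(bits, basis):              # sum_l bits[l] * basis[l] over F_2, bits in {0, 1}
    return functools.reduce(lambda v, p: v ^ p[0] * p[1], zip(bits, basis), 0)
def sample(seed, n=10, k=4, r=2, d=2): # random F (dim d), E (dim r) with Dim<EF> = rd, then h_{i,j,l}, e_{j,u}
    rng, F, E = random.Random(seed), [], []
    while len(span_basis([gf_mul(f, x) for f in F for x in E])) < r * d:
        F = span_basis([rng.getrandbits(M) for _ in range(d)])
        E = span_basis([rng.getrandbits(M) for _ in range(r)])
    h = [[[rng.getrandbits(1) for _ in range(d)] for _ in range(n)] for _ in range(n - k)]
    return F, E, h, [[rng.getrandbits(1) for _ in range(r)] for _ in range(n)]
def syndrome(F, E, h, e):              # s_i = sum_j h_{i,j} e_j, h_{i,j} = sum_l h_{i,j,l} F_l, e_j = sum_u e_{j,u} E_u
    return [combine([1] * len(e), [gf_mul(combine(hij, F), combine(ej, E)) for hij, ej in zip(hi, e)]) for hi in h]
def abar_rank(h, e):                   # F_2-rank of A_bar_{h,e}: row (l,u), column i, entry sum_j h_{i,j,l} e_{j,u}
    rows = [sum((sum(hij[l] & ej[u] for hij, ej in zip(hi, e)) & 1) << i for i, hi in enumerate(h))
            for l in range(len(h[0][0])) for u in range(len(e[0]))]
    return len(span_basis(rows))
def recover_support(F, s, r):          # steps 1-2 of slide 8; returns a basis of E, or None on decoding failure
    S = span_basis(s)
    if len(S) < r * len(F): return None                      # failure 3: Dim<S> < rd
    inter = None
    for Fi in F:
        Si = span_basis([gf_mul(gf_inv(Fi), x) for x in S])  # S_i = F_i^-1 . S
        elems = {combine([m >> t & 1 for t in range(len(Si))], Si) for m in range(1 << len(Si))}
        inter = elems if inter is None else inter & elems    # E = S_1 ∩ ... ∩ S_d
    E = span_basis(sorted(inter))
    return E if len(E) == r else None                        # failure 2: E != ∩ S_i
```

With these parameters $P_3 = 2^{-3}$, so running `sample` over a few dozen seeds shows both successful recoveries and failures, and every failure coincides with `abar_rank` dropping below $rd$.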

SLIDE 25

Our Attack

What to do with the errors?

$$\begin{cases} v_{e_1} \cdot \bar{A}_{e_1}(h) = 0_{1 \times (n-k)} \\ v_{e_2} \cdot \bar{A}_{e_2}(h) = 0_{1 \times (n-k)} \\ \quad \dots \\ v_{e_t} \cdot \bar{A}_{e_t}(h) = 0_{1 \times (n-k)} \end{cases}$$

High level attack idea:

    Collect errors $e_1, e_2, \dots, e_t$ from decryption failures
    repeat
        $h \leftarrow$ SolveSystem($v_{e_1}, v_{e_2}, \dots, v_{e_t}, e_1, e_2, \dots, e_t$)
        if $h \neq \bot$ then
            Collect $\ell$ messages, errors, ciphertexts $(m_i, e_i, c_i)$
            $F$, success $\leftarrow$ FindBasis($h, \{(m_i, e_i, c_i)\}_{i=1}^{\ell}$)
        else success $\leftarrow \bot$
    until success
    $H \leftarrow$ ReconstructMatrix($h, F$)
    return $H$ of small rank $d$

SLIDE 27

Our Attack

How to solve the system?

$$\begin{cases} v_{e_1} \cdot \bar{A}_{e_1}(h) = 0_{1 \times (n-k)} \\ v_{e_2} \cdot \bar{A}_{e_2}(h) = 0_{1 \times (n-k)} \\ \quad \dots \\ v_{e_t} \cdot \bar{A}_{e_t}(h) = 0_{1 \times (n-k)} \end{cases}$$

◮ Kernel method
  ◮ $n-k$ equations for each error $e_i$
  ◮ $nd$ unknown coefficients in $h$
  ◮ guess $v_{e_i}$ in the kernel of $\bar{A}_{e_i}(h)$
  ◮ $\Rightarrow$ linear system only in the $nd$ $h$-variables
  ◮ need to collect $t \approx \frac{nd}{n-k}$ errors from DF (decryption failures)
◮ Probability of guessing $v_{e_i}$ correctly: $P_{e_i} = \dfrac{q^{K_{e_i}}}{q^{rd}}$, where $q^{K_{e_i}} = |\mathrm{Ker}(\bar{A}_{e_i}(h))|$.
◮ Probability of guessing all $v_{e_1}, \dots, v_{e_t}$: $P_t = P_{e_i}^{\,t} = q^{-(rd-1)t}$.

SLIDE 30

Our Attack

Can it be improved?

An LRPC cryptosystem with a secret key $sk = (H, \cdot)$ has an equivalent key $sk' = (H', \cdot')$ if $sk' \neq sk$ and $sk'$ can be used as a secret key with the same efficiency as $sk$. In particular, $H'$ is of the same rank as $H$.
◮ If $W \in GL_n(\mathbb{F}_q)$, then $sk' = (WH, \cdot')$ is an equivalent key.
◮ Decryption failures are invariant with respect to equivalent keys.
◮ We can rewrite $H$ as
$$H = \sum_{i=1}^{d} \hat{H}_i \cdot F_i = \sum_{i=1}^{d} [\hat{H}_{i1} \mid \hat{H}_{i2}] \cdot F_i \;\Rightarrow\; H' = [I_{n-k} \mid \hat{H}'_{12}] \cdot F_1 + \sum_{i=2}^{d} [\hat{H}'_{i1} \mid \hat{H}'_{i2}] \cdot F_i$$
is an equivalent key.
◮ We reduce the number of variables to $nd - (n-k)$.

SLIDE 31

Our Attack

Our attack on McNie

◮ We evaluated the attack on the 1st round submission parameters:

  n    k   d  r  q  m   Dec. Failure  Security (bits)  Classical Attack (bits)  Quantum Attack (bits)  t
  93   62  3  5  2  37  2^-17         128              138                      82.8                   8
  105  70  3  5  2  37  2^-20         128              140                      83.7                   8
  111  74  3  7  2  41  2^-17         192              188                      108                    8
  123  82  3  7  2  41  2^-20         192              189                      109                    8
  111  74  3  7  2  59  2^-17         256              188                      108                    8
  141  94  3  9  2  47  2^-20         256              238                      134                    8

◮ Better attacks exist: we do not take advantage of any additional structure of McNie.
◮ We do not take full advantage of the high decryption failure rate.

SLIDE 32

Conclusion

Final notes

◮ Reaction attacks in the Hamming metric: Guo, Johansson, Stankovski ’16;
◮ A concurrent work in the Rank metric: Aragon, Gaborit ’19.

Differences to our attack:
◮ We need only a handful of observed decryption failures.
◮ We do not rely on any statistical tests.
◮ We do not rely on any specific decoder.
◮ We assume “randomly generated” errors.

SLIDE 33

Questions

Thank you for your attention. Questions? gustavo@cryptme.in