An efficient structural attack on NIST submission DAGS

SLIDE 1

An efficient structural attack on NIST submission DAGS

Élise Barelli (1) and Alain Couvreur (2,3)

(1) Université de Versailles Saint Quentin; (2) INRIA; (3) LIX, École polytechnique

Asiacrypt 2018

  • E. Barelli, A. Couvreur

Structural attack on DAGS Asiacrypt 2018 1 / 28

SLIDE 2

Context

DAGS is a proposal to the NIST call for post-quantum cryptography.
McEliece-like public key encryption scheme (+ conversion to a KEM).
Based on quasi-dyadic alternant codes.

Original parameters:

Security   n      dim C_pub   Ground field          G                            Key size
128        832    416         $\mathbb{F}_{32}$     $(\mathbb{Z}/2\mathbb{Z})^4$   6.8 kB
192        1216   512         $\mathbb{F}_{64}$     $(\mathbb{Z}/2\mathbb{Z})^5$   8.5 kB
256        2112   704         $\mathbb{F}_{64}$     $(\mathbb{Z}/2\mathbb{Z})^6$   11.6 kB

  • Note. Parameters have been updated (see further).

SLIDE 3

1. Prerequisites
2. Description of the attack
3. Complexity and implementation

SLIDE 6

Prerequisites

(Generalised) Reed–Solomon codes

Definition 1 (Reed–Solomon codes). Let $n, k$ be positive integers with $k \le n$. Let $x = (x_1, \dots, x_n) \in \mathbb{F}_q^n$ be a vector with distinct entries.

$$\mathrm{RS}_k(x) \stackrel{\text{def}}{=} \{(f(x_1), \dots, f(x_n)) \mid \deg(f) < k\}.$$

Definition 2 (Generalised Reed–Solomon codes). Let $n, k$ be positive integers with $k \le n$. Let $x = (x_1, \dots, x_n) \in \mathbb{F}_q^n$ be a vector with distinct entries and $y = (y_1, \dots, y_n) \in (\mathbb{F}_q^\times)^n$.

$$\mathrm{GRS}_k(x, y) \stackrel{\text{def}}{=} \{(y_1 f(x_1), \dots, y_n f(x_n)) \mid \deg(f) < k\}.$$

  • Claim. For such codes one can correct up to $\frac{n-k}{2}$ errors in polynomial time.

SLIDE 10

Prerequisites

Alternant codes

Definition 3 (Alternant codes). Let $n, k$ be positive integers with $k \le n$. Let $x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n$ be a vector with distinct entries and $y = (y_1, \dots, y_n) \in (\mathbb{F}_{q^m}^\times)^n$. An alternant code is a code of the form

$$\mathrm{GRS}_r(x, y) \cap \mathbb{F}_q^n.$$

Fact 1. Alternant codes inherit decoding algorithms from generalised Reed–Solomon codes.

Fact 2. Their parameters are not as good as those of GRS codes, but they are much less structured, which is interesting for cryptography.

SLIDE 13

Prerequisites

History – McEliece (1978)

1978: McEliece’s original proposal based on binary Goppa codes (special case of alternant codes). Public key: 32 kB for ≈ 80 bits of security (1).

2018: NIST proposal: Classic McEliece. Public key > 1 MB for > 256 bits of security.

During these 40 years many attempts to get shorter keys. How?

(1) With respect to Prange algorithm

SLIDE 15

Prerequisites

Idea 1 : Reducing the extension degree

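Diagram: $\mathbb{F}_{q^m}$ is an extension of degree $m$ of $\mathbb{F}_q$; $\mathrm{GRS}_k(x, y)$ sits over $\mathbb{F}_{q^m}$ and $\mathrm{GRS}_k(x, y) \cap \mathbb{F}_q^n$ over $\mathbb{F}_q$.

  • Fact. The larger the $m$ the worse the parameters. But:

Case $m = 1$ is broken (Sidelnikov, Shestakov 1992);

Some specific cases of $m = 2$ and $3$ called wild Goppa codes are broken too: C., Otmani, Tillich, 2014; Faugère, Perret, de Portzamparc, 2014.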

SLIDE 19

Prerequisites

Idea 2 : Using codes with a non trivial automorphism group

  • Advantage. Makes it possible to reduce the public key size with almost no impact on the security w.r.t. message security attacks.
  • But, may affect the security w.r.t. key recovery attacks.
  • Some tempting choices of using large groups lead to key recovery attacks: Otmani, Tillich, Dallot (2008); Faugère, Otmani, Perret, Tillich (2010); Faugère, Otmani, Perret, Tillich, de Portzamparc (2016).

SLIDE 20

Prerequisites

DAGS

DAGS scheme’s public keys are quasi-dyadic alternant codes, i.e. $\mathrm{GRS}_k(x, y) \cap \mathbb{F}_q^n$ with an automorphism group acting as:

SLIDE 27

Prerequisites

DAGS

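In short: the automorphism group $G$ is $\cong (\mathbb{Z}/2\mathbb{Z})^\gamma$ for some $\gamma > 0$.

Public key. An $\mathbb{F}_q[G]$-basis of $\mathrm{GRS}_k(x, y) \cap \mathbb{F}_q^n$;

Secret key. The pair $(x, y)$.

  • Important. The extension degree $m$ is 2.

Diagram: $\mathbb{F}_{q^2}$ is an extension of degree $m = 2$ of $\mathbb{F}_q$; $\mathrm{GRS}_k(x, y) \subseteq \mathbb{F}_{q^2}^n$ sits over $\mathbb{F}_{q^2}$ and $\mathrm{GRS}_k(x, y) \cap \mathbb{F}_q^n$ over $\mathbb{F}_q$.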

SLIDE 28

Description of the attack

Section 2 Description of the attack

SLIDE 29

Description of the attack

Tool 1 : the conductor

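In $\mathbb{F}_q^n$ we denote by $\star$ the component-wise product:

$$u \star v \stackrel{\text{def}}{=} (u_1 v_1, \dots, u_n v_n).$$

Then, the star product of two codes $\mathcal{A}, \mathcal{B} \subseteq \mathbb{F}_q^n$:

$$\mathcal{A} \star \mathcal{B} \stackrel{\text{def}}{=} \mathrm{Span}\{a \star b \mid a \in \mathcal{A},\ b \in \mathcal{B}\}$$

Definition 4. Let $\mathcal{U}, \mathcal{V} \subseteq \mathbb{F}_q^n$ be two codes:

$$\mathrm{Cond}(\mathcal{U}, \mathcal{V}) = \{x \in \mathbb{F}_q^n \mid x \star \mathcal{U} \subseteq \mathcal{V}\}$$

Remark. Equivalently, the conductor is the largest code $\mathcal{X}$ satisfying $\mathcal{X} \star \mathcal{U} \subseteq \mathcal{V}$.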

SLIDE 30

Description of the attack

What are conductors good for?

Illustrative example.

  • Suppose the public key is $\mathrm{GRS}_k(x, y)$.
  • Suppose we obtained $\mathrm{GRS}_{k-1}(x, y)$ (for instance by brute force search).

Lemma 5. $\mathrm{Cond}(\mathrm{GRS}_{k-1}(x, y), \mathrm{GRS}_k(x, y)) = \mathrm{RS}_2(x) = \mathrm{Span}\{1, x\}$.

Idea of the proof. The largest space of polynomials $S$ such that $S \cdot \mathbb{F}_q[X]_{<k-1} \subseteq \mathbb{F}_q[X]_{<k}$ is $\mathbb{F}_q[X]_{<2} = \mathrm{Span}\{1, X\}$.

SLIDE 31

Description of the attack

What are conductors good for?

Illustrative example.

  • Suppose the public key is $\mathrm{GRS}_k(x, y)$.
  • Suppose we obtained $\mathrm{GRS}_{k-1}(x, y)$ (for instance by brute force search).

Lemma 6. $\mathrm{Cond}(\mathrm{GRS}_{k-1}(x, y), \mathrm{GRS}_k(x, y)) = \mathrm{RS}_2(x) = \mathrm{Span}\{1, x\}$.

Fundamental fact: the result does not depend on $y$!

SLIDE 34

Description of the attack

With alternant codes, things become harder...

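Lemma 7. $\mathrm{Cond}(\mathrm{GRS}_{k-1}(x, y) \cap \mathbb{F}_q^n,\ \mathrm{GRS}_k(x, y) \cap \mathbb{F}_q^n) \supseteq \mathrm{RS}_2(x) \cap \mathbb{F}_q^n$.

Good news: typically equality holds.

Bad news: typically $\mathrm{RS}_2(x) \cap \mathbb{F}_q^n = \mathrm{Span}\{(1, \dots, 1)\}$.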

SLIDE 35

Description of the attack

With alternant codes, things become harder...

One has to increase the gap between the degrees.

Lemma 8. For any $0 \le a < k$, $\mathrm{Cond}(\mathrm{GRS}_{k-a}(x, y), \mathrm{GRS}_k(x, y)) = \mathrm{RS}_{a+1}(x)$.
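The conductor identities of Lemmas 5, 6 and 8 (plain GRS case, no subfield intersection) can be checked numerically on a toy code. This is an added example, not code from the slides or from the authors' Magma implementation; the field F_13, the points X, the multipliers Y1 and Y2 and all function names are constructed for illustration. It computes the conductor through the identity Cond(U, V) = (U ⋆ V^⊥)^⊥, which follows from ⟨z ⋆ u, h⟩ = ⟨z, u ⋆ h⟩.

```python
# Added example: conductor of toy GRS codes over a small prime field.
P = 13  # constructed toy field size; prime, so F_P is the integers mod P

def rref(rows, p=P):
    """Reduced row echelon form over F_p: returns (nonzero rows, pivot columns)."""
    m = [[v % p for v in r] for r in rows]
    pivots = []
    for c in range(len(m[0]) if m else 0):
        r = len(pivots)
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [v * inv % p for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
    return m[:len(pivots)], pivots

def dual(rows, n, p=P):
    """Basis of the dual code {z in F_p^n : <z, c> = 0 for every row c}."""
    red, pivots = rref(rows, p)
    basis = []
    for free in (c for c in range(n) if c not in pivots):
        z = [0] * n
        z[free] = 1
        for row, pc in zip(red, pivots):
            z[pc] = -row[free] % p
        basis.append(z)
    return basis

def grs(k, x, y, p=P):
    """Generator matrix of GRS_k(x, y): row j is (y_i * x_i^j)_i for j < k."""
    return [[yi * pow(xi, j, p) % p for xi, yi in zip(x, y)] for j in range(k)]

def conductor(U, V, n, p=P):
    """Cond(U, V) = (U * V^dual)^dual, returned as a canonical RREF basis."""
    prods = [[a * b % p for a, b in zip(u, h)] for u in U for h in dual(V, n, p)]
    return rref(dual(prods, n, p), p)[0]

N, K = 12, 6
X = list(range(1, N + 1))                       # distinct points of F_13
Y1 = [1, 5, 7, 2, 11, 3, 9, 4, 6, 8, 10, 12]    # constructed nonzero multipliers
Y2 = [3, 3, 1, 12, 2, 2, 5, 7, 7, 1, 9, 4]      # a second, unrelated choice

def check_lemma(a, y):
    """True if Cond(GRS_{K-a}(X, y), GRS_K(X, y)) equals RS_{a+1}(X)."""
    cond = conductor(grs(K - a, X, y), grs(K, X, y), N)
    return cond == rref(grs(a + 1, X, [1] * N))[0]

if __name__ == "__main__":
    for a in (1, 2, 3):
        print(a, check_lemma(a, Y1), check_lemma(a, Y2))
```

Both multiplier vectors give the same conductor, which is the "does not depend on y" observation: the conductor exposes the support x alone.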

SLIDE 38

Description of the attack

With alternant codes, things become harder...

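One has to increase the gap between the degrees.

Lemma 8. For any $0 \le a < k$, $\mathrm{Cond}(\mathrm{GRS}_{k-a}(x, y) \cap \mathbb{F}_q^n,\ \mathrm{GRS}_k(x, y) \cap \mathbb{F}_q^n) \supseteq \mathrm{RS}_{a+1}(x) \cap \mathbb{F}_q^n$.

  • Idea. Choose $a$ so that $\mathrm{RS}_{a+1}(x) \cap \mathbb{F}_q^n \neq \mathrm{Span}\{(1, \dots, 1)\}$.

For instance $\mathrm{RS}_{q+1}(x) \cap \mathbb{F}_q^n$ contains $x^q + x$ (image of $x$ by $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}$).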

SLIDE 41

Description of the attack

(Very Naive attack)

Recall that $C_{pub} = \mathrm{GRS}_k(x, y) \cap \mathbb{F}_q^n$ and $m = 2$.

We look for $\mathrm{GRS}_{k-q}(x, y) \cap \mathbb{F}_q^n$.

For any $D \subseteq C_{pub} \cap \mathbb{F}_q^n$ of codimension $2q$, compute $\mathrm{Cond}(D, C_{pub})$.

If the conductor $\neq \mathrm{Span}\{(1, \dots, 1)\}$, you probably found $\mathrm{RS}_{q+1}(x) \cap \mathbb{F}_q^n$. Deducing $x$ from this code is rather easy.

→ Cost $O(q^{2q \cdot (\dim C_{pub} - 2q)})$. E.g. for DAGS_1: $> 2^{112640}$ operations.

→ Up to now we never used the automorphism group.

SLIDE 45

Description of the attack

Tool 2 : The invariant code

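Consider the code

$$C_{pub}^{G} \stackrel{\text{def}}{=} \{c \in C_{pub} \mid \forall \sigma \in G,\ \sigma(c) = c\}.$$

Theorem 9 (Proved under some heuristic).

$$\mathrm{Cond}\left(\left(\mathrm{GRS}_{k-q}(x, y) \cap \mathbb{F}_q^n\right)^{G},\ C_{pub}\right) = \mathrm{RS}_{q+2}(x) \cap \mathbb{F}_q^n.$$

→ Enumerate $D \subseteq C_{pub}^{G}$ of codimension $\frac{2q}{|G|}$.

→ Cost $O\left(q^{\frac{2q}{|G|} \cdot \frac{\dim C_{pub} - 2q}{|G|}}\right)$.

→ Next, using some classical coding theoretic operations (shortening) we can reduce the cost to $O\left(q^{\frac{4q}{|G|}}\right)$.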

SLIDE 46

Complexity and implementation

Section 3 Complexity and implementation

SLIDE 47

Complexity and implementation

In practice

The average work factor will be:

          Claimed security   q       |G|     Work factor
DAGS_1    128 bits           $2^5$   $2^4$   ≈ $2^{70}$
DAGS_3    192 bits           $2^6$   $2^5$   ≈ $2^{80}$
DAGS_5    256 bits           $2^6$   $2^6$   ≈ $2^{58}$

SLIDE 51

Complexity and implementation

Second approach using polynomial system solving

Brute force search can be replaced by the resolution of a system of polynomial equations of degree 2.

          Claimed security   q       |G|     1st approach: work factor   2nd approach: running times
DAGS_1    128 bits           $2^5$   $2^4$   $2^{70}$                    ≈ 20 min
DAGS_3    192 bits           $2^6$   $2^5$   $2^{80}$                    -
DAGS_5    256 bits           $2^6$   $2^6$   $2^{58}$                    < 1 min

  • Note. Magma implementation on personal computer.

Note 1. DAGS authors changed their proposal to be out of reach of the first version of the attack (see DAGS’ website).

Note 2. Bardet, Bertin and Otmani are currently working on improving the 2nd version. They are able to break original DAGS_3 in < 20 min.

SLIDE 52

Complexity and implementation

Questions?
