an efficient structural attack on nist submission dags
play

An efficient structural attack on NIST submission DAGS lise Barelli 1 - PowerPoint PPT Presentation

May 27, 2023 •299 likes •822 views

An efficient structural attack on NIST submission DAGS lise Barelli 1 and Alain Couvreur 2,3 1 Universit de Versailles Saint Quentin 2 INRIA 3 LIX, cole polytechnique Asiacrypt 2018 E. Barelli, A. Couvreur Structural attack on DAGS

  1. An efficient structural attack on NIST submission DAGS Élise Barelli 1 and Alain Couvreur 2,3 1 Université de Versailles Saint Quentin 2 INRIA 3 LIX, École polytechnique Asiacrypt 2018 E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 1 / 28

  2. Context DAGS is a proposal to NIST call for post quantum cryptography. McEliece-like public key encryption scheme (+ conversion to a KEM). Based on quasi–dyadic alternant codes. Original parameters : Security Ground field Key size n dim C pub G ( Z / 2 Z ) 4 128 832 416 6.8 kB F 32 ( Z / 2 Z ) 5 192 1216 512 8.5 kB F 64 ( Z / 2 Z ) 6 256 2112 704 11.6 kB F 64 Note. Parameters have been updated (see further). E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 2 / 28

  3. Prerequisites 1 Description of the attack 2 Complexity and implementation 3 E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 3 / 28

  4. Prerequisites (Generalised) Reed–Solomon codes Definition 1 (Reed–Solomon codes) Let n , k be positive integers k � n . Let x = ( x 1 , . . . , x n ) ∈ F n q be a vector with distinct entries RS k ( x ) def = { ( f ( x 1 ) , . . . , f ( x n )) | deg( f ) < k } . E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 4 / 28

  5. Prerequisites (Generalised) Reed–Solomon codes Definition 1 (Reed–Solomon codes) Let n , k be positive integers k � n . Let x = ( x 1 , . . . , x n ) ∈ F n q be a vector with distinct entries RS k ( x ) def = { ( f ( x 1 ) , . . . , f ( x n )) | deg( f ) < k } . Definition 2 (Generalised Reed–Solomon codes) Let n , k be positive integers k � n . Let x = ( x 1 , . . . , x n ) ∈ F n q be a vector q ) n . with distinct entries and y = ( y 1 , . . . , y n ) ∈ ( F × GRS k ( x , y ) def = { ( y 1 f ( x 1 ) , . . . , y n f ( x n )) | deg( f ) < k } . E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 4 / 28

  6. Prerequisites (Generalised) Reed–Solomon codes Definition 1 (Reed–Solomon codes) Let n , k be positive integers k � n . Let x = ( x 1 , . . . , x n ) ∈ F n q be a vector with distinct entries RS k ( x ) def = { ( f ( x 1 ) , . . . , f ( x n )) | deg( f ) < k } . Definition 2 (Generalised Reed–Solomon codes) Let n , k be positive integers k � n . Let x = ( x 1 , . . . , x n ) ∈ F n q be a vector q ) n . with distinct entries and y = ( y 1 , . . . , y n ) ∈ ( F × GRS k ( x , y ) def = { ( y 1 f ( x 1 ) , . . . , y n f ( x n )) | deg( f ) < k } . Claim. For such codes one can correct up to n − k errors in polynomial 2 time. E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 4 / 28

  7. Prerequisites Alternant codes Definition 3 (Alternant codes) Let n , k be positive integers k � n . Let x = ( x 1 , . . . , x n ) ∈ F n q m be a vector q m ) n . An alternant code is a with distinct entries and y = ( y 1 , . . . , y n ) ∈ ( F × code of the form GRS r ( x , y ) ∩ F n q . E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 5 / 28

  8. Prerequisites Alternant codes Definition 3 (Alternant codes) Let n , k be positive integers k � n . Let x = ( x 1 , . . . , x n ) ∈ F n q m be a vector q m ) n . An alternant code is a with distinct entries and y = ( y 1 , . . . , y n ) ∈ ( F × code of the form GRS r ( x , y ) ∩ F n q . E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 5 / 28

  9. Prerequisites Alternant codes Definition 3 (Alternant codes) Let n , k be positive integers k � n . Let x = ( x 1 , . . . , x n ) ∈ F n q m be a vector q m ) n . An alternant code is a with distinct entries and y = ( y 1 , . . . , y n ) ∈ ( F × code of the form GRS r ( x , y ) ∩ F n q . Fact 1. Alternant codes inherit from generalised Reed–Solomon decoding algorithms. E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 5 / 28

  10. Prerequisites Alternant codes Definition 3 (Alternant codes) Let n , k be positive integers k � n . Let x = ( x 1 , . . . , x n ) ∈ F n q m be a vector q m ) n . An alternant code is a with distinct entries and y = ( y 1 , . . . , y n ) ∈ ( F × code of the form GRS r ( x , y ) ∩ F n q . Fact 1. Alternant codes inherit from generalised Reed–Solomon decoding algorithms. Fact 2. Their parameters are not as good as GRS codes, but they are much less structured which is interesting for cryptography. E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 5 / 28

  11. Prerequisites History – McEliece (1978) 1978 : McEliece’s original proposal based on binary Goppa codes (special case of alternant codes). Public key : 32kB for ≈ 80 bits of security 1 . 2018 : NIST proposal : Classic McEliece. Public key > 1 MB for > 256 bits of security. 1 With respect to Prange algorithm E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 6 / 28

  12. Prerequisites History – McEliece (1978) 1978 : McEliece’s original proposal based on binary Goppa codes (special case of alternant codes). Public key : 32kB for ≈ 80 bits of security 1 . 2018 : NIST proposal : Classic McEliece. Public key > 1 MB for > 256 bits of security. During these 40 years many attempts to get shorter keys. 1 With respect to Prange algorithm E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 6 / 28

  13. Prerequisites History – McEliece (1978) 1978 : McEliece’s original proposal based on binary Goppa codes (special case of alternant codes). Public key : 32kB for ≈ 80 bits of security 1 . 2018 : NIST proposal : Classic McEliece. Public key > 1 MB for > 256 bits of security. During these 40 years many attempts to get shorter keys. How? 1 With respect to Prange algorithm E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 6 / 28

  14. Prerequisites Idea 1 : Reducing the extension degree GRS k ( x , y ) F q m m GRS k ( x , y ) ∩ F n F q q Fact. The larger the m the worse the parameters. But: E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 7 / 28

  15. Prerequisites Idea 1 : Reducing the extension degree GRS k ( x , y ) F q m m GRS k ( x , y ) ∩ F n F q q Fact. The larger the m the worse the parameters. But: Case m = 1 is broken (Sidelnikov, Shestakov 1992); Some specific cases of m = 2 and 3 called wild Goppa codes are broken too: C., Otmani, Tillich, 2014; Faugère, Perret, de Portzamparc, 2014 E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 7 / 28

  16. Prerequisites Idea 2 : Using codes with a non trivial automorphism group Advantage. Permits to reduce the public key size with almost no incidence on the security E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 8 / 28

  17. Prerequisites Idea 2 : Using codes with a non trivial automorphism group Advantage. Permits to reduce the public key size with almost no incidence on the security w.r.t. message security attacks. E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 8 / 28

  18. Prerequisites Idea 2 : Using codes with a non trivial automorphism group Advantage. Permits to reduce the public key size with almost no incidence on the security w.r.t. message security attacks. But, may affect the security w.r.t. key recovery attacks. E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 8 / 28

  19. Prerequisites Idea 2 : Using codes with a non trivial automorphism group Advantage. Permits to reduce the public key size with almost no incidence on the security w.r.t. message security attacks. But, may affect the security w.r.t. key recovery attacks. Some tempting choices of using large groups lead to key recovery attacks: Otmani, Tillich, Dallot (2008); Faugère, Otmani, Perret, Tillich (2010); Faugère, Otmani, Perret, Tillich, de Portzamparc (2016). E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 8 / 28

  20. Prerequisites DAGS DAGS scheme’s public keys are Quasi–dyadic alternant codes. i.e. GRS k ( x , y ) ∩ F n q with an automorphism group acting as: E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 9 / 28

  21. Prerequisites DAGS DAGS scheme’s public keys are Quasi–dyadic alternant codes. i.e. GRS k ( x , y ) ∩ F n q with an automorphism group acting as: E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 10 / 28

  22. Prerequisites DAGS DAGS scheme’s public keys are Quasi–dyadic alternant codes. i.e. GRS k ( x , y ) ∩ F n q with an automorphism group acting as: E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 11 / 28

  23. Prerequisites DAGS DAGS scheme’s public keys are Quasi–dyadic alternant codes. i.e. GRS k ( x , y ) ∩ F n q with an automorphism group acting as: E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 12 / 28

  24. Prerequisites DAGS DAGS scheme’s public keys are Quasi–dyadic alternant codes. i.e. GRS k ( x , y ) ∩ F n q with an automorphism group acting as: E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 13 / 28

  25. Prerequisites DAGS DAGS scheme’s public keys are Quasi–dyadic alternant codes. i.e. GRS k ( x , y ) ∩ F n q with an automorphism group acting as: E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 14 / 28

  26. Prerequisites DAGS DAGS scheme’s public keys are Quasi–dyadic alternant codes. i.e. GRS k ( x , y ) ∩ F n q with an automorphism group acting as: E. Barelli, A. Couvreur Structural attack on DAGS Asiacrypt 2018 15 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

McNie NIST Submission Jon-Lark Kim Sogang University, S. Korea PQCRYPTO Workshop, Taipei June

McNie NIST Submission Jon-Lark Kim Sogang University, S. Korea PQCRYPTO Workshop, Taipei June

McNie NIST Submission Jon-Lark Kim Sogang University, S. Korea PQCRYPTO Workshop, Taipei June 29 2018 Outline McNie: a new code-based cryptography 1 General algorithm specification 2 Key generation Encryption Decryption Rank metric

457 views • 25 slides
THE 3 PRINCIPLES OF STRUCTURAL DESIGN FOR STRUCTURAL DETAILING DENIS H CAMILLERI BICC CPD 03/03

THE 3 PRINCIPLES OF STRUCTURAL DESIGN FOR STRUCTURAL DETAILING DENIS H CAMILLERI BICC CPD 03/03

THE 3 PRINCIPLES OF STRUCTURAL DESIGN FOR STRUCTURAL DETAILING DENIS H CAMILLERI BICC CPD 03/03 dhcamill@maltanet.net Structural Detailing in the DESIGN OFFICE 1 PRINCIPLE 1 EFFICIENT STRUCTURAL SYSTEMS Membrane stresses are under

425 views • 10 slides
Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256 the power of free precomputation discrete-log attack algorithm? D. J. Bernstein ECDL input: P-256 points P , University of Illinois at

1.13k views • 86 slides
Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J. Kai-Tsay CRYPTO August 2012 BLUF (Bottom Line Up

584 views • 42 slides
Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J.-K. Tsay CRYPTO August 2012 BLUF (Bottom Line Up

602 views • 19 slides
Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure Metering Issues and Extensions Real World Other Directions Metering for General Access Structures Understanding the model Audit Agency

480 views • 35 slides
NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST had awarded larger ESPC ($45M) with 4 ECMs the previous year (June 2015) Non-selected ECM was fixed-tilt, ground-mounted solar array on federal

559 views • 17 slides
AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng

AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng

AI AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng Xiao 2 , Zhichun Li 3 , Kangkook Jee 3 , Fengyuan Xu 4 , Sanjeev R. Kulkarni 1 , Prateek Mittal 1 1 Princeton University 2 Case Western Reserve

800 views • 34 slides
ENERGY EFFICIENT SENSOR PLACEMENT FOR MONITORING STRUCTURAL HEALTH Mohammed Najeeb A 1, * and

ENERGY EFFICIENT SENSOR PLACEMENT FOR MONITORING STRUCTURAL HEALTH Mohammed Najeeb A 1, * and

ENERGY EFFICIENT SENSOR PLACEMENT FOR MONITORING STRUCTURAL HEALTH Mohammed Najeeb A 1, * and Vrinda Gupta 2 1 M.Tech Student, Department of Electronics and Communication Engineering, National Institute of Technology Kurukshetra, Haryana, India;

194 views • 15 slides
Efficient Structural Adder Pipelining in Transposed Form FIR Filters International Conference on

Efficient Structural Adder Pipelining in Transposed Form FIR Filters International Conference on

Efficient Structural Adder Pipelining in Transposed Form FIR Filters International Conference on Digital Signal Processing 23 July 2015 Mathias Faust , Martin Kumm * , Chip-Hong Chang and Peter Zipf * Nanyang Technological

476 views • 33 slides
Scheduling Multi-Periodic Mixed-Criticality DAGs on Multi-Core Architectures Roberto MEDINA

Scheduling Multi-Periodic Mixed-Criticality DAGs on Multi-Core Architectures Roberto MEDINA

Scheduling Multi-Periodic Mixed-Criticality DAGs on Multi-Core Architectures Roberto MEDINA Etienne BORDE Laurent PAUTET December 13, 2018 1/28 Outline Research Context Problem Statement Scheduling MC-DAGs on multi-cores Case Study

799 views • 31 slides
Efficient DHT attack mitigation through peers ID distribution Thibault Cholez, Isabelle

Efficient DHT attack mitigation through peers ID distribution Thibault Cholez, Isabelle

Introduction Analysis of IDs distribution DHT attacks detection &amp; mitigation Conclusion Efficient DHT attack mitigation through peers ID distribution Thibault Cholez, Isabelle Chrisment and Olivier Festor { thibault.cholez,

493 views • 25 slides
DAGs with NO TEARS Continuous Optimization for Structure Learning Xun Zheng Bryon Aragam

DAGs with NO TEARS Continuous Optimization for Structure Learning Xun Zheng Bryon Aragam

DAGs with NO TEARS Continuous Optimization for Structure Learning Xun Zheng Bryon Aragam Pradeep Ravikumar Eric Xing Machine Learning Department Carnegie Mellon University November 28, 2018 Xun Zheng (CMU) DAGs with NO TEARS November 28,

723 views • 11 slides
NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov ICANN Meeting Oct. 15 th , 2014 Los Angeles CA First, A Bit of History 2011 USG DNSSEC Tiger Team has a 2 nd goal: authenticated email

308 views • 4 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day &gt;&gt; exploitation of the device &gt;&gt; the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Structural Object Programming Model: Enabling Efficient Development on Massively Parallel

Structural Object Programming Model: Enabling Efficient Development on Massively Parallel

Structural Object Programming Model: Enabling Efficient Development on Massively Parallel Architectures Mike Butts, Laurent Bonetto, Brad Budlong, Paul Wasson HPEC 2008 September 2008 Introduction HPEC systems run compute-intensive

553 views • 34 slides
A (truly) universal differential equation Amaury Pouly Joint work with Olivier Bournez and Daniel

A (truly) universal differential equation Amaury Pouly Joint work with Olivier Bournez and Daniel

A (truly) universal differential equation Amaury Pouly Joint work with Olivier Bournez and Daniel Graa Travel supported by NSF DMS-1952694 14 february 2020 1 / 24 What is a computer? 2 / 24 What is a computer? 2 / 24 What is a computer?

1.52k views • 123 slides
Tense MV-algebras and related functions Jan Paseka Michal Botur Department of Mathematics and

Tense MV-algebras and related functions Jan Paseka Michal Botur Department of Mathematics and

Introduction Basic notions and definitions Dyadic numbers and MV-terms Filters, ultrafilters and the term tr Semistates on MV-algebras Functions between MV-algebras and their construction The main theorem and its applications Tense MV-algebras

1.59k views • 121 slides
Computable dyadic subbases Arno Pauly and Hideki Tsuiki Second Workshop on Mathematical Logic and

Computable dyadic subbases Arno Pauly and Hideki Tsuiki Second Workshop on Mathematical Logic and

Computable dyadic subbases Arno Pauly and Hideki Tsuiki Second Workshop on Mathematical Logic and its Applications 5-9 March 2018, Kanazawa Arno Pauly and Hideki Tsuiki Computable dyadic subbases Kanazawa, March 2018 1 / 24 What is atomic

611 views • 45 slides
Vectors and Matrices Basilio Bona DAUIN Politecnico di Torino October 2013 B. Bona (DAUIN)

Vectors and Matrices Basilio Bona DAUIN Politecnico di Torino October 2013 B. Bona (DAUIN)

Vectors and Matrices Basilio Bona DAUIN Politecnico di Torino October 2013 B. Bona (DAUIN) Vectors and Matrices October 2013 1 / 40 1. Geometrical vectors A geometrical vector p represents a point P in space. The point P is an

512 views • 40 slides
600.405 Finite-State Methods in NLP Assignment 2: Semirings etc. Solution Set Prof. J.

600.405 Finite-State Methods in NLP Assignment 2: Semirings etc. Solution Set Prof. J.

600.405 Finite-State Methods in NLP Assignment 2: Semirings etc. Solution Set Prof. J. Eisner Fall 2000 1. (a) Assume a, b K are both identities for . Then a b = a because b is an identity, and a b = b because a is an

135 views • 9 slides
Theory of Computation Course note based on Computability, Complexity, and Languages: Fundamentals

Theory of Computation Course note based on Computability, Complexity, and Languages: Fundamentals

Context-Free Languages (10) Theory of Computation Course note based on Computability, Complexity, and Languages: Fundamentals of Theoretical Computer Science , 2nd edition, authored by Martin Davis, Ron Sigal, and Elaine J. Weyuker. course note

319 views • 30 slides
Sofic-Dyck shifts Marie-Pierre B eal, Michel Blockelet and C at alin Dima Universit

Sofic-Dyck shifts Marie-Pierre B eal, Michel Blockelet and C at alin Dima Universit

Sofic-Dyck shifts Marie-Pierre B eal, Michel Blockelet and C at alin Dima Universit e Paris-Est Laboratoire dinformatique Gaspard-Monge UMR 8049 Laboratoire dalgorithmique, complexit e et logique EQINOCS Meeting, January

615 views • 36 slides
Non-projective axioms for pregroup grammars as cut eliminations Denis B echet

Non-projective axioms for pregroup grammars as cut eliminations Denis B echet

Non-projective axioms for pregroup grammars as cut eliminations Denis B echet Denis.Bechet@univ-nantes.fr LINA, University of Nantes Joachim Lambek Mathematics, Logic and Language Chieti, 89 July 2011 p. 1 Non-projective

397 views • 24 slides

More recommend