Attacks in code based cryptography: a survey, new results and open - PowerPoint PPT Presentation

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018

introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r, t with r < n , parity-check matrix H ∈ F r × n , s ∈ F r q q Question: ∃ ? e such that � He ⊺ s ⊺ = | e | t � where | e | = hamming weight of e = # { i ∈ � 1 , n � , e i � = 0 } . Problem NP -complete 1/52

introduction The dual problem � q : Hc ⊺ = 0 � def c ∈ F n Code C = dim C = n − r = k Input: t , C subspace of dim k of F n q , y ∈ F n q Question: ∃ ? c ∈ C such that | y − c | � t . ⊺ = Hy ⊺ = s ⊺ H ( y − c ) � �� � e = the word that we want to decode y = y − c = the error we want to find e 2/52

introduction A long-studied problem O (2 α ( k n , t Correct. t errors in a code of length n and dim. k has cost ˜ n ) n ) Author(s) Year max R,τ α ( R, τ ) Prange 1962 0.1207 Stern 1988 0.1164 Dumer 1991 0.1162 Bernstein, Lange, Peters 2011 May, Meurer and Thomae 2011 0.1114 Becker, Joux, May, Meurer 2012 0.1019 May, Ozerov 2015 0.0966 Both, May 2017 0.0953 Both, May 2018 0.0885 3/52

introduction Complexities collapse when t = o ( n ) ◮ [CantoTorres, Sendrier, 2016] complexity 2 − log(1 − R ) t (1+ o (1)) when t = o ( n ) and where R = k/n 4/52

introduction Code-based cryptography def q : Hc ⊺ = 0 } = { c ∈ F n Code C ◮ Take a code that has an efficient decoding algorithm ◮ Public key: random parity-check matrix of the code H rand = QH where Q is a random invertible matrix in F r × r q ◮ Private key: trapdoor to the efficient decoding algorithm 5/52

introduction Two approaches ◮ Pick up your favorite code (that has an efficient decoder) ◮ Choose a code/scheme with a reduction to decoding a generic linear code 6/52

introduction History ◮ 1978 McEliece: binary Goppa codes ◮ 1986 Niederreiter variant based on GRS codes ◮ 1991 Gabidulin, Paramonov, Tretjakov: Gabidulin codes ◮ 1994 Sidelnikov: Reed-Muller codes ◮ 1996 Janwa-Moreno: algebraic geometric codes ◮ 199* a zillion propositions with LDPC codes ◮ 2003 Alekhnovich: Alekhnovich system ◮ 2005 Berger-Loidreau: subcodes of GRS codes ◮ 2006 Wieschebrink, GRS codes + random columns in the generator matrix 7/52

◮ 2008 Baldi-Bodrato-Chiaraluce: LDPC based MDPC codes ◮ 2010 Bernstein, Lange, Peters: non-binary wild Goppa codes ◮ 2012 Misoczki-Tillich-Barreto-Sendrier: MDPC codes ◮ 2012 L¨ ondahl-Johansson: convolutional codes ◮ 2013 Gaborit, Murat, Ruatta, Z´ emor: LRPC codes ◮ 2014 Shrestha, Kim: polar codes ◮ 2014 Hooshmand, Shooshtari, Eghlidos, Aref: subcodes of polar codes 8/52

Code based NIST submissions in Hamming metric Algebraic codes binary Goppa codes m=1 DAGS m=2 BIG QUAKE m=3 Classic McEliece NTS−KEM RLCE−KEM pqsigRM Reed−Muller related 9/52

Code based NIST submissions in Hamming metric Non-algebraic codes • BIKE • HQC • LEDAkem • LEDApkc • Lepton • QC-MDPC • RaCoSS 10/52

Code based NIST submissions in the rank metric • Edon-K • LAKE • LOCKER • McNie • Ourobouros-R • RankSign • RQC 11/52

2. The main cryptanalytic techniques for attacking the key ◮ Finding small weight codewords in C or in C ⊥ that reveal the underlying structure ◮ Algebraic attacks ◮ Product considerations ◮ Folding techniques ◮ Computing the hull C ∩ C ⊥ 12/52

product 3. Product considerations 13/52

product Square code attacks Definition 1. [Componentwise product] Given two vectors a = ( a 1 , . . . , a n ) and b = ( b 1 , . . . , b n ) ∈ F n q , we denote by a ⋆ b the componentwise product def a ⋆ b = ( a 1 b 1 , . . . , a n b n ) Definition 2. [Product of codes & square code] The star product code denoted by A ⋆ B of A and B is the vector space spanned by all products a ⋆ b where a and b range over A and B respectively. When B = A , A ⋆ A is called the square code of A and is rather denoted by A 2 . 14/52

product Dimension of the square code A and B codes with respective bases ( a i ) and ( b j ) . 1. dim( A ⋆ B ) � dim( A ) dim( B ) (generated by the a i ⋆ b j ’s) � dim( A ) + 1 � 2. dim( A 2 ) � (generated by the a i ⋆ a j ’s with i � j ) 2 15/52

product Generalized Reed-Solomon (GRS) codes Definition 3. [Generalized Reed-Solomon code] Let k and n be integers such that 1 � k < n � q where q is a power of a prime number. The generalized Reed-Solomon code GRS k ( x , y ) of dimension k is associated to a pair ( x , y ) ∈ F n q × F n q where x is an n -tuple of distinct elements of F q and the entries y i are arbitrary nonzero elements in F q . GRS k ( x , y ) is defined as: � � def GRS k ( x , y ) = ( y 1 p ( x 1 ) , . . . , y n p ( x n )) : p ∈ F q [ X ] , deg p < k . x is the support and y the multiplier. 16/52

product GRS codes, alternant codes ◮ A GRS code corrects n − k errors. 2 Let x ∈ ( F q m ) n , y ∈ ( F q m ) n be as in the definition Definition 1. of GRS codes. The alternant code Alt r ( x , y ) is defined by def = GRS r ( x , y ) ⊥ ∩ ( F q ) n Alt r ( x , y ) � �� � GRS n − r ( x , y ′ ) Proposition 1. dim Alt r ( x , y ) n − mr � d min Alt r ( x , y ) r + 1 � 17/52

product What is wrong with generalized Reed-Solomon codes ? When C is a random code of length n , with high probability [Cascudo, Cramer, Mirandola, Z´ emor] �� dim( C ) + 1 � � dim( C 2 ) = min , n 2 When C is a generalized Reed-Solomon code dim( C 2 ) = min { 2 dim( C ) − 1 , n } 18/52

product The explanation c = ( y 1 p ( x 1 ) , . . . , y n p ( x n )) , c ′ = ( y 1 q ( x 1 ) , . . . , y n q ( x n )) ∈ GRS k ( x , y ) where p and q are two polynomials of degree at most k − 1 . c ⋆ c ′ = � � � � y 2 1 p ( x 1 ) q ( x 1 ) , . . . , y 2 y 2 1 r ( x 1 ) , . . . , y 2 n p ( x n ) q ( x n ) = n r ( x n ) where r is a polynomial of degree � 2 k − 2 . ⇒ c ⋆ c ′ ∈ GRS 2 k − 1 ( x , y 2 ) = 19/52

product The Wieschebrink attack on the Berger-Loidreau cryptosystem • known: a subcode C ⊂ GRS k ( x , y ) • unknown: x and y . If the codimension of C is small enough C ⋆ C = GRS k ( x , y ) ⋆ GRS k ( x , y ) = GRS 2 k − 1 ( x , y ′ ) The Wieschebrink attack 1. Compute C ⋆ C = GRS 2 k − 1 ( x , y ′ ) 2. Recover x and y ′ by using the Sidelnikov-Shestakov algorithm. 20/52

product Filtration attack [Couvreur, Otmani, T 2014]: Attack on wild Goppa codes when m = 2 . 21/52

product A filtration for GRS codes A new attack on McEliece based on GRS codes. known : C 0 = GRS k ( x , y ) unknown : x , y . C 0 = GRS k ( x , y ) ⊇ C 1 = GRS k − 1 ( x , y ) ⊇ · · · ⊇ C k − 1 = GRS 1 ( x , y ) The point: • C k − 1 = { α y , α ∈ F q } • y known ⇒ x by solving a linear system. 22/52

product The fundamental induction C i ⋆ C i − 2 = C i − 1 ⋆ C i − 1 C i ⋆ C i − 2 = GRS k − i ( x , y ) ⋆ GRS k − i +2 ( x , y ) = GRS 2 k − 2 i +1 ( x , y ⋆ y ) = GRS k − i +1 ( x , y ) ⋆ GRS k − i +1 ( x , y ) = C i − 1 ⋆ C i − 1 23/52

product The picture Alternant codes GRS codes m=1 m=2 m=3 Goppa codes binary Goppa codes wild Goppa codes 24/52

Code based NIST submissions in Hamming metric Algebraic codes binary Goppa codes m=1 DAGS m=2 BIG QUAKE m=3 Classic McEliece NTS−KEM RLCE−KEM pqsigRM Reed−Muller related 25/52

folding 4. Folding operation, the “Origami attack” 26/52

folding Origami attack ◮ Related to Gentry attack on NTRU-composite ◮ Applies to codes with a non trivial permutation group For σ ∈ S n , def c σ = ( c σ ( i ) ) i ∈ � 1 ,n � { c σ : c ∈ C } def C σ = σ is a permutation automorphism of C iff C σ = C 27/52

folding Examples   B (1 n ′ ) B (11) . . . . . B ( ij )   . . Parity-check matrix has a block form H = . .   B ( r ′ 1) B ( r ′ n ′ ) . . . with blocks of some size ℓ of the form     a 0 a 1 a 2 a 3 a 0 a 1 · · · a ℓ − 1     a 1 a 0 a 3 a 2 a ℓ − 1 a 0 · · · a ℓ − 2 B ( ij ) = B ( ij ) =     . . ... ...  . .    . . a 2 a 3 a 0 a 1     a 1 a 2 · · · a 0 a 3 a 2 a 1 a 0 quasi-cyclic case B ( ij ) quasidyadic case B ( ij ) s,t = a t − s (mod ℓ ) s,t = a t ⊖ s 28/52

folding Folding ◮ Folding x = w.r. to σ adding the coordinates in a same orbit of σ σ = (123)(456)(678) = ( x 1 , x 2 , x 3 , . . . , x 7 , x 8 , x 9 ) x � �� � � �� � orbit orbit x σ = ( x 1 + x 2 + x 3 , . . . , x 7 + x 8 + x 8 ) σ def = { c σ : c ∈ C } . C 29/52

folding Why is this an interesting operation ? Orbits of σ of size ℓ ◮ Code gets smaller = code of length n dim. k C code of length n/ℓ and dim. k σ → C = ℓ ◮ Words do not increase their weight | c | = w ⇒ | c σ | � w 30/52

folding Folding quasi- ∗ alternant codes/ Goppa codes ◮ [Faug` ere, Otmani, Perret, Portzamparc, T 2014] Folding the dual of a Q*-alternant or Q*-Goppa code ⇒ dual of an alternant or a Goppa code ◮ [Barelli-Couvreur 2017] Folding a Q*-alternant or a Q*-Goppa code ⇒ alternant or a Goppa code 31/52