A Reaction Attack against Cryptosystems based on LRPC Codes
Gustavo Banegas, joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti
Latincrypt 2019, October 3rd, 2019
Outline
◮ Introduction
◮ Reaction Attack
◮ Our Result
◮ Conclusion
Post-quantum cryptography
Why do we need post-quantum cryptography?
Shor's Algorithm solves in polynomial time:
◮ Integer factorization; RSA is dead.
◮ The discrete-logarithm problem in finite fields; DSA is dead.
◮ The discrete-logarithm problem on elliptic curves; ECDSA is dead.
Post-quantum cryptography
What is post-quantum cryptography?
Post-quantum cryptography
Timeline
◮ 2016: NIST calls for submissions to the "Post-Quantum Cryptography Standardization Project".
◮ 2017: NIST receives 69 proper submissions.
◮ 2018-19: NIST 2nd round with 26 proposals.
◮ 17 code-based in the 1st round; 7 code-based in the 2nd round.
Code-based Cryptography
Code-based cryptography in a nutshell
[Diagram: Plaintext → linear transformation → Codeword → add errors → Ciphertext; decryption applies the inverse transformation and removes the errors.]
◮ Originally proposed by McEliece in 1978;
◮ It uses a linear code:
  ◮ Goppa codes;
  ◮ LDPC/MDPC;
  ◮ Rank Metric (LRPC);
  ◮ Several others.
Rank Metric Codes
A Low-Rank Parity-Check (LRPC) code
An LRPC code $C$ over $\mathbb{F}_{q^m}$ of length $n$, dimension $k$ and rank $d$ is described by an $(n-k) \times n$ parity-check matrix
$$H = \{h_{i,j}\} \in \mathbb{F}_{q^m}^{(n-k) \times n}.$$
◮ Each coefficient $h_{i,j}$ can be written as
$$h_{i,j} = \sum_{l=1}^{d} h_{i,j,l} F_l, \quad h_{i,j,l} \in \mathbb{F}_q,$$
where each $F_l \in \mathbb{F}_{q^m}$ and $F = \langle F_1, F_2, \cdots, F_d \rangle$ is an $\mathbb{F}_q$-subspace of $\mathbb{F}_{q^m}$.
Decoding LRPC codes
How to decode LRPC codes?
Let $s = (s_1, \ldots, s_{n-k}) \in \mathbb{F}_{q^m}^{n-k}$ be the syndrome of $e$, i.e. $He^{\top} = s$.
Decoding: recover $e$ from the knowledge of $s$.
Crucial facts:
◮ If $h_{i,j} \in F = \langle F_1, F_2, \cdots, F_d \rangle$ and $e \in E = \langle E_1, E_2, \cdots, E_r \rangle$, then $s_i \in \langle F_1E_1, F_1E_2, \ldots, F_dE_r \rangle$.
◮ Assume $S = \langle s_1, s_2, \ldots, s_{n-k} \rangle = \langle F_1E_1, F_1E_2, \ldots, F_dE_r \rangle$; then:
1. Set $S_i = F_i^{-1} \cdot S$. Then $S_i = F_i^{-1} \cdot \langle \ldots, F_iE_1, F_iE_2, \ldots, F_iE_r, \ldots \rangle \Rightarrow E = \langle E_1, E_2, \cdots, E_r \rangle \subset S_i$.
2. Find $E = S_1 \cap S_2 \cap \cdots \cap S_d$.
3. Find $e$ by solving $He^{\top} = s$.
Decoding of LRPC codes
When do decoding failures happen?
1. When $\mathrm{Dim}\langle EF \rangle < rd$: this happens with probability
$$P_1 = \frac{d}{q^{m-rd}}.$$
2. When $E \neq \bigcap_{i=1}^{d} S_i$: when $m > rd + 8$, this happens with probability $P_2 \ll 2^{-30}$.
3. When $\mathrm{Dim}\, S < rd$: this happens with probability
$$P_3 = \frac{1}{q^{n-k+1-rd}}.$$
◮ In practice usually $P_1, P_2 \ll P_3$.
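The decoding steps and the three failure conditions above, as an added Python example that is not from the talk: it works in the toy field F_{2^8} (q = 2, m = 8, chosen here rather than the talk's parameters), represents F_q-subspaces by bases of field elements, recovers E as the intersection of the S_l = F_l^{-1}·S, and reports which condition a given syndrome space S violates. All function names are this example's own. Because m = 8 does not satisfy m > rd + 8, condition 2 (E ≠ ∩ S_i) is actually observable at these toy sizes.

```python
M, POLY = 8, 0x11B  # toy field F_{2^8} with x^8+x^4+x^3+x+1 (assumed here, not the talk's parameters)

def gf_mul(a, b):  # multiply in F_{2^M}; elements are ints, bit i = coefficient of x^i
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> M:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):  # a^(2^M - 2) = a^-1 by square-and-multiply (a != 0)
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def rank(vecs):  # F_2-rank of field elements viewed as bit vectors (pivot elimination)
    piv = {}
    for v in vecs:
        while v:
            p = v.bit_length() - 1
            if p not in piv:
                piv[p] = v
                break
            v ^= piv[p]
    return len(piv)

def in_span(x, vecs):
    return rank(vecs + [x]) == rank(vecs)

def intersect(F, S):  # nonzero elements of S_1 ∩ ... ∩ S_d, where S_l = F_l^-1 . S (steps 1-2)
    S_l = [[gf_mul(gf_inv(f), s) for s in S] for f in F]
    return [x for x in range(1, 1 << M) if all(in_span(x, s) for s in S_l)]

def classify(F, E, S):  # which failure condition (if any) the syndrome space S triggers
    rd = len(F) * len(E)
    if rank([gf_mul(f, e) for f in F for e in E]) < rd:
        return "dim(EF)<rd"          # condition 1: the product space EF collapsed
    if rank(S) < rd:
        return "dim(S)<rd"           # condition 3: too few independent syndromes
    Erec = intersect(F, S)
    if rank(Erec) == len(E) and all(in_span(e, Erec) for e in E):
        return "ok"                  # intersection is exactly E; solving He^T = s then gives e
    return "E != intersection"       # condition 2: intersection strictly larger than E
```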
LRPC cryptosystems
What is an LRPC cryptosystem?
Basically any cryptosystem that
◮ uses LRPC codes (low rank of $H_{secret}$),
◮ uses $R H_{secret} = H$ to hide the secret $H_{secret}$,
◮ relies on the rank syndrome decoding problem: find $e$ such that $He^{\top} = s$ and $|e| \leq r$.
◮ LRPC cryptosystem [Gaborit et al. '13]
◮ McNie [Kim et al. '17] (NIST 1st round candidate)
◮ ROLLO (Rank-Ouroboros, LAKE and LOCKER) [Aguilar Melchor et al. '17] (NIST 2nd round candidate)
◮ Durandal [Aragon et al. '19]
Reaction attack
Sender and receiver exchange, where ✓ marks a successful decoding and ✗ a decoding failure:
Sender: $m_1, e_1, c_1 = m_1 G + e_1$ → sends $c_1$ → Receiver: ✓ ← Decode$(c_1)$
Sender: $m_2, e_2, c_2$ → sends $c_2$ → Receiver: ✓ ← Decode$(c_2)$
...
Sender: $m_t, e_t, c_t$ → sends $c_t$ → Receiver: ✗ ← Decode$(c_t)$
Receiver → Sender: "Pls resend!"
Key recovery attack
When does a decoding failure happen?
(A closer look at) the syndrome equation for LRPC: $H_{secret} e^{\top} = s$
$$s_i = \sum_{j=1}^{n} h_{i,j} e_j = \sum_{j=1}^{n} \left( \sum_{l=1}^{d} h_{i,j,l} F_l \right) \left( \sum_{u=1}^{r} e_{j,u} E_u \right) = \sum_{l=1}^{d} \sum_{u=1}^{r} F_l E_u \left( \sum_{j=1}^{n} h_{i,j,l} e_{j,u} \right), \quad \forall i \in \{1, \ldots, n-k\}.$$
In matrix form:
$$s = (F_1E_1, F_1E_2, \ldots, F_dE_r) \cdot \bar{A}_{h,e}.$$
Recall: decoding fails when $\mathrm{Dim}\, S < rd$, i.e. when $\bar{A}_{h,e}$ is not of full rank.
Our Attack
What to do with the errors?
$$v_{e_1} \cdot \bar{A}_{e_1}(h) = 0_{1 \times (n-k)}$$
$$v_{e_2} \cdot \bar{A}_{e_2}(h) = 0_{1 \times (n-k)}$$
$$\vdots$$
$$v_{e_t} \cdot \bar{A}_{e_t}(h) = 0_{1 \times (n-k)}$$
High level attack idea:
  Collect errors $e_1, e_2, \ldots, e_t$ from decryption failures
  repeat
    $h \leftarrow$ SolveSystem$(v_{e_1}, v_{e_2}, \ldots, v_{e_t}, e_1, e_2, \ldots, e_t)$
    if $h \neq \bot$ then
      Collect $\ell$ messages, errors, ciphertexts $(m_i, e_i, c_i)$
      $F, \mathrm{success} \leftarrow$ FindBasis$(h, \{(m_i, e_i, c_i)\}_{i=1}^{\ell})$
    else success $\leftarrow \bot$
  until success
  $H \leftarrow$ ReconstructMatrix$(h, F)$
  return $H$ of small rank $d$
Our Attack
How to solve the system?
$$v_{e_1} \cdot \bar{A}_{e_1}(h) = 0_{1 \times (n-k)}$$
$$v_{e_2} \cdot \bar{A}_{e_2}(h) = 0_{1 \times (n-k)}$$
$$\vdots$$
$$v_{e_t} \cdot \bar{A}_{e_t}(h) = 0_{1 \times (n-k)}$$
◮ Kernel method
  ◮ $n-k$ equations for each error $e_i$
  ◮ $nd$ unknown coefficients in $h$
  ◮ guess $v_{e_i}$ in the kernel of $\bar{A}_{e_i}(h)$
  ◮ $\Rightarrow$ linear system only in the $nd$ $h$-variables
  ◮ need to collect $t \geq \frac{nd}{n-k}$ errors from DF (decoding failures)
◮ Probability of guessing $v_{e_i}$ correctly: $P_{e_i} = \frac{q^{K_{e_i}}}{q^{rd}}$, where $q^{K_{e_i}} = |\mathrm{Ker}(\bar{A}_{e_i}(h))|$.