An efficient structural attack on NIST submission DAGS (slides)

  1. An efficient structural attack on NIST submission DAGS. Élise Barelli (1) and Alain Couvreur (2,3). (1) Université de Versailles Saint Quentin, (2) INRIA, (3) LIX, École polytechnique. Asiacrypt 2018. E. Barelli, A. Couvreur, Structural attack on DAGS, Asiacrypt 2018, 1 / 28

  2. Context. DAGS is a proposal to the NIST call for post-quantum cryptography. McEliece-like public key encryption scheme (+ conversion to a KEM). Based on quasi-dyadic alternant codes. Original parameters:

     Security | n    | dim C_pub | Key size | Ground field | G
     128      | 832  | 416       | 6.8 kB   | F_32         | (Z/2Z)^4
     192      | 1216 | 512       | 8.5 kB   | F_64         | (Z/2Z)^5
     256      | 2112 | 704       | 11.6 kB  | F_64         | (Z/2Z)^6

     Note. Parameters have been updated (see further).

  3. Outline. 1 Prerequisites. 2 Description of the attack. 3 Complexity and implementation.

  4–6. Prerequisites: (Generalised) Reed–Solomon codes.
     Definition 1 (Reed–Solomon codes). Let $n, k$ be positive integers, $k \le n$. Let $x = (x_1, \dots, x_n) \in \mathbb{F}_q^n$ be a vector with distinct entries. $\mathrm{RS}_k(x) \stackrel{\text{def}}{=} \{ (f(x_1), \dots, f(x_n)) \mid \deg(f) < k \}$.
     Definition 2 (Generalised Reed–Solomon codes). Let $n, k$ be positive integers, $k \le n$. Let $x = (x_1, \dots, x_n) \in \mathbb{F}_q^n$ be a vector with distinct entries and $y = (y_1, \dots, y_n) \in (\mathbb{F}_q^\times)^n$. $\mathrm{GRS}_k(x, y) \stackrel{\text{def}}{=} \{ (y_1 f(x_1), \dots, y_n f(x_n)) \mid \deg(f) < k \}$.
     Claim. For such codes one can correct up to $\frac{n-k}{2}$ errors in polynomial time.

  7–10. Prerequisites: Alternant codes.
     Definition 3 (Alternant codes). Let $n, k$ be positive integers, $k \le n$. Let $x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n$ be a vector with distinct entries and $y = (y_1, \dots, y_n) \in (\mathbb{F}_{q^m}^\times)^n$. An alternant code is a code of the form $\mathrm{GRS}_r(x, y) \cap \mathbb{F}_q^n$.
     Fact 1. Alternant codes inherit the generalised Reed–Solomon decoding algorithms.
     Fact 2. Their parameters are not as good as those of GRS codes, but they are much less structured, which is interesting for cryptography.
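As an added example (not from the slides, and not DAGS or the authors' code), the following Python builds $\mathrm{GRS}_r(x,y)$ over GF(16) (so $q = 2$, $m = 4$) and computes the dimension of the alternant code $\mathrm{GRS}_r(x,y) \cap \mathbb{F}_2^n$ of Definition 3 from a parity-check matrix of the GRS code, showing how much dimension the subfield subcode loses against the GRS code (Fact 2). The instance ($x$ = the 15 nonzero elements of GF(16), $y$ = all ones, field polynomial $a^4 + a + 1$) is constructed for this example.

```python
POLY, M = 0b10011, 4  # GF(16) = F_2[a]/(a^4 + a + 1), extension degree m = 4 over F_2; bit i = coefficient of a^i
def gf_mul(u, v):
    r = 0
    while v:  # shift-and-add multiplication, reducing modulo POLY
        if v & 1:
            r ^= u
        v, u = v >> 1, u << 1
        if u & 0x10:
            u ^= POLY
    return r

def gf_pow(u, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, u)
    return r

def grs_parity_check(x, y, r):
    # GRS_r(x,y)^perp = GRS_{n-r}(x,y') with y'_i = 1/(y_i prod_{j!=i}(x_i - x_j)): its rows [y'_i x_i^j], j < n-r, check GRS_r(x,y)
    n = len(x)
    yp = []
    for i in range(n):
        d = y[i]
        for xj in x[:i] + x[i + 1:]:
            d = gf_mul(d, x[i] ^ xj)  # subtraction is XOR in characteristic 2
        yp.append(gf_pow(d, 14))      # d^(16-2) = 1/d
    return [[gf_mul(yp[i], gf_pow(x[i], j)) for i in range(n)] for j in range(n - r)]

def gf2_rank(rows):
    # Rank over F_2 of rows given as bit masks (Gaussian elimination on Python ints).
    pivots = {}
    for v in rows:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return len(pivots)

def alternant_dim(x, y, r):
    # dim over F_2 of GRS_r(x,y) ∩ F_2^n: binary c is in GRS_r(x,y) iff H c = 0 over GF(16), and splitting each entry of H into its M bits gives M checks over F_2
    bin_rows = [sum(1 << i for i, h in enumerate(row) if (h >> bit) & 1)
                for row in grs_parity_check(x, y, r) for bit in range(M)]
    return len(x) - gf2_rank(bin_rows)

# Constructed instance: n = 15, x = all nonzero elements of GF(16) (a = 2 is primitive), y = (1, ..., 1).
X, Y = [gf_pow(2, i) for i in range(15)], [1] * 15
for r in (14, 13, 12, 11, 10):  # dim GRS_r = r over GF(16) vs. its binary subfield subcode
    print(f"r={r}: dim alternant={alternant_dim(X, Y, r)}, lower bound n-m(n-r)={15 - M * (15 - r)}")
```

For this instance the subfield subcode is a binary BCH code of length 15 with zeros $\alpha, \dots, \alpha^{15-r}$, so r = 13 gives dimension 11 and r = 12 gives dimension 7, well below the GRS dimension r and, for larger m, the generic bound n − m(n − r) becomes vacuous, which is the point of Idea 1 below.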

  11–13. Prerequisites: History – McEliece (1978).
     1978: McEliece's original proposal based on binary Goppa codes (a special case of alternant codes). Public key: 32 kB for ≈ 80 bits of security [1].
     2018: NIST proposal: Classic McEliece. Public key > 1 MB for > 256 bits of security.
     During these 40 years, many attempts to get shorter keys. How?
     [1] With respect to Prange's algorithm.

  14–15. Prerequisites: Idea 1: Reducing the extension degree.
     Diagram: $\mathrm{GRS}_k(x, y)$, a code over $\mathbb{F}_{q^m}$, is sent by taking the subfield subcode (extension degree $m$) to $\mathrm{GRS}_k(x, y) \cap \mathbb{F}_q^n$, a code over $\mathbb{F}_q$.
     Fact. The larger the $m$, the worse the parameters. But:
     Case $m = 1$ is broken (Sidelnikov, Shestakov 1992);
     Some specific cases of $m = 2$ and $3$, called wild Goppa codes, are broken too: Couvreur, Otmani, Tillich, 2014; Faugère, Perret, de Portzamparc, 2014.

  16–19. Prerequisites: Idea 2: Using codes with a non-trivial automorphism group.
     Advantage. Permits reducing the public key size with almost no incidence on the security w.r.t. message security attacks.
     But, it may affect the security w.r.t. key recovery attacks. Some tempting choices of using large groups lead to key recovery attacks: Otmani, Tillich, Dallot (2008); Faugère, Otmani, Perret, Tillich (2010); Faugère, Otmani, Perret, Tillich, de Portzamparc (2016).

  20–26. Prerequisites: DAGS. DAGS scheme's public keys are quasi-dyadic alternant codes, i.e. $\mathrm{GRS}_k(x, y) \cap \mathbb{F}_q^n$ with an automorphism group acting as: [figure on the slides]
