An Algebraic Attack on Rank Metric Code-Based Cryptosystems
Saved in:
| Title: | An Algebraic Attack on Rank Metric Code-Based Cryptosystems |
|---|---|
| Authors: | Bardet, Magali, Briaud, Pierre, Bros, Maxime, Gaborit, Philippe, Neiger, Vincent, Ruatta, Olivier, Tillich, Jean-Pierre |
| Contributors: | Equipe Combinatoire et algorithmes (LITIS - CA), Laboratoire d'Informatique, de Traitement de l'Information et des Systèmes (LITIS), Université Le Havre Normandie (ULH), Normandie Université (NU)-Normandie Université (NU)-Université de Rouen Normandie (UNIROUEN), Normandie Université (NU)-Institut national des sciences appliquées Rouen Normandie (INSA Rouen Normandie), Institut National des Sciences Appliquées (INSA)-Normandie Université (NU)-Institut National des Sciences Appliquées (INSA)-Université Le Havre Normandie (ULH), Institut National des Sciences Appliquées (INSA)-Normandie Université (NU)-Institut National des Sciences Appliquées (INSA), Cryptologie symétrique, cryptologie fondée sur les codes et information quantique (COSMIQ), Centre Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), Mathématiques & Sécurité de l'information (XLIM-MATHIS), XLIM (XLIM), Université de Limoges (UNILIM)-Centre National de la Recherche Scientifique (CNRS)-Université de Limoges (UNILIM)-Centre National de la Recherche Scientifique (CNRS), This work was supported by the ANR CBCRYPT project, grant ANR-17-CE39-0007 of the French Agence Nationale de la Recherche, and the MOUSTIC project with the support from the European Regional Development Fund (ERDF) and the Regional Council of Normandie., ANR-17-CE39-0007,CBCRYPT,Cryptographie basée sur les codes(2017) |
| Source: | EUROCRYPT 2020 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques ; https://unilim.hal.science/hal-02303015 ; EUROCRYPT 2020 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, May 2020, Zagreb / Virtual, Croatia. pp.64--93, ⟨10.1007/978-3-030-45727-3_3⟩ |
| Publisher Information: | CCSD Springer |
| Publication Year: | 2020 |
| Subject Terms: | Gröbner basis, NIST-PQC candidates, Post-quantum cryptography, Rank metric code-based cryptography, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] |
| Subject Geographic: | Zagreb / Virtual, Croatia |
| Description: | International audience ; The Rank metric decoding problem is the main problem considered in cryptography based on codes in the rank metric. Very efficient schemes based on this problem or quasi-cyclic versions of it have been proposed recently, such as those in the submissions ROLLO and RQC currently at the second round of the NIST Post-Quantum Cryptography Standardization Process. While combinatorial attacks on this problem have been extensively studied and seem now well understood, the situation is not as satisfactory for algebraic attacks, for which previous work essentially suggested that they were ineffective for cryptographic parameters. In this paper, starting from Ourivski and Johansson's algebraic modelling of the problem into a system of polynomial equations, we show how to augment this system with easily computed equations so that the augmented system is solved much faster via Groebner bases. This happens because the augmented system has solving degree $r$, $r+1$ or $r+2$ depending on the parameters, where $r$ is the rank weight, which we show by extending results from Verbel et al. (PQCrypto 2019) on systems arising from the MinRank problem; with target rank $r$, Verbel et al. lower the solving degree to $r+2$, and even less for some favorable instances that they call superdetermined. We give complexity bounds for this approach as well as practical timings of an implementation using Magma. This improves upon the previously known complexity estimates for both Groebner basis and (non-quantum) combinatorial approaches, and for example leads to an attack in 200 bits on ROLLO-I-256 whose claimed security was 256 bits. |
| Document Type: | conference object |
| Language: | English |
| DOI: | 10.1007/978-3-030-45727-3_3 |
| Availability: | https://unilim.hal.science/hal-02303015 https://unilim.hal.science/hal-02303015v3/document https://unilim.hal.science/hal-02303015v3/file/algebraic_attack_rankcbc%20%281%29.pdf https://doi.org/10.1007/978-3-030-45727-3_3 |
| Rights: | info:eu-repo/semantics/OpenAccess |
| Accession Number: | edsbas.4F4EE88B |
| Database: | BASE |
Nájsť tento článok vo Web of Science | Abstract: | International audience ; The Rank metric decoding problem is the main problem considered in cryptography based on codes in the rank metric. Very efficient schemes based on this problem or quasi-cyclic versions of it have been proposed recently, such as those in the submissions ROLLO and RQC currently at the second round of the NIST Post-Quantum Cryptography Standardization Process. While combinatorial attacks on this problem have been extensively studied and seem now well understood, the situation is not as satisfactory for algebraic attacks, for which previous work essentially suggested that they were ineffective for cryptographic parameters. In this paper, starting from Ourivski and Johansson's algebraic modelling of the problem into a system of polynomial equations, we show how to augment this system with easily computed equations so that the augmented system is solved much faster via Groebner bases. This happens because the augmented system has solving degree $r$, $r+1$ or $r+2$ depending on the parameters, where $r$ is the rank weight, which we show by extending results from Verbel et al. (PQCrypto 2019) on systems arising from the MinRank problem; with target rank $r$, Verbel et al. lower the solving degree to $r+2$, and even less for some favorable instances that they call superdetermined. We give complexity bounds for this approach as well as practical timings of an implementation using Magma. This improves upon the previously known complexity estimates for both Groebner basis and (non-quantum) combinatorial approaches, and for example leads to an attack in 200 bits on ROLLO-I-256 whose claimed security was 256 bits. |
|---|---|
| DOI: | 10.1007/978-3-030-45727-3_3 |