
1 Introduction

In 1978, in the seminal article [21], McEliece designed a public key encryption scheme relying on the hardness of the bounded decoding problem [7], i.e. on the hardness of decoding an arbitrary code. For a long time, this scheme was considered impractical because of the huge size of its public keys compared to public key encryption schemes relying on algorithmic number theoretic problems. The trend changed in the last decade because of the progress of quantum computing and the increasing threat that, in the near future, a quantum computer will be able to break the usual cryptographic primitives based on number theoretic problems. Evidence for this change of trend is the recent call of the National Institute of Standards and Technology (NIST) for post quantum cryptography. The majority of the submissions to this call are based either on codes or on lattices.

After forty years of research on code based cryptography, one can identify two general trends for instantiating McEliece’s scheme. The first one consists in using codes from probabilistic constructions such as MDPC codes [1, 23]. The other one consists in using algebraic codes such as Goppa codes or, more generally, alternant codes. A major difference between these two families of proposals is that the first one, based on MDPC codes, benefits in some cases from clean security reductions to the decoding problem.

Concerning McEliece instantiations based on algebraic codes, which include McEliece’s original proposal based on binary Goppa codes, two approaches have been considered in order to address the drawback of large public key sizes. On the one hand, some proposals suggested replacing Goppa or alternant codes by more structured codes such as generalised Reed-Solomon (GRS) codes [24], their low dimensional subcodes [6], or GRS codes to which various transformations have been applied [2, 29, 30]. It turns out that most of these proposals have been subject to polynomial time key-recovery attacks [9, 13, 28, 31]. In addition, proposals based on Goppa codes which are close to GRS codes, namely Goppa codes with a low extension degree m, have been the target of some structural attacks [12, 17]. On the other hand, many proposals suggest the use of codes with a non trivial automorphism group [5, 18, 22, 26]. Some of these proposals have been either partially or completely broken [15, 16, 25]. In particular, precautions should be taken in the design of such proposals, since the knowledge of a non trivial automorphism group of the public code facilitates algebraic attacks by significantly reducing the degrees and the number of variables of the algebraic system to solve in order to recover the secret key.

Among the recent submissions to the NIST call for post quantum cryptography, a proposal called DAGS [3] is based on the use of quasi-dyadic (QD) generalised Srivastava codes with extension degree \(m = 2\). By quasi-dyadic we mean that the permutation group of the code is of the form \((\mathbb {Z}/ 2\mathbb {Z})^\gamma \) for some positive integer \(\gamma \). Moreover, generalised Srivastava codes form a proper subclass of alternant codes. The DAGS proposal takes advantage of both usual techniques to reduce the size of the keys: first, by using alternant codes which are close to generalised Reed-Solomon codes, i.e. with extension degree 2; second, by using codes with a large permutation group. In terms of security with respect to key recovery attacks, DAGS parameters are chosen to be out of reach of the algebraic attacks [15, 16]. In addition, it should be emphasised that the choice of alternant codes which are not Goppa codes keeps the scheme out of reach of the distinguisher by shortening and squaring used in [12].

Our Contribution. In this article, we present an attack breaking McEliece instantiations based on alternant codes with extension degree 2 and a large permutation group. This attack recovers the secret key in \(O\left( n^{3+\frac{2q}{|\mathcal {G}|}}\right) \) operations in \(\mathbb {F}_q\), where \(\mathcal {G}\) denotes the permutation group, n the code length and \(\mathbb {F}_q\) the base field of the public code. The key step of the attack consists in finding a certain subcode of the public code, referred to as \(\mathscr {D}\). From this code \(\mathscr {D}\), and using an operation we call the conductor, the secret key can easily be recovered. For this main step, we present two ways to proceed: the first approach is based on a partial brute force search, while the second one is based on the resolution of a polynomial system of degree 2. An analysis of the work factor of this attack using the first approach shows that DAGS keys with respective estimated security levels of 128, 192 and 256 bits can be broken with respective approximate work factors \(2^{70}, 2^{80}\) and \(2^{58}\). For the second approach, we were not able to provide a complexity analysis. However, its practical implementation using Magma [8] is impressively efficient on some DAGS parameters. In particular, it breaks keys with a claimed 256 bit security level in less than one minute!

This attack is a novel and original manner to recover the structure of alternant codes by jointly taking advantage of the permutation group and the small size of the extension degree. Even though one variant of the attack relies on the resolution of a polynomial system, this system has nothing to do with those of the algebraic attacks of [15,16,17]. On the other hand, although this attack shares some common points with that of [12], where the Schur product of codes (see Sect. 3 for a definition) plays a crucial role, the keys we break in the present article are out of reach of a distinguisher by shortening and squaring, and hence our attack differs from the filtration attacks of [10, 12].

It is worth noting that repairing the DAGS scheme so that it resists the present attack is possible. Recently, the authors presented new parameter sets which are out of reach of the first version of the attack. These new parameters are available in the current version of the proposal (Footnote 1).

2 Notation and Prerequisites

2.1 Subfield Subcodes and Trace Codes

Definition 1

Given a code \(\mathscr {C}\) of length n over \(\mathbb {F}_{q^m}\), its subfield subcode is the subcode of vectors whose entries all lie in \(\mathbb {F}_q\), that is the code:

$$\mathscr {C}\cap \mathbb {F}_q^n.$$

The trace code is the image of the code under the component-wise trace map.

Let us recall a classical and well-known result on subfield subcodes and trace codes.

Theorem 1

(Delsarte Theorem [14]). Let \(\mathscr {C}\subseteq \mathbb {F}_{q^m}^n\) be a code. Then

2.2 Generalised Reed-Solomon Codes and Alternant Codes

Notation 1

Let q be a prime power and k a positive integer. We denote by \(\mathbb {F}_q[z]_{<k}\) the vector space of polynomials over \(\mathbb {F}_q\) of degree less than k. Let m be a positive integer; we will consider codes over \(\mathbb {F}_{q^m}\) together with their subfield subcodes over \(\mathbb {F}_q\). In Sect. 3 and further, we will focus particularly on the case \(m=2\).

Definition 2

(Supports and multipliers). A vector \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) whose entries are pairwise distinct is called a support. A vector \({\varvec{y}}\in \mathbb {F}_{q^m}^n\) whose entries are all nonzero is referred to as a multiplier.

Definition 3

(Generalised Reed-Solomon codes). Let n be a positive integer, \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support and \({\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a multiplier. The generalised Reed-Solomon (GRS) code with support \({\varvec{x}}\) and multiplier \({\varvec{y}}\) of dimension k is defined as

When \({\varvec{y}}= {\varvec{1}}\), the code is a Reed-Solomon code and is denoted as \({\mathbf {RS}}_{k}({\varvec{x}})\).

The dual of a GRS code is a GRS code too. This is made explicit in Lemma 1 below. Let us first introduce an additional notation.

Notation 2

Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support. We define the polynomial \(\pi _{{\varvec{x}}} \in \mathbb {F}_{q^m}[z]\) as

Lemma 1

Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a support and a multiplier of length n and \(k \leqslant n\). Then

$$ {\mathbf {GRS}}_{k}({\varvec{x}},{\varvec{y}})^\perp = {\mathbf {GRS}}_{n-k}({\varvec{x}},{\varvec{y}}^{\perp }), $$

where

and \(\pi _{{\varvec{x}}}'\) denotes the derivative of the polynomial \(\pi _{{\varvec{x}}}\).

Definition 4

(Alternant code). Let \(m,\ n\) be positive integers such that \(n \leqslant q^m\). Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support, \({\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a multiplier and r be a positive integer. The alternant code of support \({\varvec{x}}\), multiplier \({\varvec{y}}\) and degree r over \(\mathbb {F}_q\) is defined as

The integer m is referred to as the extension degree of the alternant code.

As a direct consequence of Lemma 1 and Definition 4, we get the following explicit description of an alternant code.

$$\begin{aligned} \mathscr {A}_{r}({\varvec{x}},{\varvec{y}}) = \left\{ \left. \left( \frac{1}{\pi _{{\varvec{x}}}'(x_i) y_i} f(x_i)\right) _{i = 1, \ldots , n} ~\right| ~ f \in \mathbb {F}_{q^m}[z]_{< n - r} \right\} \cap \mathbb {F}_q^n. \end{aligned}$$
(1)

Next, by duality and using Delsarte’s Theorem (Theorem 1), we have

$$\begin{aligned} \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp = \text {Tr}_{\mathbb {F}_{q^m}/\mathbb {F}_q} \left( \left\{ \left. \left( y_i g(x_i)\right) _{i = 1, \ldots , n} ~\right| ~g \in \mathbb {F}_{q^m}[z]_{<r} \right\} \right) . \end{aligned}$$
(2)

We refer the reader to [20, Chap. 12] for further properties of alternant codes. Recall that the code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) defined in Definition 4 has dimension \(k \geqslant n-mr\) and equality holds in general. Moreover, these codes benefit from efficient decoding algorithms correcting up to \(\lfloor \frac{r}{2} \rfloor \) errors (see [20, Chap. 12 Sect. 9]).

Fully Non Degenerate Alternant Codes. We conclude this subsection on alternant codes by a definition which is useful in the sequel.

Definition 5

An alternant code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) is said to be fully non degenerate if it satisfies the two following conditions.

(i) A generator matrix of \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) has no zero column.

(ii) \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}}) \ne \mathscr {A}_{r+1}({\varvec{x}},{\varvec{y}})\).

Most of the time, an alternant code is fully non degenerate.

2.3 Punctured and Shortened Codes

The notions of puncturing and shortening are classical ways to build new codes from existing ones. We recall here their definition.

Definition 6

Let \(\mathscr {C}\) be a code of length n and \(\mathcal {I}\subseteq \{1, \ldots , n\}\). The puncturing and the shortening of \(\mathscr {C}\) at \(\mathcal {I}\) are respectively defined as the codes

Let us finish by recalling the following classical result.

Notation 3

Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a vector and \(\mathcal {I}\subseteq \{1, \ldots , n\}\). Then, the vector \({\varvec{x}}_{\mathcal {I}}\) denotes the vector obtained from \({\varvec{x}}\) by removing the entries whose indices are in \(\mathcal {I}\).

Proposition 1

Let m, r be positive integers. Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^m}^n\) be as in Definition 4. Let \(\mathcal {I}\subseteq \{1, \ldots , n\}\). Then

$$ \mathcal {S}_{\mathcal {I}}\left( \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\right) = \mathscr {A}_{r}({\varvec{x}}_{\mathcal {I}},{\varvec{y}}_{\mathcal {I}}). $$

Proof

See for instance [12, Proposition 9].    \(\square \)

2.4 Quasi-dyadic Codes, Quasi-dyadic Alternant Codes

Quasi-dyadic (QD) codes are codes with a nontrivial permutation group isomorphic to \((\mathbb {Z}/2\mathbb {Z})^\gamma \) for some positive integer \(\gamma \). Such a code has length \(n = 2^\gamma n_0\). The permutation group of the code is composed of permutations, each one being a product of transpositions with disjoint supports. The example of interest in the present article is the case of QD-alternant codes. In what follows, we explain how to create them.

Notation 4

From now on, q denotes a power of 2 and \(\ell \) denotes the positive integer such that \(q = 2^\ell \).

  • Let \(\mathcal {G}\subset \mathbb {F}_{q^m}\) be an additive subgroup with \(\gamma \) generators, i.e. \(\mathcal {G}\) is an \(\mathbb {F}_2\)-vector subspace of \(\mathbb {F}_{q^m}\) of dimension \(\gamma \) with an \(\mathbb {F}_2\)-basis \(a_1, \ldots , a_\gamma \). Clearly, as an additive group, \(\mathcal {G}\) is isomorphic to \((\mathbb {Z}/2\mathbb {Z})^\gamma \). The group \(\mathcal {G}\) acts on \(\mathbb {F}_{q^m}\) by translation: for any \(a \in \mathcal {G}\), we denote by \(\tau _a\) the translation

    $$ \tau _a : \left\{ \begin{array}{ccc} \mathbb {F}_{q^m} &{} \longrightarrow &{} \mathbb {F}_{q^m} \\ x &{} \longmapsto &{} x+a \end{array} \right. . $$
  • Using the basis \((a_1, \ldots , a_\gamma )\), we fix an ordering in \(\mathcal {G}\) as follows. Any element \(u_1 a_1 + \cdots + u_\gamma a_\gamma \in \mathcal {G}\) can be regarded as an element \((u_1, \ldots , u_\gamma )\in (\mathbb {Z}/2\mathbb {Z})^\gamma \) and we sort them by lexicographic order. For instance, if \(\gamma =3\):

    $$ 0< a_1< a_2< a_1 + a_2< a_3< a_1 + a_3< a_2 + a_3 < a_1 + a_2 + a_3. $$
  • Let \(n = 2^\gamma n_0\) for some positive \(n_0\) and such that \(n \leqslant q^m\). Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support which splits into \(n_0\) blocks of \(2^\gamma \) elements of \(\mathbb {F}_{q^m}\), each block being an orbit under the action of \(\mathcal {G}\) by translation on \(\mathbb {F}_{q^m}\) sorted using the previously described ordering. For instance, suppose \(\gamma = 2\), then such an \({\varvec{x}}\) is of the form,

    $$\begin{aligned} \begin{array}{rl} {\varvec{x}}= &{} (t_1, t_1+a_1, t_1+a_2, t_1+a_1+a_2, \ldots ,\\ &{} \qquad \ldots , t_{n_0}, t_{n_0}+a_1, t_{n_0}+a_2, t_{n_0}+a_1+a_2), \end{array} \end{aligned}$$
    (3)

    where the \(t_i\)’s are chosen to have disjoint orbits under the action of \(\mathcal {G}\) by translation on \(\mathbb {F}_{q^m}\).

  • Let \({\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a multiplier which also splits into \(n_0\) blocks of length \(2^\gamma \) whose entries are equal.

  • Let r be a positive integer and consider the code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\).

  • The set of entries of \({\varvec{x}}\) is globally invariant under the action of \(\mathcal {G}\) by translation. In particular, for any \(a \in \mathcal {G}\), the translation \(\tau _a\) induces a permutation of the code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\). We refer to this permutation as \(\sigma _a\). For instance, in the setting of Example (3), the permutations \(\sigma _{a_1}\) and \(\sigma _{a_1+a_2}\) are respectively of the form

    $$\begin{aligned} \sigma _{a_1}&= (1,2)(3,4) \cdots (n-3, n-2)(n-1, n)\\ \sigma _{a_1+a_2}&= (1, 4)(2, 3) \cdots (n-3, n)(n-2, n-1). \end{aligned}$$

    The group of permutations \(\{\sigma _a ~|~ a\in \mathcal {G}\}\) is isomorphic to \(\mathcal {G}\) and hence to \((\mathbb {Z}/2\mathbb {Z})^\gamma \). For convenience, we also denote this group of permutations by \(\mathcal {G}\).

Proposition 2

For any \(r >0\), the code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) is quasi-dyadic.

Proof

See for instance [27, Chap. 5].    \(\square \)

2.5 Invariant Subcode of a Quasi-dyadic Code

Definition 7

Given a code \(\mathscr {C}\) with a non-trivial permutation group \(\mathcal {G}\), we define the code \({\mathscr {C}}^{\mathcal {G}}\) as the subcode of \(\mathscr {C}\):

The invariant subcode has repeated entries since on any orbit of the support under the action of \(\mathcal {G}\), the entries of a codeword are equal. This motivates an alternative definition of the invariant code where repetitions have been removed.

Definition 8

In the context of Definition 7, let \(\varvec{c}\in \mathbb {F}_{q^m}^n\) be a vector such that for any \(\sigma \in \mathcal {G}\), \(\sigma (\varvec{c}) = \varvec{c}\). We denote by \(\overline{\varvec{c}}\) the vector obtained by keeping only one entry per orbit under the action of \(\mathcal {G}\) on the support. We define the invariant code with non repeated entries as

We are interested in the structure of the invariant code of QD alternant codes. To study this structure, we first need to recall some basic notions about additive polynomials.

Additive polynomials

Definition 9

An additive polynomial \(P\in \mathbb {F}_{q^m}[z]\) is a polynomial whose monomials are all of the form \(z^{2^i}\) for \(i \geqslant 0\). Such a polynomial satisfies \(P(a+b) = P(a)+ P(b)\) for any \(a, b \in \mathbb {F}_{q^m}\).

The zero locus of an additive polynomial in \(\mathbb {F}_{q^m}\) is an additive subgroup of \(\mathbb {F}_{q^m}\) and such polynomials satisfy some interpolation properties.

Proposition 3

Let \(\mathcal {G}\subset \mathbb {F}_{q^m}\) be an additive group of cardinality \(2^\gamma \). There exists a unique additive polynomial \(\psi _\mathcal {G}\in \mathbb {F}_{q^m}[z]\) which is monic of degree \(2^\gamma \) and vanishes at any element of \(\mathcal {G}\).

Proof

See [19, Proposition 1.3.5 & Lemma 1.3.6].    \(\square \)

Notation 5

From now on, given an additive subgroup \(\mathcal {G}\subseteq \mathbb {F}_{q^m}\), we always denote by \(\psi _\mathcal {G}\) the unique monic additive polynomial of degree \(|\mathcal {G}|\) in \(\mathbb {F}_{q^m}[z]\) that vanishes on \(\mathcal {G}\).

Invariant of a Quasi-dyadic Alternant Code. It turns out that the invariant code with non repeated entries of a QD alternant code is an alternant code too. This relies on the following classical result of invariant theory for which a simple proof can be found in [15].

Theorem 2

Let \(f \in \mathbb {F}_{q^m}[z]\) and \(\mathcal {G}\subset \mathbb {F}_{q^m}\) be an additive subgroup. Suppose that for any \(a \in \mathcal {G}\), \(f(z) = f(z+a)\). Then, there exists \(h \in \mathbb {F}_{q^m}[z]\) such that \(f(z) = h(\psi _\mathcal {G}(z))\), where \(\psi _\mathcal {G}\) is the monic additive polynomial of degree \(|\mathcal {G}|\) vanishing at any element of \(\mathcal {G}\).

This entails the following result on the structure of the invariant code of an alternant code. We refer to Definition 8 for the notation in the following statement.

Theorem 3

Let \(\mathscr {C}= \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) be a QD-alternant code with permutation group \(\mathcal {G}\) of order \(2^\gamma \). Set \(r' = \left\lfloor \frac{r}{2^{\gamma }} \right\rfloor \). Then,

$$ \overline{\mathscr {C}}^{\mathcal {G}} = \mathscr {A}_{r'}(\overline{\psi _\mathcal {G}({\varvec{x}})}, \overline{{\varvec{y}}}). $$

Proof

See [4].   \(\square \)
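The constructions of Sects. 2.4 and 2.5 only use the additive structure of \(\mathbb {F}_{q^m}\) plus a little polynomial arithmetic, so they can be checked on a toy instance. The Python code below is an added example and is not part of the paper or of the DAGS submission: it builds the ordered group \(\mathcal {G}\) from an \(\mathbb {F}_2\)-basis, the support \({\varvec{x}}\) of (3), the permutations \(\sigma _a\), and the additive polynomial \(\psi _\mathcal {G}\) of Proposition 3, then checks that \(\psi _\mathcal {G}({\varvec{x}})\) is constant on each orbit, which is what makes the folded support \(\overline{\psi _\mathcal {G}({\varvec{x}})}\) of Theorem 3 well defined. It assumes \(\mathbb {F}_{q^m} = \mathbb {F}_{16}\) (\(q = 4\), \(m = 2\)) represented as the integers 0..15 in polynomial basis with modulus \(x^4 + x + 1\), so that field addition is bitwise XOR; the basis \((a_1, a_2) = (1, 2)\), the orbit representatives \(t_i = 4, 8, 12\) and all function names are the example's own choices.

```python
# Added example (not from the paper): quasi-dyadic support of Sect. 2.4, the
# permutations sigma_a it induces, and the additive polynomial psi_G of Sect. 2.5.
# Assumption: F_{q^m} = F_16 (q = 4, m = 2) as integers 0..15, polynomial basis,
# modulus x^4 + x + 1, so that addition is XOR.  All names are the example's own.
MOD = 0b10011  # x^4 + x + 1 (constructed choice of irreducible polynomial)

def gf_mul(a, b):
    """Multiplication in F_16: carry-less product reduced by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= MOD
    return r

def ordered_group(basis):
    """Elements of G = <a_1, ..., a_gamma> in the paper's ordering: the element
    u_1 a_1 + ... + u_gamma a_gamma sits at index u_1 + 2 u_2 + ... + 2^(gamma-1) u_gamma,
    which yields 0 < a_1 < a_2 < a_1+a_2 < a_3 < ... as in Sect. 2.4."""
    gamma = len(basis)
    elems = []
    for i in range(2 ** gamma):
        a = 0
        for j in range(gamma):
            if (i >> j) & 1:
                a ^= basis[j]
        elems.append(a)
    if len(set(elems)) != 2 ** gamma:
        raise ValueError("basis is not F_2-linearly independent")
    return elems

def qd_support(basis, reps):
    """Support x of Eq. (3): n_0 blocks t_i + G, each block in the group ordering."""
    G = ordered_group(basis)
    x = [t ^ a for t in reps for a in G]
    if len(set(x)) != len(x):
        raise ValueError("representatives t_i must have disjoint orbits under G")
    return x

def sigma(x, a):
    """Permutation of positions induced by translation by a: p[i] = index of x_i + a."""
    pos = {v: i for i, v in enumerate(x)}
    return [pos[v ^ a] for v in x]

def compose(p, q):
    """Permutation p followed by q."""
    return [q[i] for i in p]

def transpositions(p):
    """Decomposition of an involution into disjoint transpositions (1-based positions)."""
    out, seen = [], set()
    for i, j in enumerate(p):
        if i not in seen and i != j:
            out.append((i + 1, j + 1))
            seen.update((i, j))
    return out

def poly_mul(f, g):
    """Product of polynomials over F_16 (coefficient lists, lowest degree first)."""
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] ^= gf_mul(fi, gj)
    return out

def psi(G):
    """Monic polynomial prod_{a in G} (z + a) (z - a = z + a in characteristic 2);
    by Proposition 3 this is the additive polynomial psi_G."""
    f = [1]
    for a in G:
        f = poly_mul(f, [a, 1])
    return f

def poly_eval(f, v):
    """Horner evaluation of f at v in F_16."""
    r = 0
    for c in reversed(f):
        r = gf_mul(r, v) ^ c
    return r

def is_additive(f):
    """True if every nonzero monomial of f has exponent 2^i (Definition 9)."""
    return all(c == 0 or (i > 0 and (i & (i - 1)) == 0) for i, c in enumerate(f))

def folded_support(basis, reps):
    """psi_G(x) is constant on each orbit; keep one entry per orbit (Theorem 3)."""
    G = ordered_group(basis)
    x = qd_support(basis, reps)
    values = [poly_eval(psi(G), v) for v in x]
    blocks = [values[i:i + len(G)] for i in range(0, len(x), len(G))]
    if any(len(set(b)) != 1 for b in blocks):
        raise AssertionError("psi_G is not constant on an orbit")
    return [b[0] for b in blocks]
```

On the support built from basis (1, 2) and representatives 4, 8, 12, `transpositions(sigma(x, 1))` returns (1,2)(3,4)...(11,12) and `transpositions(sigma(x, 3))` returns (1,4)(2,3)...(9,12)(10,11), the shapes of \(\sigma _{a_1}\) and \(\sigma _{a_1+a_2}\) displayed in Sect. 2.4, and `compose(sigma(x, 1), sigma(x, 2)) == sigma(x, 3)` confirms that \(a \mapsto \sigma _a\) is a group homomorphism. For \(\mathcal {G}= \{0, 1, 2, 3\}\) the polynomial returned by `psi` is \(z^4 + 7z^2 + 6z\) (coefficients in the integer encoding), which indeed only has monomials \(z^{2^i}\), and `folded_support` returns three distinct values, one per orbit.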

2.6 DAGS

Among the schemes recently submitted to NIST, the submission DAGS [3] uses as a primitive a McEliece encryption scheme based on QD generalised Srivastava codes. It is well known that generalised Srivastava codes form a subclass of alternant codes [20, Chap. 12]. Therefore, this proposal lies in the scope of the attack presented in what follows.

Parameters proposed in DAGS submission are listed in Table 1.

Table 1. Parameters proposed in DAGS.

Let us recall what the parameters \(q, m, n, n_0, k, k_0, \gamma , r_0\) stand for:

  • q denotes the size of the base field of the alternant code;

  • m denotes the extension degree. Hence the GRS code above the alternant code is defined over \(\mathbb {F}_{q^m}\);

  • n denotes the length of the QD alternant code;

  • \(n_0\) denotes the length of the invariant code with non repeated entries \(\overline{\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}}\), where \(\mathcal {G}\) denotes the permutation group;

  • k denotes the dimension of the QD alternant code;

  • \(k_0\) denotes the dimension of the invariant code;

  • \(\gamma \) denotes the number of generators of \(\mathcal {G}\), i.e. \(\mathcal {G}\simeq (\mathbb {Z}/2\mathbb {Z})^{\gamma }\);

  • \(r_0\) denotes the degree of the invariant code with non repeated entries, which is alternant according to Theorem 3.

Remark 1

The indices \(\mathtt{1}, \mathtt{3}\) and \(\mathtt{5}\) in the parameter names correspond to security levels according to NIST’s call. Level 1 corresponds to 128 bits of security with a classical computer, Level 3 to 192 bits of security and Level 5 to 256 bits of security.

In addition to the parameter sets of Table 1, we introduce smaller parameters of our own choosing, listed in Table 2. They do not correspond to claimed secure instantiations of the scheme, but they allowed us to test some of our assumptions by computer aided calculations.

Table 2. Small scale parameters, not proposed in DAGS.

3 Schur Products

From now on and unless otherwise specified, the extension degree m will be equal to 2. This is the case for every parameter set proposed in DAGS.

3.1 Product of Vectors

The component wise product of two vectors in \(\mathbb {F}_q^n\) is denoted by

$$ \varvec{a}\star \varvec{b}{\mathop {=}\limits ^{\text {def}}}(a_1b_1, \ldots , a_n b_n). $$

Next, for any positive integer t we define \(\varvec{a}^{\star t}\) as

$$ \varvec{a}^{\star t} {\mathop {=}\limits ^{\text {def}}}\underbrace{\varvec{a}\star \cdots \star \varvec{a}}_{t\ \text {times}}. $$

More generally, given a polynomial \(P\in \mathbb {F}_q[z]\) we define \(P(\varvec{a})\) as the vector \((P(a_1), \ldots , P(a_n))\). In particular, given \(\varvec{a}\in \mathbb {F}_{q^2}^n\), we denote by \(\text {Tr}(\varvec{a})\) and \(\text {N}(\varvec{a})\) the vectors obtained by applying respectively the trace and the norm map component by component:

$$\begin{aligned} \text {Tr}(\varvec{a})&{\mathop {=}\limits ^{\text {def}}}(a_1 + a_1^q , \ldots , a_n + a_n^q)\\ \text {N}(\varvec{a})&{\mathop {=}\limits ^{\text {def}}}(a_1^{q+1}, \ldots , a_n^{q+1}). \end{aligned}$$

Finally, the all one vector \((1, \ldots , 1)\), which is the unit vector of the algebra \(\mathbb {F}_q^n\) with operations \(+\) and \(\star \) is denoted by \({\varvec{1}}\).

3.2 Schur Product of Codes

The Schur product of two codes \(\mathscr {A}\) and \(\mathscr {B} \subseteq \mathbb {F}_q^n\) is defined as

$$ \mathscr {A} \star \mathscr {B} {\mathop {=}\limits ^{\text {def}}}{\left\langle \varvec{a}\star \varvec{b}~|~ \varvec{a}\in \mathscr {A}, \ \varvec{b}\in \mathscr {B} \right\rangle }_{\mathbb {F}_q}. $$

In particular, \(\mathscr {A}^{\star 2}\) denotes the square code of a code \(\mathscr {A}\): \(\mathscr {A}^{\star 2}{\mathop {=}\limits ^{\text {def}}}\mathscr {A} \star \mathscr {A}\).

3.3 Schur Products of GRS and Alternant Codes

The behaviour of GRS codes and of some alternant codes with respect to the Schur product is very different from that of random codes. This provides a manner to distinguish GRS codes from random ones and leads to a cryptanalysis of GRS based encryption schemes [9, 13, 31]. Some alternant codes, namely wild Goppa codes with extension degree 2, have also been subject to a cryptanalysis based on Schur product computations [11, 12].

Here we recall an elementary but crucial result.

Theorem 4

Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support and \({\varvec{y}}, {\varvec{y}}' \in \mathbb {F}_{q^m}^n\) be multipliers. Let \(k, k'\) be two positive integers, then

$$ {\mathbf {GRS}}_{k}({\varvec{x}},{\varvec{y}}) \star {\mathbf {GRS}}_{k'}({\varvec{x}},{\varvec{y}}') = {\mathbf {GRS}}_{k+k'-1}({\varvec{x}},{\varvec{y}}\star {\varvec{y}}'). $$

Proof

See for instance [9, Proposition 6].   \(\square \)

4 Conductors

In this section, we introduce a fundamental object in the attack to follow. This object was already used in [10, 12] without being named. We chose here to call it conductor. The rationale behind this terminology is explained in Remark 2.

Definition 10

Let \(\mathscr {C}\) and \(\mathscr {D}\) be two codes of length n over \(\mathbb {F}_q\). The conductor of \(\mathscr {D}\) into \(\mathscr {C}\) is defined as the largest code \(\mathscr {Z}\subseteq \mathbb {F}_q^n\) such that \(\mathscr {D}\star \mathscr {Z}\subseteq \mathscr {C}\). That is:

Proposition 4

Let \(\mathscr {D}, \mathscr {C}\subseteq \mathbb {F}_q^n\) be two codes, then

$$ \mathbf {Cond}(\mathscr {D}, \mathscr {C}) = {\left( \mathscr {D} \star \mathscr {C}^\perp \right) }^\perp . $$

Proof

See [10, 12].    \(\square \)

Remark 2

The terminology conductor has been borrowed from number theory in which the conductor of two subrings \(\mathcal O, \mathcal O'\) of the ring of integers \(\mathcal O_K\) of a number field K is the largest ideal \(\mathfrak P\) of \(\mathcal O_K\) such that \(\mathfrak P \cdot \mathcal O \subseteq \mathcal O'\).

4.1 Conductors of GRS Codes

Proposition 5

Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a support and a multiplier. Let \(k \leqslant k'\) be two integers less than n. Then,

$$ \mathbf {Cond}({\mathbf {GRS}}_{k}({\varvec{x}},{\varvec{y}}), {\mathbf {GRS}}_{k'}({\varvec{x}},{\varvec{y}})) = {\mathbf {RS}}_{k'-k+1}({\varvec{x}}). $$

Proof

Let \(\mathscr {E}\) denote the conductor. From Proposition 4 and Lemma 1,

$$ \mathscr {E}^\bot = {\mathbf {GRS}}_{k}({\varvec{x}},{\varvec{y}}) \star {\mathbf {GRS}}_{n-k'}({\varvec{x}},{\varvec{y}}^\bot ) = {\mathbf {GRS}}_{n-k'+k-1}({\varvec{x}},{\varvec{y}} \star {\varvec{y}}^\bot ). $$

Note that

$$ {\varvec{y}} \star {\varvec{y}}^\bot = \left( \frac{1}{\pi _{{\varvec{x}}}' (x_1)}, \ldots , \frac{1}{\pi _{{\varvec{x}}}'(x_n)}\right) . $$

Then, using Lemma 1 again, we get

$$ \mathscr {E}= {\mathbf {GRS}}_{k'-k+1}({\varvec{x}},{({\varvec{y}} \star {\varvec{y}}^\bot )}^\bot ) = {\mathbf {RS}}_{k'-k+1}({\varvec{x}}). $$

   \(\square \)

Let us emphasize a very interesting aspect of Proposition 4. We considered the conductor of a GRS code into another one with the same support and multiplier. The point is that the conductor does not depend on \({\varvec{y}}\). Hence computing a conductor gets rid of the multiplier and yields a much easier code to study: a Reed-Solomon code.

4.2 An Illustrative Example: Recovering the Structure of GRS Codes Using Conductors

Before presenting the attack on QD-alternant codes, we first describe a manner to recover the structure of a GRS code. This may help the reader to understand the spirit of the attack to follow.

Suppose we know a generator matrix of a code \(\mathscr {C}_k = {\mathbf {GRS}}_{k}({\varvec{x}},{\varvec{y}})\) where \(({\varvec{x}}, {\varvec{y}})\) are unknown. In addition, suppose that we know a generator matrix of the subcode \(\mathscr {C}_{k-1} = {\mathbf {GRS}}_{k-1}({\varvec{x}},{\varvec{y}})\) which has codimension 1 in \(\mathscr {C}_k\). First compute the conductor

$$ \mathscr {X}= \mathbf {Cond}(\mathscr {C}_{k-1}, \mathscr {C}_k). $$

From Proposition 5, the conductor \(\mathscr {X}\) equals \({\mathbf {RS}}_{2}({\varvec{x}})\). This code has dimension 2 and is spanned by \({\varvec{1}}\) and \({\varvec{x}}\). We claim that, from the knowledge of \(\mathscr {X}\), a pair \(({\varvec{x}}', {\varvec{y}}')\) such that \(\mathscr {C}_k = {\mathbf {GRS}}_{k}({\varvec{x}}',{\varvec{y}}')\) can be found easily by using techniques which are very similar to those presented further in Sect. 6.6.

Of course, there is no reason we should know both \({\mathbf {GRS}}_{k}({\varvec{x}},{\varvec{y}})\) and \({\mathbf {GRS}}_{k-1}({\varvec{x}},{\varvec{y}})\). However, we will see further on that the quasi-dyadic structure makes it possible to find interesting subcodes whose conductor may reveal the secret structure of the code.
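The toy attack of this subsection, together with Theorem 4 and Propositions 4 and 5 on which it rests, can be run end to end on a small instance. The Python code below is an added example and is not the paper's own code: it implements GRS codes, Schur products of codes and the conductor formula \(\mathbf {Cond}(\mathscr {D}, \mathscr {C}) = (\mathscr {D}\star \mathscr {C}^\perp )^\perp \), then recovers \(({\varvec{x}}', {\varvec{y}}')\) from \(\mathscr {C}_k\) and \(\mathscr {C}_{k-1}\). It works over a prime field \(\mathbb {F}_{31}\) rather than the binary fields of the paper, an assumption made here so that field arithmetic is plain modular arithmetic (none of the statements involved depend on the characteristic). The way \({\varvec{y}}'\) is recovered, namely as the generator of the second conductor \(\mathbf {Cond}({\mathbf {RS}}_{k}({\varvec{x}}'), \mathscr {C}_k)\), is the example's own choice and not the technique of Sect. 6.6; the length, dimension, support, multiplier and all function names are constructed.

```python
# Added example (not from the paper): GRS codes, Schur products and conductors
# over a small prime field F_P, and the toy structure recovery of Sect. 4.2.
# Using a prime P instead of the paper's F_{2^l} is an assumption made here.
P = 31  # constructed field size, larger than the code length used below

def inv(a):
    """Multiplicative inverse in F_P (Fermat)."""
    return pow(a, P - 2, P)

def rref(rows):
    """Reduced row echelon form over F_P: returns (basis rows, pivot columns)."""
    rows = [[v % P for v in r] for r in rows]
    ncols = len(rows[0]) if rows else 0
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        s = inv(rows[r][c])
        rows[r] = [(v * s) % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % P for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows[:r], pivots

def dual(gen, n):
    """Basis of the dual of the code spanned by the rows of gen (length n)."""
    basis, pivots = rref(gen)
    out = []
    for f in [c for c in range(n) if c not in pivots]:
        v = [0] * n
        v[f] = 1
        for row, pc in zip(basis, pivots):
            v[pc] = (-row[f]) % P
        out.append(v)
    return out

def star(a, b):
    """Component-wise (Schur) product of two vectors."""
    return [(u * v) % P for u, v in zip(a, b)]

def grs(k, x, y):
    """Generator matrix of GRS_k(x, y) = {(y_i f(x_i))_i : deg f < k}."""
    return [[(yi * pow(xi, j, P)) % P for xi, yi in zip(x, y)] for j in range(k)]

def schur(A, B):
    """Basis of the Schur product code A * B (span of all a * b)."""
    return rref([star(a, b) for a in A for b in B])[0]

def conductor(D, C, n):
    """Cond(D, C) = (D * C^perp)^perp, Proposition 4."""
    return dual(schur(D, dual(C, n)), n)

def same_code(A, B):
    return rref(A)[0] == rref(B)[0]

def recover_grs(Ck, Ck1, n, k):
    """Toy attack of Sect. 4.2: from generator matrices of C_k = GRS_k(x, y) and
    of its subcode C_{k-1} = GRS_{k-1}(x, y), return (x', y') with
    GRS_k(x', y') = C_k.  Recovering y' via a second conductor is this
    example's own choice, not the paper's Sect. 6.6 technique."""
    one = [1] * n
    # Proposition 5: Cond(C_{k-1}, C_k) = RS_2(x) = <1, x>, independent of y.
    X = rref(conductor(Ck1, Ck, n))[0]
    if len(X) != 2 or not same_code(X, [one] + X):
        raise ValueError("conductor is not the expected 2-dimensional RS code")
    # In reduced echelon form the second basis vector has a zero entry, so it
    # is not a multiple of 1: it equals a*x + b with a != 0, and RS_k(a*x+b) = RS_k(x).
    xp = X[1]
    # Cond(RS_k(x'), C_k) = y * Cond(RS_k(x'), RS_k(x')) = y * RS_1(x') = <y>
    # (Proposition 5 with k = k'), so the second conductor is spanned by y.
    Y = conductor(grs(k, xp, one), Ck, n)
    if len(Y) != 1 or 0 in Y[0]:
        raise ValueError("could not isolate the multiplier")
    return xp, Y[0]

def demo():
    """Constructed instance: n = 12, k = 5, support 1..12, a fixed multiplier."""
    n, k = 12, 5
    x = list(range(1, n + 1))
    y = [3, 7, 1, 12, 5, 30, 2, 9, 4, 6, 11, 8]
    Ck, Ck1 = grs(k, x, y), grs(k - 1, x, y)
    xp, yp = recover_grs(Ck, Ck1, n, k)
    return same_code(grs(k, xp, yp), Ck)
```

`demo()` returns `True`: the recovered pair generates exactly the public code \(\mathscr {C}_k\). The same helpers check Theorem 4 directly, e.g. `schur(grs(3, x, y), grs(4, x, y2))` has dimension \(3 + 4 - 1 = 6\), and Proposition 5, e.g. `conductor(grs(3, x, y), grs(7, x, y), n)` equals `grs(5, x, one)` whatever nonzero multiplier `y` is used. The recovered support \({\varvec{x}}'\) is an affine image \(a{\varvec{x}}+ b\) of the secret one, which is the expected ambiguity since such maps leave every Reed-Solomon code invariant.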

4.3 Conductors of Alternant Codes

When dealing with alternant codes, having an exact description of the conductors as in Proposition 5 becomes difficult. We can at least prove the following statement.

Proposition 6

Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^2}^n\) be a support and a multiplier. Let \(r'\geqslant r\) be two positive integers. Then,

$$\begin{aligned} {\mathbf {RS}}_{r'-r+1}({\varvec{x}}) \cap \mathbb {F}_q^n \subseteq \mathbf {Cond}(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}}), \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})). \end{aligned}$$
(4)

Proof

Consider the Schur product

$$\begin{aligned} \left( {\mathbf {RS}}_{r'-r+1}({\varvec{x}}) \cap \mathbb {F}_q^n \right) \star&\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}}) \\&= \left( {\mathbf {RS}}_{r'-r+1}({\varvec{x}}) \cap \mathbb {F}_q^n \right) \star ({\mathbf {GRS}}_{n-r'}({\varvec{x}},{\varvec{y}}^\perp ) \cap \mathbb {F}_q^n)\\&\subseteq ({\mathbf {RS}}_{r'-r+1}({\varvec{x}}) \star {\mathbf {GRS}}_{n-r'}({\varvec{x}},{\varvec{y}}^\perp )) \cap \mathbb {F}_q^n. \end{aligned}$$

Next, using Theorem 4,

$$\begin{aligned} \left( {\mathbf {RS}}_{r'-r+1}({\varvec{x}}) \cap \mathbb {F}_q^n \right) \star \mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})&\subseteq {\mathbf {GRS}}_{n-r}({\varvec{x}},{\varvec{y}}^\perp ) \cap \mathbb {F}_q^n\\&\subseteq \mathscr {A}_{r}({\varvec{x}},{\varvec{y}}). \end{aligned}$$

The last inclusion is a consequence of Lemma 1 and Definition 4.   \(\square \)

4.4 Why the Straightforward Generalisation Of the Illustrative Example Fails for Alternant Codes

Compared to Proposition 5, Proposition 6 provides only an inclusion. However, we observed experimentally that equality frequently holds.

On the other hand, even if inclusion (4) were an equality, the attack described in Sect. 3.2 could not be straightforwardly generalised to alternant codes. Indeed, suppose we know two alternant codes with consecutive degrees \(\mathscr {A}_{r+1}({\varvec{x}},{\varvec{y}})\) and \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\). Then, Proposition 6 would yield

$$\begin{aligned} {\mathbf {RS}}_{2}({\varvec{x}}) \cap \mathbb {F}_q^n \subseteq \mathbf {Cond}(\mathscr {A}_{r+1}({\varvec{x}},{\varvec{y}}), \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})). \end{aligned}$$
(5)

Suppose that the above inclusion is actually an equality; as just noted, this is what happens in general. The point is that as soon as \({\varvec{x}}\) has one entry in \(\mathbb {F}_{q^2}\setminus \mathbb {F}_q\), then \({\mathbf {RS}}_{2}({\varvec{x}}) \cap \mathbb {F}_q^n\) is reduced to the code spanned by \({\varvec{1}}\) and hence cannot provide any relevant information.

The previous discussion shows that, if we want to generalise the toy attack described in Sect. 4.2 to alternant codes, we cannot use a pair of alternant codes with consecutive degrees. In light of Proposition 6, the gap between the degrees r and \(r'\) of the two alternant codes should be large enough to provide a non trivial conductor. A sufficient condition for this is that \({\mathbf {RS}}_{r'-r+1}({\varvec{x}}) \cap \mathbb {F}_q^n\) is non trivial. This motivates the introduction of a code we called the norm trace code.

4.5 The Norm-Trace Code

Notation 6

In what follows, we fix \(\alpha \in \mathbb {F}_{q^2}\) such that \(\text {Tr}(\alpha ) = 1\). In particular, \((1, \alpha )\) forms an \(\mathbb {F}_q\)-basis of \(\mathbb {F}_{q^2}\).

Definition 11

(Norm trace code). Let \({\varvec{x}}\in \mathbb {F}_{q^2}^n\) be a support. The norm-trace code is defined as

This norm trace code turns out to be the code we will extract from the public key by conductor computations. To relate it with the previous discussions, we have the following statement whose proof is straightforward.

Proposition 7

Let \({\varvec{x}}\in \mathbb {F}_{q^2}^n\) be a support. Then, for any \(k > q+1\), we have

(6)

Remark 3

In addition to this statement, we observed experimentally that for \(2q+1> k > q+1\) inclusion (6) is in general an equality.

4.6 Summary and a Heuristic

First, let us summarise the previous discussions.

  • If we know a pair of alternant codes \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) and \(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) such that \(q < r'-r\), then \(\mathbf {Cond}(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}}), \mathscr {A}_{r}({\varvec{x}},{\varvec{y}}))\) is non trivial since, according to Proposition 6 and to (6), it contains the norm-trace code.

  • Experimentally, we observed that if \(q< r' - r < 2q\), then, almost every time, we have

  • One problem remains: given an alternant code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\), how to get a subcode \(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) in order to apply the previous results? This will be explained in Sects. 5 and 6 in which we show that for quasi-dyadic alternant codes it is possible to get a subcode \(\mathscr {D}\subseteq \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) such that \(\mathscr {D}\subseteq \mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) for some \(r'\) satisfying \(r'-r > q+1\).

    Moreover, it turns out that \(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) can be replaced by a subcode without changing the result of the previous discussions. This is what is argued in the following heuristic.

Heuristic 1

In the context of Proposition 6, suppose that \(q< r'-r < 2q\). Let \(\mathscr {D}\) be a subcode of \(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) such that

  (i) \(\dim \mathscr {D}\cdot \dim \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \geqslant n\);

  (ii) \(\mathscr {D}\not \subset \mathscr {A}_{r'+1}({\varvec{x}},{\varvec{y}})\);

  (iii) a generator matrix of \(\mathscr {D}\) has no zero column.

Then, with a high probability,

Let us give some evidence for this heuristic. From Proposition 4,

$$ \mathbf {Cond}(\mathscr {D}, \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})) = {\left( \mathscr {D} \star \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \right) }^\perp . $$

From (2), we have \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp = \text {Tr}_{\mathbb {F}_{q^2}/\mathbb {F}_q} ({\mathbf {GRS}}_{r}({\varvec{x}},{\varvec{y}})). \) Since \(\mathscr {D}\) is a code over \(\mathbb {F}_q\) and by the \(\mathbb {F}_q\)-linearity of the trace map, we get

$$ \mathscr {D} \star \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp = \text {Tr}_{\mathbb {F}_{q^2}/\mathbb {F}_q} \left( \mathscr {D} \star {\mathbf {GRS}}_{r}({\varvec{x}},{\varvec{y}})\right) . $$

Since \(\mathscr {D}\subseteq \mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\), it follows from (1) that \(\mathscr {D}\) is a subset of a GRS code. Namely,

$$ \mathscr {D}\subseteq {\mathbf {GRS}}_{n-r'}({\varvec{x}},{\varvec{y}}^\perp ),\quad \mathrm{where}\quad {\varvec{y}}^\perp = \left( \frac{1}{\pi _{{\varvec{x}}}'(x_1)y_1}, \ldots , \frac{1}{\pi _{{\varvec{x}}}'(x_n)y_n} \right) . $$

Therefore, thanks to Theorem 4, we get

$$\begin{aligned} \mathscr {D} \star \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \subseteq \text {Tr}_{\mathbb {F}_{q^2}/\mathbb {F}_q} \left( {\mathbf {GRS}}_{n-r'+r-1}({\varvec{x}},{\varvec{y}} \star {\varvec{y}}^\perp )\right) . \end{aligned}$$
(7)

Note that \(\mathscr {D} \star \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \) is spanned by \(\dim \mathscr {D}\cdot \dim \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \) generators, which are obtained by computing the Schur products of elements of a basis of \(\mathscr {D}\) by elements of a basis of \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \). By (i), the number of such generators exceeds n. For this reason, it is reasonable to hope that this Schur product fills the target code, that is,

$$ \mathscr {D} \star \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp = \text {Tr}_{\mathbb {F}_{q^2}/\mathbb {F}_q} \left( {\mathbf {GRS}}_{n-r'+r-1}({\varvec{x}},{\varvec{y}} \star {\varvec{y}}^\perp ) \right) . $$

Next, we have

$$ {\varvec{y}} \star {\varvec{y}}^\perp = \left( \frac{1}{\pi _{{\varvec{x}}}'(x_1)}, \ldots , \frac{1}{\pi _{{\varvec{x}}}'(x_n)} \right) . $$

Therefore, using Lemma 1, we conclude that

$$ \left( {\mathscr {D} \star \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp }\right) ^\perp = {\mathbf {RS}}_{r'-r+1}({\varvec{x}}) \cap \mathbb {F}_q^n. $$

Using Remark 3, we get the result.

Remark 4

Assumption (ii) rules out the situation where the conductor could be the subfield subcode of a larger Reed-Solomon code. Assumption (iii) rules out the presence of words of weight 1 in the conductor, which would not be elements of a Reed-Solomon code.

Further Discussion on the Heuristic. In all our computer experiments, we never observed any phenomenon contradicting this heuristic.

5 Fundamental Degree Properties of the Invariant Subcode of a QD Alternant Code

A crucial statement for the attack is:

Theorem 5

Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^2}^n\) be a support and a multiplier. Let s be an integer of the form \(s = 2^\gamma s_0\). Suppose that \(\mathscr {A}_{s_0}(\overline{\psi _{\mathcal {G}}({\varvec{x}})},\overline{{\varvec{y}}})\) is fully non degenerate (see Definition 5 and Sect. 2.5 for notation \(\psi _\mathcal {G}\) and \(\overline{{\varvec{y}}}\)). Then,

  (a) \({\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}} \subseteq \mathscr {A}_{s + |\mathcal {G}| - 1}({\varvec{x}},{\varvec{y}});\)

  (b) \({\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}} \not \subseteq \mathscr {A}_{s + |\mathcal {G}|}({\varvec{x}},{\varvec{y}}).\)

Proof

From (1), we have

$$ \mathscr {A}_{s}({\varvec{x}},{\varvec{y}}) = \left\{ \left. \left( \frac{1}{y_i \pi _{{\varvec{x}}}'(x_i)}f(x_i)\right) _{i=1, \ldots , n} ~\right| ~f \in \mathbb {F}_{q^2}[z]_{< n - s} \right\} \cap \mathbb {F}_q^n. $$

This code is obtained by evaluation of polynomials of degree up to

$$n - s - 1 = (2^\gamma (n_0 - s_0) - 1).$$

From Theorem 2, the invariant codewords of \(\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})\) come from evaluations of polynomials of the form \(h \circ \psi _\mathcal {G}\). Such polynomials have a degree that is a multiple of \(\deg \psi _\mathcal {G}= 2^\gamma \) and hence their degree cannot exceed \(2^\gamma (n_0 - s_0 - 1)\). Thus, they should lie in \(\mathbb {F}_{q^2}[z]_{\leqslant n-s -|\mathcal {G}|} = \mathbb {F}_{q^2}[z]_{<n-s-|\mathcal {G}|+1}\). This leads to

$$\begin{aligned} {\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}}&\subseteq \left\{ \left. \left( \frac{1}{y_i \pi _{{\varvec{x}}}'(x_i)} f(x_i)\right) _{i = 1, \ldots , n} ~\right| ~ f\in \mathbb {F}_{q^2}[z]_{<n-s-|\mathcal {G}|+1} \right\} \cap \mathbb {F}_q^n\\&\subseteq \mathscr {A}_{s + |\mathcal {G}| - 1}({\varvec{x}},{\varvec{y}}). \end{aligned}$$

This proves (a).

To prove (b), note that the assumption on \(\mathscr {A}_{s_0}(\overline{\psi _\mathcal {G}({\varvec{x}})},\overline{{\varvec{y}}})\) asserts the existence of \(f \in \mathbb {F}_{q^2}[z]_{< n_0 - s_0}\) such that \(\deg f = n_0 - s_0 - 1\) and \(f(\overline{\psi _\mathcal {G}({\varvec{x}})}) \in \mathbb {F}_q^{n_0}\). Thus, \(f(\psi _\mathcal {G}({\varvec{x}})) \in \mathbb {F}_q^n\) and \(\deg (f \circ \psi _\mathcal {G}) = n -s - |\mathcal {G}|\). Therefore \(f (\psi _\mathcal {G}({\varvec{x}})) \in {\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}}\), and \({\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}}\) contains an element of \(\mathscr {A}_{s+ |\mathcal {G}| -1}({\varvec{x}},{\varvec{y}})\) that is not in \(\mathscr {A}_{s+|\mathcal {G}|}({\varvec{x}},{\varvec{y}})\).   \(\square \)

6 Presentation of the Attack

6.1 Context

Recall that the extension degree is always \(m = 2\). The public code is the QD alternant code

$$ {\mathscr {C}_{\text {pub}}}{\mathop {=}\limits ^{\text {def}}}\mathscr {A}_{r}({\varvec{x}},{\varvec{y}}), $$

with a permutation group \(\mathcal {G}\) of cardinality \(|\mathcal {G}| = 2^\gamma \). As in Sect. 2.6, the code has length \(n = n_0 2^\gamma \), dimension k and is defined over a field \(\mathbb {F}_q\) with \(q = 2^\ell \) for some positive integer \(\ell \). The degree r of the alternant code is also a multiple of \(|\mathcal {G}| = 2^\gamma \) and hence is of the form \(r = r_0 2^\gamma \). We suppose from now on that the classical lower bound on the dimension k is reached, i.e. \(k = n -2r\). This always holds for the parameters proposed in [3]. We finally set \(k_0 = k/2^\gamma \). In summary, we have the following notation:

$$\begin{aligned} n = n_0 2^\gamma , \quad k = k_0 2^\gamma , \quad r = r_0 2^\gamma . \end{aligned}$$
(8)

6.2 The Subcode \(\mathscr {D}\)

We introduce a subcode \(\mathscr {D}\) of \({\mathscr {C}_{\text {pub}}}\) and prove that its knowledge makes it possible to compute the norm-trace code. This code \(\mathscr {D}\) is unknown to the attacker, and we will see in Sect. 7 that the time-consuming part of the attack consists in guessing it.

Definition 12

Suppose that \(|\mathcal {G}| \leqslant q\). We define the code \(\mathscr {D}\) as

Remark 5

For parameters suggested in DAGS, we always have \(|\mathcal {G}| \leqslant q\), with strict inequality for DAGS_1 and DAGS_3 and equality for DAGS_5.

Remark 6

The case \(q < |\mathcal {G}|\), which never holds for the DAGS suggested parameters, would be particularly easy to treat. In such a situation, possibly replacing \(\mathcal {G}\) by a subgroup, one can suppose that \(|\mathcal {G}| = 2q\). Next, according to Theorem 5 and Heuristic 1, we would have

which would provide a very simple manner to compute .

The following results are the key to the attack. Theorem 6 explains why this subcode \(\mathscr {D}\) is of deep interest and how it can be used to recover the norm-trace code, from which the secret key can be recovered (see Sect. 6.6). Theorem 7 explains why this subcode \(\mathscr {D}\) can be computed in a reasonable time thanks to the QD structure. Indeed, it shows that even if \(\mathscr {D}\) has a large codimension as a subcode of \({\mathscr {C}_{\text {pub}}}\), its codimension in \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\) is much smaller. This is why the QD structure plays a crucial role in this attack (Table 3).

Theorem 6

Under Heuristic 1 and assuming that \(\overline{\mathscr {A}_{r+q}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}}\) is fully non degenerate (see Definition 5), we have

Proof

It is a direct consequence of Theorem 5 and Heuristic 1.   \(\square \)

Theorem 7

The code \(\mathscr {D}\) has codimension \(\leqslant \frac{2q}{|\mathcal {G}|} = 2^{\ell - \gamma +1}\) in \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\).

Proof

Using Theorem 3, we know that \(\mathscr {D}\) has the same dimension as \(\mathscr {A}_{r_0 + \frac{q}{|\mathcal {G}|}}(\overline{\psi _\mathcal {G}({\varvec{x}})},\overline{{\varvec{y}}})\). This code has dimension \(\geqslant n_0 - 2(r_0 + \frac{q}{|\mathcal {G}|})\). Since \(\dim {({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}} = k_0 = n_0 - 2r_0\), we get the result.   \(\square \)

Remark 7

Actually the codimension equals \(2^{\ell - \gamma +1}\) almost all the time.

Table 3. Numerical values for the code \(\mathscr {D}\)

6.3 Description of the Attack

The attack can be summarised as follows:

  (1) Compute \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\);

  (2) Guess the subcode \(\mathscr {D}\) of \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\) of codimension \(\frac{2q}{|\mathcal {G}|}\) such that

  (3) Determine \({\varvec{x}}\) from and then \({\varvec{y}}\) from \({\varvec{x}}\).

The difficult part is clearly the second one: how to guess \(\mathscr {D}\)? We present two ways to make this guess.

  • The first one consists in performing exhaustive search on subcodes of codimension \(\frac{2q}{|\mathcal {G}|}\) of \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\).

  • The second one consists in finding both \(\mathscr {D}\) and by solving a system of equations of degree 2 using Gröbner bases.

The first approach has a significant cost, which nevertheless remains far below the expected security level of the DAGS proposed parameters. For the second approach, we did not succeed in getting a relevant estimate of the work factor, but its practical implementation permits breaking DAGS_1 in about 20 min and DAGS_5 in less than one minute (see Sect. 8 for further details on the implementation). We did not succeed in breaking DAGS_3 parameters using the second approach. On the other hand, the first approach would have a work factor of \(\approx 2^{80}\) for keys with an expected security of 192 bits.

The remainder of this section is devoted to detailing the different steps of the attack.

6.4 First Approach, Brute Force Search of \(\mathscr {D}\)

A first way of getting \(\mathscr {D}\) and then of obtaining consists in enumerating all the subspaces \(\mathscr {X}\subseteq {({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\) of codimension \(\frac{2q}{|\mathcal {G}|}\) until we find one such that \(\mathbf {Cond}(\mathscr {X}, {\mathscr {C}_{\text {pub}}})\) has dimension 4. Indeed, for an arbitrary \(\mathscr {X}\) the conductor will have dimension 1 and be generated by \({\varvec{1}}\), while for \(\mathscr {X}= \mathscr {D}\) the conductor will be which has dimension 4.

The number of subspaces to enumerate is in \(O(q^{(2q/|\mathcal {G}|) (k_0 - 2q/|\mathcal {G}|)})\), which is in general much too large to make the attack practical. It is however possible to reduce the cost of the brute force attack as follows.

Using Random Subcodes of Dimension 2. For any parameter set proposed in DAGS, the public code has a rate k / n less than 1 / 2. Hence, its dual has rate larger than 1 / 2. Therefore, according to Heuristic 1, given a random subcode \(\mathscr {D}_0\) of \(\mathscr {D}\) of dimension 2, then with a high probability.

Thus, one can proceed as follows:

  • Pick two independent vectors \(\varvec{c}, \varvec{c}' \in {({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\) at random and compute \(\mathbf {Cond}(\langle \varvec{c}, \varvec{c}' \rangle , {\mathscr {C}_{\text {pub}}})\);

  • If the conductor has dimension 4, you probably found , then pursue the attack as explained in Sect. 6.6.

  • Else, try again.

The probability that \(\varvec{c}, \varvec{c}' \in \mathscr {D}\) equals \(q^{-\frac{4q}{|\mathcal {G}|}}\). Therefore, one may have found after \(O(q^{\frac{4q}{|\mathcal {G}|}})\) computations of conductors.

Example 1

The average number of computations of conductors will be

  • \(O(q^8) = O(2^{40})\) for DAGS_1;

  • \(O(q^8) = O(2^{48})\) for DAGS_3;

  • \(O(q^4) = O(2^{24})\) for DAGS_5.

Using Shortened Codes. Another way consists in replacing the public code by one of its shortenings. For that, we shorten \({\mathscr {C}_{\text {pub}}}= \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) at a set of \(a = a_0 2^\gamma \) positions which is a union of blocks, so that the shortened code remains QD. We choose the integer a such that the invariant subcode of the shortened code has dimension \(2 + {\frac{2q}{|\mathcal {G}|}}\) and hence the shortening of \(\mathscr {D}\) has dimension 2. Let \(\mathcal {I}\) be such a subset of positions. To determine \(\mathcal {S}_{\mathcal {I}}\left( \mathscr {D}\right) \), we can enumerate the subspaces \(\mathscr {X}\) of dimension 2 of \(\mathcal {S}_{\mathcal {I}}\left( {\mathscr {C}_{\text {pub}}}\right) \) and compute \(\mathbf {Cond}(\mathscr {X}, \mathcal {S}_{\mathcal {I}}\left( {\mathscr {C}_{\text {pub}}}\right) )\). In general, we get the trivial code spanned by the all-one codeword \({\varvec{1}}\). If the conductor has dimension 4, it is highly likely that we found \(\mathcal {S}_{\mathcal {I}}\left( \mathscr {D}\right) \) and that the computed conductor equals .

The number of such spaces we enumerate is in \(O (q^{\frac{4q}{|\mathcal {G}|}})\), which is very similar to the cost of the previous method.

6.5 Second Approach, Solving a Polynomial System of Degree 2

An alternative approach to recover \(\mathscr {D}\) and consists in solving a polynomial system. We proceed as follows. Since \(\text {Tr}({\varvec{x}}) \in \mathbf {Cond}(\mathscr {D}, {\mathscr {C}_{\text {pub}}})\) and, from Proposition 4, \(\mathbf {Cond}(\mathscr {D}, {\mathscr {C}_{\text {pub}}}) = {(\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp )}^\perp \), then

$$ \varvec{G}_{\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp } \cdot \text {Tr}({\varvec{x}})^\top = 0, $$

where \(\varvec{G}_{\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp }\) denotes a generator matrix of \(\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp \). The above identity holds true when replacing \(\text {Tr}({\varvec{x}})\) by \(\text {Tr}(\beta {\varvec{x}})\) for any \(\beta \in \mathbb {F}_{q^2}\). Hence,

$$\begin{aligned} \varvec{G}_{\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp } \cdot {\varvec{x}}^\top = 0. \end{aligned}$$
(9)

The above identity provides the system we wish to solve. We have two types of unknowns: the code \(\mathscr {D}\) and the vector \({\varvec{x}}\). Let \(c {\mathop {=}\limits ^{\text {def}}}\frac{2q}{|\mathcal {G}|}\) denote the codimension of \(\mathscr {D}\) in \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\). For \(\mathscr {D}\), let us introduce \((k_0-c)k_0\) formal variables \(U_{11}, \ldots , U_{1, c},\) \(\ldots , U_{k_0-c, 1}, \ldots , U_{k_0-c, c}\) and set

$$ \varvec{U} {\mathop {=}\limits ^{\text {def}}}\begin{pmatrix} U_{11} &{} \cdots &{} U_{1, c} \\ \vdots &{} &{} \vdots \\ U_{k_0-c, 1} &{} \cdots &{} U_{k_0-c, c} \end{pmatrix} \qquad \mathrm{and} \qquad \varvec{G}(U_{ij}) {\mathop {=}\limits ^{\text {def}}}\begin{pmatrix} ~\varvec{I}_{k_0 - c} ~|~ \varvec{U} ~ \end{pmatrix} \cdot \varvec{G}^\mathrm{inv}, $$

where \(\varvec{I}_{k_0 - c}\) denotes the \((k_0 - c) \times (k_0 - c)\) identity matrix and \(\varvec{G}^\mathrm{inv}\) denotes a \(k_0 \times n_0\) generator matrix of \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\). It is probable that \(\mathscr {D}\) has a generator matrix of the form \(\varvec{G}(u_{ij})\) for some special values \(u_{11}, \ldots , u_{k_0-c, c} \in \mathbb {F}_q\). The case where \(\mathscr {D}\) has no generator matrix of this form is rare and can be addressed by choosing another generator matrix for \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\).

Now, let \(\varvec{H}\) be a parity-check matrix of \({\mathscr {C}_{\text {pub}}}\). A generator matrix of \(\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp \) can be obtained by constructing a matrix whose rows list all the possible Schur products of one row of a generator matrix of \(\mathscr {D}\) by one row of a parity-check matrix of \({\mathscr {C}_{\text {pub}}}\). Therefore, let \(\varvec{R}(U_{ij})\) be a matrix with entries in \(\mathbb {F}_q[U_{1,1}, \ldots , U_{k_0-c, c}]\) whose rows list all the possible Schur products of one row of \(\varvec{G}(U_{i,j})\) and one row of \(\varvec{H}\). Hence, there is a specialisation \(u_{11}, \ldots , u_{k_0-c, c} \in \mathbb {F}_q\) of the variables \(U_{ij}\) such that \(\varvec{R} (u_{ij})\) is a generator matrix of \(\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp \).

The second set of variables \(X_1, \ldots , X_n\) corresponds to the entries of \({\varvec{x}}\). Using (9), the polynomial system we have to solve is nothing but

$$\begin{aligned} \varvec{R}(U_{ij}) \cdot \begin{pmatrix} X_1 \\ \vdots \\ X_n \end{pmatrix} = 0. \end{aligned}$$
(10)

Reducing the Number of Variables. Actually, it is possible to reduce the number of variables using three different tricks.

  1. Since the code is QD, the vector \({\varvec{x}}\) is a union of orbits under the action of the additive group \(\mathcal {G}\). Therefore, one can introduce formal variables \(A_1, \ldots , A_\gamma \) corresponding to the generators of \(\mathcal {G}\). Then, one can replace \((X_1, \ldots , X_n)\) by

    $$\begin{aligned} (T_1,\ T_1 + A_1,\ \ldots \ ,\ T_1 + A_1 + \cdots + A_\gamma ,\ T_2, T_2+A_1,\ \ldots \ ). \end{aligned}$$
    (11)

    for some variables \(T_1, \ldots , T_{n_0}\).

  2. Without loss of generality and because of the 2-transitive action of the affine group on \(\mathbb {F}_{q^2}\), one can suppose that the first entries of \({\varvec{x}}\) are 0 and 1 respectively (see for instance [12, Appendix A]). Therefore, in (11), one can replace \(T_1\) by 0 and \(A_1\) by 1.

  3. Similarly to the approach of Sect. 6.4, one can shorten the codes so that \(\mathscr {D}\) has only dimension 2, which reduces the number of variables \(U_{ij}\) to 2c and also reduces the length of the support we seek and hence reduces the number of the variables \(T_i\).

On the Structure of the Polynomial System. The polynomial equations have all the following features:

  • Any equation is the sum of an affine and a bilinear form;

  • Any degree 2 monomial is either of the form \(U_{ij}A_k\) or of the form \(U_{ij}T_k\).

Table 4 lists, for the different proposals, the number of variables of type U, A and T of the system when we use the previously described shortening trick.

Table 4. Number of variables of type U, A and T of the system

6.6 Finishing the Attack

When the previous step of the attack is over, then, if we used the first approach based on a brute force search of \(\mathscr {D}\), we know at least or for some set \(\mathcal {I}\) of positions. If we used the second approach, then \({\varvec{x}}\) is already computed, or at least \({\varvec{x}}_{\mathcal {I}}\) for some set of indexes \(\mathcal {I}\). Thus, it remains to be able to

  (1) recover \({\varvec{x}}\) from or \({\varvec{x}}_\mathcal {I}\) from ;

  (2) recover \({\varvec{y}}\) from \({\varvec{x}}\) or \({\varvec{y}}_\mathcal {I}\) from \({\varvec{x}}_\mathcal {I}\);

  (3) recover \({\varvec{x}}, {\varvec{y}}\) from \({\varvec{x}}_\mathcal {I}, {\varvec{y}}_\mathcal {I}\).

Recovering \({\varvec{x}}\) from . The code has dimension 4 over \(\mathbb {F}_q\) and is spanned by \({\varvec{1}}, \text {Tr}({\varvec{x}}), \text {Tr}(\alpha {\varvec{x}}), \text {N}({\varvec{x}})\). It is not difficult to prove that

where denotes the \(\mathbb {F}_{q^2}\)-linear code contained in \(\mathbb {F}_{q^2}^n\) and spanned over \(\mathbb {F}_{q^2}\) by the elements of .

Because of the 2-transitivity of the affine group on \(\mathbb {F}_{q^2}\), without loss of generality, one can suppose that the first entry of \({\varvec{x}}\) is 0 and the second one is 1 (see for instance [12, Appendix A]). Therefore, after shortening we get a code that we call \(\mathscr {S}\), which is of the form

Next, a simple calculation shows that

$$ \mathscr {S}\cap \mathscr {S}^{\star 2} = \langle {\varvec{x}}^{\star (q+1)}\rangle . $$

Since the second entry of \({\varvec{x}}\) has been set to 1, we can deduce the value of \({\varvec{x}}^{\star (q+1)}\).

Remark 8

Actually, both \(\mathscr {S}\) and have a basis defined over \(\mathbb {F}_q\), therefore, to get \(\langle {\varvec{x}}^{\star (q+1)}\rangle _{\mathbb {F}_q}\) it is sufficient to perform any computation on codes defined over \(\mathbb {F}_q\).

Now, finding \({\varvec{x}}\) is easy: enumerate the affine subspace of of vectors whose first entry is 0 and second entry is 1 (or equivalently, the affine subspace of vectors of \(\mathscr {S}\) whose first entry equals 1). For any such vector \(\varvec{c}\), compute \(\varvec{c}^{\star (q+1)}\). If \(\varvec{c}^{\star (q+1)} = {\varvec{x}}^{\star (q+1)}\), then \(\varvec{c}\) equals either \({\varvec{x}}\) or \({\varvec{x}}^{\star q}\). Since \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}}) = \mathscr {A}_{r}({\varvec{x}}^{\star q},{\varvec{y}}^{\star q})\) (see for instance [12, Lemma 39]), it does not matter whether we take \({\varvec{x}}\) or \({\varvec{x}}^{\star q}\). Thus, without loss of generality, one can suppose \({\varvec{x}}\) has been found.

Recovering \({\varvec{y}}\) from \({\varvec{x}}\). This is a very classical calculation. The public code \({\mathscr {C}_{\text {pub}}}\) is alternant and hence is well known to have a parity-check matrix defined over \(\mathbb {F}_{q^2}\) of the form

$$\begin{aligned} \varvec{H}_\mathrm{pub} = \begin{pmatrix} y_1 &{} \cdots &{} y_n \\ x_1 y_1 &{} \cdots &{} x_n y_n \\ \vdots &{} &{} \vdots \\ x_1^{r-1}y_1 &{} \cdots &{} x_n^{r-1}y_n \end{pmatrix}. \end{aligned}$$
(12)

Denote by \(\varvec{G}_\mathrm{pub}\) a generator matrix of \({\mathscr {C}_{\text {pub}}}\). Then, since the \(x_i\)'s are known, the \(y_i\)'s can be computed by solving the linear system

$$ \varvec{H}_\mathrm{pub} \cdot \varvec{G}_\mathrm{pub}^{\top } = 0. $$

Recovering \({\varvec{x}}\mathbf , {\varvec{y}}\) from \({{\varvec{x}}}_{\varvec{\mathcal {I}}}, {{\varvec{y}}}_{\varvec{\mathcal {I}}}\). After a suitable reordering of the indexes, one can suppose that \(\mathcal {I}= \{s, s+1, \ldots , n\}\). Hence, the entries \(x_1, \ldots , x_{s-1}\) of \({\varvec{x}}\) and \(y_1, \ldots , y_{s-1}\) of \({\varvec{y}}\) are known. Set \(\mathcal {I}' {\mathop {=}\limits ^{\text {def}}}\mathcal {I}\setminus \{s\}\) and let \(\varvec{G}(\mathcal {I}')\) be a generator matrix of \(\mathscr {A}_{r}({\varvec{x}}_{\mathcal {I}'}, {\varvec{y}}_{\mathcal {I}'})\), which is nothing but \(\mathcal {S}_{\mathcal {I}'}\left( {\mathscr {C}_{\text {pub}}}\right) \). Using (12), we have

$$ \begin{pmatrix} y_1 &{} \cdots &{} y_s \\ x_1 y_1 &{} \cdots &{} x_s y_s \\ \vdots &{} &{} \vdots \\ x_1^{r-1}y_1 &{} \cdots &{} x_s^{r-1}y_s \end{pmatrix} \cdot \varvec{G}(\mathcal {I}') = 0. $$

In the above identity, all the \(x_i\)'s and \(y_i\)'s are known except \(x_s, y_s\). The entry \(y_s\) can be found by solving the linear system

$$ \begin{pmatrix} y_1&\cdots&y_s \end{pmatrix} \cdot \varvec{G}(\mathcal {I}') = 0. $$

Then, \(x_s\) can be deduced by solving the linear system

$$ \begin{pmatrix} x_1y_1&\cdots&x_sy_s \end{pmatrix} \cdot \varvec{G}(\mathcal {I}') = 0. $$

In this manner, we can iteratively recover the entries \(x_{s+1}, \ldots , x_n\) and \(y_{s+1}, \ldots , y_n\). The only constraint is that \(\mathcal {I}\) should be small enough for \(\mathcal {S}_{\mathcal {I}}\left( {\mathscr {C}_{\text {pub}}}\right) \) to be nonzero. But this always holds true for the choices of \(\mathcal {I}\) we made in the previous sections.

6.7 Comparison with a Previous Attack

First, let us recall the attack on wild Goppa codes over quadratic extensions [12]. This attack concerns a subclass of alternant codes called wild Goppa codes. For such codes a distinguisher exists which makes it possible to compute a filtration of the public code. Hence, after some computations, we obtain the subcode \(\mathscr {A}_{r+q+1}({\varvec{x}},{\varvec{y}})\) of the public code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\). Then, according to Heuristic 1, the computation of a conductor permits to get the code . As soon as is known, the recovery of the secret is easy. Note that the use of the techniques of Sect. 6.6 can significantly simplify the end of the attack of [12], which was rather technical.

We emphasise that, apart from the calculation of by computing a conductor, which appears in our attack as well as in [12], the two attacks remain very different. Indeed, the way one gets a subcode whose conductor into the public code provides is based in [12] on a distinguisher which does not work for general alternant codes that are not Goppa codes. In addition, in the present attack, the use of the permutation group is crucial, while it was useless in [12].

7 Complexity of the First Version of the Attack

As explained earlier, we have not been able to provide a complexity analysis of the approach based on polynomial system solving, in particular because the Macaulay matrix in degree 2 of the system turned out to have a surprisingly low rank, showing that this polynomial system was far from generic. Consequently, we limit our analysis to the first approach, based on performing a brute force search on the subcode \(\mathscr {D}\).

Since we look for approximate work factors, we will discuss an upper bound on the complexity and not only a big O.

7.1 Complexity of Calculation of Schur Products

A Schur product \(\mathscr {A} \star \mathscr {B}\) of two codes \(\mathscr {A}, \mathscr {B}\) of length n and respective dimensions \(k_a, k_b\) is computed as follows.

  1. Take bases \(\varvec{a}_1, \ldots , \varvec{a}_{k_a}\) and \(\varvec{b}_1, \ldots , \varvec{b}_{k_b}\) of \(\mathscr {A}\) and \(\mathscr {B}\) respectively and construct a matrix \(\varvec{M}\) whose rows are all the possible products \(\varvec{a}_i \star \varvec{b}_j\), for \(1 \leqslant i \leqslant k_a\) and \(1 \leqslant j \leqslant k_b\). This matrix has \(k_a k_b\) rows and n columns.

  2. Perform Gaussian elimination to get a reduced echelon form of \(\varvec{M}\).

The cost of the computation of a reduced echelon form of an \(s \times n\) matrix is \(ns\min (n,s)\) operations in the base field. The cost of the computation of the matrix \(\varvec{M}\) is the cost of \(k_a k_b\) Schur products of vectors, i.e. \(n k_a k_b\) operations in the base field. This leads to an overall cost of the calculation of the Schur product equal to

$$ n k_a k_b + nk_a k_b \min (n, k_a k_b) $$

operations in the base field. When \(k_a k_b \geqslant n\), the cost of the Schur product can be reduced using a probabilistic shortcut described in [10]. It consists in computing an \(n \times n\) submatrix of \(\varvec{M}\) by choosing some random subset of products \(\varvec{a}_i \star \varvec{b}_j\). This permits to reduce the cost of computing a generator matrix in row echelon form of \(\mathscr {A} \star \mathscr {B}\) to \(2n^3\) operations in the base field.

7.2 Cost of a Single Iteration of the Brute Force Search

Computing the conductor \(\mathbf {Cond}(\mathscr {X}, {\mathscr {C}_{\text {pub}}})\) consists in computing the code \({(\mathscr {X} \star {\mathscr {C}_{\text {pub}}}^\perp )}^\perp \). Since our attack consists in computing such conductors for various \(\mathscr {X}\)'s, one can compute a generator matrix of \({\mathscr {C}_{\text {pub}}}^\perp \) once and for all. Hence, one can suppose a generator matrix for \({\mathscr {C}_{\text {pub}}}^\perp \) is known. Then, according to Sect. 7.1, the calculation of a generator matrix of \(\mathscr {X} \star {\mathscr {C}_{\text {pub}}}^\perp \) costs at most \(2n^3\) operations in \(\mathbb {F}_q\).
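As an added example (not the paper's own code), the Schur product algorithm of Sect. 7.1 and the conductor computation of Sect. 7.2, implemented over GF(16) for full-support Reed-Solomon codes; it also checks the behaviour Sect. 6.4 relies on, namely that the conductor of a structured subcode is large while that of an arbitrary subcode collapses to \(\langle {\varvec{1}}\rangle \). The field GF(16), the support (all of GF(16), so n = q = 16) and the subcode X are constructed choices, and this single-field Reed-Solomon setting stands in for the alternant codes over \(\mathbb {F}_{q^2}\) of the paper.

```python
"""Schur products and conductors over GF(16) (added example, not the paper's code).

Codes are given as lists of generator rows. RS_k(x) is the evaluation code of
polynomials of degree < k on the full support x = GF(16), so n = q = 16, and the
all-one word 1 (evaluation of the constant polynomial) lies in every RS_k, k >= 1.
"""
from functools import reduce
from operator import xor

# ---- GF(16) arithmetic, modulus z^4 + z + 1, via exp/log tables (constructed) ----
Q = 16
EXP, LOG = [0] * (2 * Q), [0] * Q
_a = 1
for _i in range(Q - 1):
    EXP[_i], LOG[_a] = _a, _i
    _a <<= 1
    if _a & Q:
        _a ^= 0b10011  # reduce modulo z^4 + z + 1
for _i in range(Q - 1, 2 * Q):
    EXP[_i] = EXP[_i - (Q - 1)]

def mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def inv(a):
    return EXP[(Q - 1) - LOG[a]]

def power(a, e):
    return reduce(mul, [a] * e, 1)

def rref(rows):
    """Reduced row echelon form over GF(16): (nonzero rows, pivot columns)."""
    m = [list(r) for r in rows]
    n, r, pivots = len(m[0]), 0, []
    for c in range(n):
        p = next((i for i in range(r, len(m)) if m[i][c]), None)
        if p is None:
            continue
        m[r], m[p] = m[p], m[r]
        s = inv(m[r][c])
        m[r] = [mul(s, v) for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [vi ^ mul(f, vr) for vi, vr in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
        if r == len(m):
            break
    return m[:r], pivots

def dual(basis, n):
    """Basis of the dual code, read off the RREF of a generator matrix (nullspace)."""
    if not basis:
        return [[int(i == j) for j in range(n)] for i in range(n)]
    red, piv = rref(basis)
    out = []
    for f in (c for c in range(n) if c not in piv):
        v = [0] * n
        v[f] = 1
        for row, p in zip(red, piv):
            v[p] = row[f]  # characteristic 2: -row[f] == row[f]
        out.append(v)
    return out

def schur_product(a_basis, b_basis):
    """Sect. 7.1: matrix M of all k_a*k_b products a_i * b_j, then echelon form."""
    m = [[mul(u, v) for u, v in zip(a, b)] for a in a_basis for b in b_basis]
    return rref(m)[0]

def conductor(x_basis, c_basis, n):
    """Cond(X, C) = (X * C^perp)^perp (Proposition 4), as computed in Sect. 7.2."""
    return dual(schur_product(x_basis, dual(c_basis, n)), n)

SUPPORT = list(range(Q))  # x = every element of GF(16) (constructed support)

def evaluate(coeffs):
    """Evaluation vector on SUPPORT of the polynomial with these coefficients."""
    return [reduce(xor, (mul(c, power(xi, j)) for j, c in enumerate(coeffs)), 0)
            for xi in SUPPORT]

def rs_code(k):
    """Generator rows of RS_k(x): evaluations of 1, z, ..., z^(k-1)."""
    return [evaluate([0] * j + [1]) for j in range(k)]

def same_code(a, b):
    return rref(a)[0] == rref(b)[0]

def demo():
    """Returns (dim RS_4*RS_8, (dim Cond(RS_4,RS_8), Cond == RS_5), Cond(X,RS_8))."""
    rs4, rs8 = rs_code(4), rs_code(8)
    prod_dim = len(schur_product(rs4, rs8))  # RS_4 * RS_8 = RS_11 (Theorem 4)
    cond = conductor(rs4, rs8, Q)            # structured subcode: Cond = RS_5
    # A 4-dimensional subcode X of RS_8 that is not a lower-degree RS code
    # (constructed): its conductor collapses to <1>, as described in Sect. 6.4.
    x = [evaluate([1]), evaluate([0] * 7 + [1]),
         evaluate([0, 0, 0, 1, 0, 1]), evaluate([0, 0, 1, 0, 0, 0, 1])]
    return prod_dim, (len(cond), same_code(cond, rs_code(5))), conductor(x, rs8, Q)

if __name__ == "__main__":
    print(demo())
```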

7.3 Complexity of finding \(\mathscr {D}\) and \(\mathscr {N}{\!\!}\mathscr {T} (\varvec{x})\)

According to Sect. 6.4, the average number of iterations of the brute force search is \(q^{2\mathrm{Codim} \mathscr {D}}\), that is \(q^{\frac{4q}{|\mathcal {G}|}}\). Thus, we get an overall cost of the first step bounded above by

$$ 2n^3 q^{\frac{4q}{|\mathcal {G}|}}\ \mathrm{operations\ in\ }\mathbb {F}_q. $$

Since \(n = \varTheta (q^2)\), we get a complexity in \(O(n^{3+\frac{2q}{|\mathcal {G}|}})\) operations in \(\mathbb {F}_q\) for the computation of .

7.4 Complexity of deducing \({\varvec{x}}, {\varvec{y}}\) from \(\mathscr {N}{\!\!}\mathscr {T} (\varvec{x})\)

A simple analysis shows that the final part of the attack is negligible compared to the previous step. Indeed,

  • the computation of costs \(O(n^2)\) operations in \(\mathbb {F}_q\) (because of Remark 8, one can perform these computations over \(\mathbb {F}_q\)) since the code has dimension 4;

  • the computation of boils down to linear algebra and costs \(O(n^3)\) operations in \(\mathbb {F}_q\);

  • The enumeration of the subset of of elements whose first entry is 0 and second one is 1, together with the computation of their norm, costs \(O(q^4 n) = O(n^3)\) operations in \(\mathbb {F}_{q^2}\). Indeed the affine subspace of which is enumerated has dimension 2 over \(\mathbb {F}_{q^2}\) and hence has \(q^4\) elements, while the computation of the componentwise norm of a vector costs O(n) operations assuming that the Frobenius \(z \mapsto z^q\) can be computed in constant time in \(\mathbb {F}_{q^2}\).

  • The recovery of \({\varvec{y}}\) from \({\varvec{x}}\) boils down to linear algebra and hence can also be done in \(O(n^3)\) operations in \(\mathbb {F}_{q^2}\). If we have to recover \({\varvec{x}}, {\varvec{y}}\) from \({\varvec{x}}_\mathcal {I}, {\varvec{y}}_\mathcal {I}\), it can be done iteratively by solving a system of a constant number of equations, hence the cost of one iteration is in \(O(n^2)\) operations in \(\mathbb {F}_{q^2}\).

Thus, the overall cost remains in \(O(n^3)\) operations in \(\mathbb {F}_{q^2}\).

7.5 Overall Complexity

As a conclusion, the attack has an approximate work factor of

$$\begin{aligned} 2n^3q^{\frac{4q}{|\mathcal {G}|}} \mathrm{operations\ in\ }\mathbb {F}_q. \end{aligned}$$
(13)

7.6 Approximate Work Factors of the First Variant of the Attack on DAGS Parameters

We assume that operations in \(\mathbb {F}_q\) can be done in constant time. Indeed, the base fields of the public keys of the DAGS proposal are \(\mathbb {F}_{32}\) and \(\mathbb {F}_{64}\). For such fields, it is reasonable to store multiplication and inversion tables.

Therefore, we list in Table 5 some approximate work factors for DAGS according to (13). The second column recalls the security levels claimed in [3] for the best possible attack. The last column gives the approximate work factors for the first variant of our attack.

Table 5. Work factors of the first variant of the attack
Table 6. Average times for the second variant of the attack.

8 Implementation

Tests have been done using Magma [8] on an Intel® Xeon 2.27 GHz.

Since the first variant of the attack was too costly to be tested on our machines, we tested it on the toy parameters DAGS_0. We performed 20 tests, which succeeded in an average time of 2 h.

On the other hand, we tested the second variant, based on solving a polynomial system, on DAGS_1, _3 and _5. We have not been able to break DAGS_3 keys using this variant of the attack; on the other hand, about 100 tests have been performed for DAGS_1 and DAGS_5. The average running times are listed in Table 6.