Abstract
We present an efficient key recovery attack on code-based encryption schemes using some quasi-dyadic alternant codes with extension degree 2. This attack breaks the DAGS proposal recently submitted to NIST.
Keywords
- Code-based cryptography
- McEliece encryption scheme
- Key recovery attack
- Alternant codes
- Quasi-dyadic codes
- Schur product of codes
1 Introduction
In 1978, in the seminal article [21], McEliece designed a public key encryption scheme relying on the hardness of the bounded decoding problem [7], i.e. on the hardness of decoding an arbitrary code. For a long time, this scheme was considered impractical because of the huge size of its public keys compared to public key encryption schemes relying on algorithmic number theoretic problems. The trend changed in the last decade because of the progress of quantum computing and the increasing threat that a quantum computer able to break the usual cryptographic primitives based on number theoretic problems will exist in the near future. Evidence for this change of trend is the recent call of the National Institute for Standards and Technology (NIST) for post quantum cryptography. The majority of the submissions to this call are based either on codes or on lattices.
After forty years of research on code based cryptography, one can identify two general trends for instantiating McEliece's scheme. The first one consists in using codes from probabilistic constructions such as MDPC codes [1, 23]. The other one consists in using algebraic codes such as Goppa codes or, more generally, alternant codes. A major difference between these two families of proposals is that the first one, based on MDPC codes, benefits in some cases from clean security reductions to the decoding problem.
Concerning McEliece instantiations based on algebraic codes, which include McEliece's original proposal based on binary Goppa codes, two approaches have been considered in order to address the drawback of large public key sizes. On the one hand, some proposals suggested replacing Goppa or alternant codes by more structured codes such as generalised Reed-Solomon (GRS) codes [24], their low dimensional subcodes [6], or GRS codes to which various transformations have been applied [2, 29, 30]. It turns out that most of these proposals have been subject to polynomial time key-recovery attacks [9, 13, 28, 31]. In addition, proposals based on Goppa codes which are close to GRS codes, namely Goppa codes with a low extension degree m, have been the target of some structural attacks [12, 17]. On the other hand, many proposals suggest the use of codes with a non trivial automorphism group [5, 18, 22, 26]. Some of these proposals have been either partially or completely broken [15, 16, 25]. In particular, in the design of such proposals, precautions should be taken since the knowledge of a non trivial automorphism group of the public code facilitates algebraic attacks by significantly reducing the degrees and number of variables of the algebraic system to solve in order to recover the secret key.
Among the recent submissions to the NIST call for post quantum cryptography, a proposal called DAGS [3] is based on the use of quasi-dyadic (QD) generalised Srivastava codes with extension degree \(m = 2\). By quasi-dyadic we mean that the permutation group of the code is of the form \((\mathbb {Z}/ 2\mathbb {Z})^\gamma \) for some positive integer \(\gamma \). Moreover, generalised Srivastava codes form a proper subclass of alternant codes. The DAGS proposal takes advantage of both usual techniques to reduce the size of the keys. First, by using alternant codes which are close to generalised Reed Solomon codes, i.e. with an extension degree 2. Second, by using codes with a large permutation group. In terms of security with respect to key recovery attacks, DAGS parameters are chosen to be out of reach of the algebraic attacks [15, 16]. In addition, it should be emphasised that the choice of alternant codes which are not Goppa codes places the keys out of reach of the distinguisher by shortening and squaring used in [12].
Our Contribution. In this article, we present an attack breaking McEliece instantiations based on alternant codes with extension degree 2 and a large permutation group. This attack recovers the secret key in \(O\left( n^{3+\frac{2q}{|\mathcal {G}|}}\right) \) operations in \(\mathbb {F}_q\), where \(\mathcal {G}\) denotes the permutation group, n the code length and \(\mathbb {F}_q\) the base field of the public code. The key step of the attack consists in finding some subcode of the public code referred to as \(\mathscr {D}\). From this code \(\mathscr {D}\) and using an operation we call the conductor, the secret key can easily be recovered. For this main step, we present two ways to proceed: the first approach is based on a partial brute force search while the second one is based on solving a polynomial system of degree 2. An analysis of the work factor of this attack using the first approach shows that DAGS keys with respective estimated security levels 128, 192 and 256 bits can be broken with respective approximate work factors \(2^{70}, 2^{80}\) and \(2^{58}\). For the second approach, we were not able to provide a complexity analysis. However, its practical implementation using Magma [8] is impressively efficient on some DAGS parameters. In particular, it permits to break claimed 256 bits security keys in less than one minute!
This attack is a novel and original manner to recover the structure of alternant codes by jointly taking advantage of the permutation group and the small size of the extension degree. Even if one variant of the attack relies on solving a polynomial system, this system has nothing to do with those of the algebraic attacks of [15,16,17]. On the other hand, although this attack shares some common points with that of [12], where the Schur product of codes (see Sect. 3 for a definition) plays a crucial role, the keys we break in the present article are out of reach of a distinguisher by shortening and squaring, and hence our attack differs from filtration attacks as in [10, 12].
It is worth noting that repairing the DAGS scheme so that it resists the present attack is possible. Recently, the authors presented new parameter sets which are out of reach of the first version of the attack. These new parameters are available in the current version of the proposal (see Footnote 1).
2 Notation and Prerequisites
2.1 Subfield Subcodes and Trace Codes
Definition 1
Given a code \(\mathscr {C}\) of length n over \(\mathbb {F}_{q^m}\), its subfield subcode is the subcode of vectors whose entries all lie in \(\mathbb {F}_q\), that is the code:
The trace code is the image of the code under the componentwise trace map
Let us recall a classical and well-known result on subfield subcodes and trace codes.
Theorem 1
(Delsarte Theorem [14]). Let \(\mathscr {C}\subseteq \mathbb {F}_{q^m}^n\) be a code. Then
2.2 Generalised Reed-Solomon Codes and Alternant Codes
Notation 1
Let q be a prime power and k a positive integer. We denote by \(\mathbb {F}_q[z]_{<k}\) the vector space of polynomials over \(\mathbb {F}_q\) whose degree is strictly less than k. Let m be a positive integer; we will consider codes over \(\mathbb {F}_{q^m}\) together with their subfield subcodes over \(\mathbb {F}_q\). In Sect. 3 and further, we will focus particularly on the case \(m=2\).
Definition 2
(Supports and multipliers). A vector \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) whose entries are pairwise distinct is called a support. A vector \({\varvec{y}}\in \mathbb {F}_{q^m}^n\) whose entries are all nonzero is referred to as a multiplier.
Definition 3
(Generalised Reed-Solomon codes). Let n be a positive integer, \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support and \({\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a multiplier. The generalised Reed-Solomon (GRS) code with support \({\varvec{x}}\) and multiplier \({\varvec{y}}\) of dimension k is defined as
When \({\varvec{y}}= {\varvec{1}}\), the code is a Reed-Solomon code and is denoted as \({\mathbf {RS}}_{k}({\varvec{x}})\).
The dual of a GRS code is a GRS code too. This is made explicit in Lemma 1 below. Let us first introduce an additional notation.
Notation 2
Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support; we define the polynomial \(\pi _{{\varvec{x}}} \in \mathbb {F}_{q^m}[z]\) as
Lemma 1
Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a support and a multiplier of length n and \(k \leqslant n\). Then
where
and \(\pi _{{\varvec{x}}}'\) denotes the derivative of the polynomial \(\pi _{{\varvec{x}}}\).
Definition 4
(Alternant code). Let \(m,\ n\) be positive integers such that \(n \leqslant q^m\). Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support, \({\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a multiplier and r be a positive integer. The alternant code of support \({\varvec{x}}\), multiplier \({\varvec{y}}\) and degree r over \(\mathbb {F}_q\) is defined as
The integer m is referred to as the extension degree of the alternant code.
As a direct consequence of Lemma 1 and Definition 4, we get the following explicit description of an alternant code.
Next, by duality and using Delsarte’s Theorem (Theorem 1), we have
We refer the reader to [20, Chap. 12] for further properties of alternant codes. Recall that the code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) defined in Definition 4 has dimension \(k \geqslant n-mr\) and equality holds in general. Moreover, these codes benefit from efficient decoding algorithms correcting up to \(\lfloor \frac{r}{2} \rfloor \) errors (see [20, Chap. 12 Sect. 9]).
Fully Non Degenerate Alternant Codes. We conclude this subsection on alternant codes by a definition which is useful in the sequel.
Definition 5
An alternant code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) is said to be fully non degenerate if it satisfies the two following conditions.
- (i) A generator matrix of \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) has no zero column.
- (ii) \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}}) \ne \mathscr {A}_{r+1}({\varvec{x}},{\varvec{y}})\).
Most of the time, an alternant code is fully non degenerate.
2.3 Punctured and Shortened Codes
The notions of puncturing and shortening are classical ways to build new codes from existing ones. We recall here their definition.
Definition 6
Let \(\mathscr {C}\) be a code of length n and \(\mathcal {I}\subseteq \{1, \ldots , n\}\). The puncturing and the shortening of \(\mathscr {C}\) at \(\mathcal {I}\) are respectively defined as the codes
Let us finish by recalling the following classical result.
Notation 3
Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a vector and \(\mathcal {I}\subseteq \{1, \ldots , n\}\). Then, the vector \({\varvec{x}}_{\mathcal {I}}\) denotes the vector obtained from \({\varvec{x}}\) by removing the entries whose indexes are in \(\mathcal {I}\).
Proposition 1
Let m, r be positive integers. Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^m}^n\) be as in Definition 4. Let \(\mathcal {I}\subseteq \{1, \ldots , n\}\). Then
Proof
See for instance [12, Proposition 9]. \(\square \)
2.4 Quasi-dyadic Codes, Quasi-dyadic Alternant Codes
Quasi-dyadic (QD) codes are codes with a nontrivial permutation group isomorphic to \((\mathbb {Z}/2\mathbb {Z})^\gamma \) for some positive integer \(\gamma \). Such a code has length \(n = 2^\gamma n_0\). The permutation group of the code is composed of permutations, each one being a product of transpositions with disjoint supports. The example of interest in the present article is the case of QD-alternant codes. In what follows, we explain how to create them.
Notation 4
From now on, q denotes a power of 2 and \(\ell \) denotes the positive integer such that \(q = 2^\ell \).
- Let \(\mathcal {G}\subset \mathbb {F}_{q^m}\) be an additive subgroup with \(\gamma \) generators, i.e. \(\mathcal {G}\) is an \(\mathbb {F}_2\)-vector subspace of \(\mathbb {F}_{q^m}\) of dimension \(\gamma \) with an \(\mathbb {F}_2\)-basis \(a_1, \ldots , a_\gamma \). Clearly, as an additive group, \(\mathcal {G}\) is isomorphic to \((\mathbb {Z}/2\mathbb {Z})^\gamma \). The group \(\mathcal {G}\) acts on \(\mathbb {F}_{q^m}\) by translation: for any \(a \in \mathcal {G}\), we denote by \(\tau _a\) the translation
  $$ \tau _a : \left\{ \begin{array}{ccc} \mathbb {F}_{q^m} &{} \longrightarrow &{} \mathbb {F}_{q^m} \\ x &{} \longmapsto &{} x+a \end{array} \right. . $$
- Using the basis \((a_1, \ldots , a_\gamma )\), we fix an ordering on \(\mathcal {G}\) as follows. Any element \(u_1 a_1 + \cdots + u_\gamma a_\gamma \in \mathcal {G}\) can be regarded as an element \((u_1, \ldots , u_\gamma )\in (\mathbb {Z}/2\mathbb {Z})^\gamma \) and we sort them by lexicographic order. For instance, if \(\gamma =3\):
  $$ 0< a_1< a_2< a_1 + a_2< a_3< a_1 + a_3< a_2 + a_3 < a_1 + a_2 + a_3. $$
- Let \(n = 2^\gamma n_0\) for some positive \(n_0\) and such that \(n \leqslant q^m\). Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support which splits into \(n_0\) blocks of \(2^\gamma \) elements of \(\mathbb {F}_{q^m}\), each block being an orbit under the action of \(\mathcal {G}\) by translation on \(\mathbb {F}_{q^m}\), sorted using the previously described ordering. For instance, suppose \(\gamma = 2\); then such an \({\varvec{x}}\) is of the form
  $$\begin{aligned} \begin{array}{rl} {\varvec{x}}= &{} (t_1, t_1+a_1, t_1+a_2, t_1+a_1+a_2, \ldots ,\\ &{} \qquad \ldots , t_{n_0}, t_{n_0}+a_1, t_{n_0}+a_2, t_{n_0}+a_1+a_2), \end{array} \end{aligned}$$ (3)
  where the \(t_i\)'s are chosen to have disjoint orbits under the action of \(\mathcal {G}\) by translation on \(\mathbb {F}_{q^m}\).
- Let \({\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a multiplier which also splits into \(n_0\) blocks of length \(2^\gamma \) whose entries are equal.
- Let r be a positive integer and consider the code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\).
- The set of entries of \({\varvec{x}}\) is globally invariant under the action of \(\mathcal {G}\) by translation. In particular, for any \(a \in \mathcal {G}\), the translation \(\tau _a\) induces a permutation of the code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\). We refer to this permutation as \(\sigma _a\). For instance, reconsidering Example (3), the permutations \(\sigma _{a_1}\) and \(\sigma _{a_1+a_2}\) are respectively of the form
  $$\begin{aligned} \sigma _{a_1}&= (1,2)(3,4) \cdots (n-3, n-2)(n-1, n)\\ \sigma _{a_1+a_2}&= (1, 4)(2, 3) \cdots (n-3, n)(n-2, n-1). \end{aligned}$$
  The group of permutations \(\{\sigma _a ~|~ a\in \mathcal {G}\}\) is isomorphic to \(\mathcal {G}\) and hence to \((\mathbb {Z}/2\mathbb {Z})^\gamma \). For convenience, we also denote this group of permutations by \(\mathcal {G}\).
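The construction above, as an added example that is not part of the original paper: a small Python script that builds a quasi-dyadic support from an \(\mathbb {F}_2\)-basis of \(\mathcal {G}\) and coset representatives \(t_i\), orders every orbit as in the display for \(\gamma = 3\), and reads off the permutations \(\sigma _a\) as products of disjoint transpositions. Elements of \(\mathbb {F}_{2^m}\) are represented as integers whose bits are the coordinates over \(\mathbb {F}_2\), so addition (and thus translation by a) is XOR; the basis \((a_1, a_2) = (1, 2)\) and the representatives \(t_i = 4, 8, 12\) are constructed values, not parameters taken from the paper.

```python
# Added example (not from the paper): quasi-dyadic supports and the induced
# permutations sigma_a of Sect. 2.4.  Field elements of F_{2^m} are ints,
# addition is XOR, so the translation tau_a is x -> x ^ a.

def group_elements(basis):
    """Elements u_1 a_1 + ... + u_gamma a_gamma of G in the paper's
    lexicographic order: 0, a1, a2, a1+a2, a3, a1+a3, ... (u_1 varies fastest)."""
    gamma = len(basis)
    elems = []
    for bits in range(2 ** gamma):
        g = 0
        for i in range(gamma):
            if bits >> i & 1:
                g ^= basis[i]
        elems.append(g)
    return elems


def qd_support(basis, reps):
    """Support x = concatenation of the orbits t_i + G, each orbit in group order.
    Raises if the orbits overlap, since a support must have distinct entries."""
    G = group_elements(basis)
    x = [t ^ g for t in reps for g in G]
    if len(set(x)) != len(x):
        raise ValueError("orbits of the t_i overlap: support entries must be distinct")
    return x


def induced_permutation(x, a):
    """sigma_a as a 0-based list: position i is sent to the position of x_i + a.
    Fails with KeyError if the entry set of x is not invariant under translation by a."""
    pos = {v: i for i, v in enumerate(x)}
    return [pos[v ^ a] for v in x]


def transpositions(perm):
    """Write an involution (every sigma_a is one, since a + a = 0 in characteristic 2)
    as a list of disjoint transpositions with 1-based positions, as in the paper."""
    seen, out = set(), []
    for i, j in enumerate(perm):
        if i in seen or i == j:
            continue
        seen.update({i, j})
        out.append((i + 1, j + 1))
    return out


if __name__ == "__main__":
    # Constructed example: gamma = 2, G = <1, 2> = {0, 1, 2, 3}, n_0 = 3, so n = 12.
    basis, reps = [1, 2], [4, 8, 12]
    x = qd_support(basis, reps)
    print("x =", x)
    print("sigma_{a1}     =", transpositions(induced_permutation(x, basis[0])))
    print("sigma_{a1+a2}  =", transpositions(induced_permutation(x, basis[0] ^ basis[1])))
```

Running the script on the constructed data prints \(\sigma _{a_1} = (1,2)(3,4)\cdots (11,12)\) and \(\sigma _{a_1+a_2} = (1,4)(2,3)\cdots (10,11)\), i.e. exactly the shapes displayed above for \(n = 12\); choosing representatives whose orbits overlap (for instance \(t_2 = 5\)) makes `qd_support` refuse the input.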
Proposition 2
For any \(r >0\), the code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) is quasi-dyadic.
Proof
See for instance [27, Chap. 5]. \(\square \)
2.5 Invariant Subcode of a Quasi-dyadic Code
Definition 7
Given a code \(\mathscr {C}\) with a non-trivial permutation group \(\mathcal {G}\), we define the code \({\mathscr {C}}^{\mathcal {G}}\) as the subcode of \(\mathscr {C}\):
The invariant subcode has repeated entries since on any orbit of the support under the action of \(\mathcal {G}\), the entries of a codeword are equal. This motivates an alternative definition of the invariant code where repetitions have been removed.
Definition 8
In the context of Definition 7, let \(\varvec{c}\in \mathbb {F}_{q^m}^n\) be a vector such that for any \(\sigma \in \mathcal {G}\), \(\sigma (\varvec{c}) = \varvec{c}\). We denote by \(\overline{\varvec{c}}\) the vector obtained by keeping only one entry per orbit under the action of \(\mathcal {G}\) on the support. We define the invariant code with non repeated entries as
We are interested in the structure of the invariant code of QD alternant codes. To study this structure, we first need to recall some basic notions on additive polynomials.
Additive polynomials
Definition 9
An additive polynomial \(P\in \mathbb {F}_{q^m}[z]\) is a polynomial whose monomials are all of the form \(z^{2^i}\) for \(i \geqslant 0\). Such a polynomial satisfies \(P(a+b) = P(a)+ P(b)\) for any \(a, b \in \mathbb {F}_{q^m}\).
The zero locus of an additive polynomial in \(\mathbb {F}_{q^m}\) is an additive subgroup of \(\mathbb {F}_{q^m}\) and such polynomials satisfy some interpolation properties.
Proposition 3
Let \(\mathcal {G}\subset \mathbb {F}_{q^m}\) be an additive group of cardinality \(2^\gamma \). There exists a unique additive polynomial \(\psi _\mathcal {G}\in \mathbb {F}_{q^m}[z]\) which is monic of degree \(2^\gamma \) and vanishes at any element of \(\mathcal {G}\).
Proof
See [19, Proposition 1.3.5 & Lemma 1.3.6]. \(\square \)
Notation 5
From now on, given an additive subgroup \(\mathcal {G}\subseteq \mathbb {F}_{q^m}\), we always denote by \(\psi _\mathcal {G}\) the unique monic additive polynomial of degree \(|\mathcal {G}|\) in \(\mathbb {F}_{q^m}[z]\) that vanishes on \(\mathcal {G}\).
Invariant of a Quasi-dyadic Alternant Code. It turns out that the invariant code with non repeated entries of a QD alternant code is an alternant code too. This relies on the following classical result of invariant theory for which a simple proof can be found in [15].
Theorem 2
Let \(f \in \mathbb {F}_{q^m}[z]\) and \(\mathcal {G}\subset \mathbb {F}_{q^m}\) be an additive subgroup. Suppose that for any \(a \in \mathcal {G}\), \(f(z) = f(z+a)\). Then, there exists \(h \in \mathbb {F}_{q^m}[z]\) such that \(f(z) = h(\psi _\mathcal {G}(z))\), where \(\psi _\mathcal {G}\) is the monic additive polynomial of degree \(|\mathcal {G}|\) vanishing at any element of \(\mathcal {G}\).
This entails the following result on the structure of the invariant code of an alternant code. We refer to Definition 8 for the notation in the following statement.
Theorem 3
Let \(\mathscr {C}= \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) be a QD-alternant code with permutation group \(\mathcal {G}\) of order \(2^\gamma \). Set \(r' = \left\lfloor \frac{r}{2^{\gamma }} \right\rfloor \). Then,
Proof
See [4]. \(\square \)
2.6 DAGS
Among the schemes recently submitted to NIST, the submission DAGS [3] uses as a primitive a McEliece encryption scheme based on QD generalised Srivastava codes. It is well known that generalised Srivastava codes form a subclass of alternant codes [20, Chap. 12]. Therefore, this proposal lies in the scope of the attack presented in what follows.
The parameters proposed in the DAGS submission are listed in Table 1.
Let us recall what the parameters \(q, m, n, n_0, k, k_0, \gamma , r_0\) stand for:
- q denotes the size of the base field of the alternant code;
- m denotes the extension degree. Hence the GRS code above the alternant code is defined over \(\mathbb {F}_{q^m}\);
- n denotes the length of the QD alternant code;
- \(n_0\) denotes the length of the invariant code with non repeated entries \(\overline{\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}}\), where \(\mathcal {G}\) denotes the permutation group;
- k denotes the dimension of the QD alternant code;
- \(k_0\) denotes the dimension of the invariant code;
- \(\gamma \) denotes the number of generators of \(\mathcal {G}\), i.e. \(\mathcal {G}\simeq (\mathbb {Z}/2\mathbb {Z})^{\gamma }\);
- \(r_0\) denotes the degree of the invariant code with non repeated entries, which is alternant according to Theorem 3.
Remark 1
The indexes \(\mathtt{1}, \mathtt{3}\) and \(\mathtt{5}\) in the parameter names correspond to security levels according to NIST's call. Level 1 corresponds to 128 bits security with a classical computer, Level 3 to 192 bits security and Level 5 to 256 bits security.
In addition to the parameter sets of Table 1, we introduce smaller parameters of our own choosing, listed in Table 2. They do not correspond to claimed secure instantiations of the scheme but allowed us to test some of our assumptions by computer aided calculations.
3 Schur Products
From now on and unless otherwise specified, the extension degree m will be equal to 2. This is the case for every parameter set proposed in DAGS.
3.1 Product of Vectors
The component wise product of two vectors in \(\mathbb {F}_q^n\) is denoted by
Next, for any positive integer t we define \(\varvec{a}^{\star t}\) as
More generally, given a polynomial \(P\in \mathbb {F}_q[z]\) we define \(P(\varvec{a})\) as the vector \((P(a_1), \ldots , P(a_n))\). In particular, given \(\varvec{a}\in \mathbb {F}_{q^2}^n\), we denote by \(\text {Tr}(\varvec{a})\) and \(\text {N}(\varvec{a})\) the vectors obtained by applying respectively the trace and the norm map component by component:
Finally, the all one vector \((1, \ldots , 1)\), which is the unit vector of the algebra \(\mathbb {F}_q^n\) with operations \(+\) and \(\star \) is denoted by \({\varvec{1}}\).
3.2 Schur Product of Codes
The Schur product of two codes \(\mathscr {A}\) and \(\mathscr {B} \subseteq \mathbb {F}_q^n\) is defined as
In particular, \(\mathscr {A}^{\star 2}\) denotes the square code of a code \(\mathscr {A}\): \(\mathscr {A}^{\star 2}{\mathop {=}\limits ^{\text {def}}}\mathscr {A} \star \mathscr {A}\).
3.3 Schur Products of GRS and Alternant Codes
The behaviour of GRS codes and of some alternant codes with respect to the Schur product is very different from that of random codes. This provides a manner to distinguish GRS codes from random ones and leads to a cryptanalysis of GRS based encryption schemes [9, 13, 31]. Some alternant codes, namely wild Goppa codes with extension degree 2, have also been subject to a cryptanalysis based on Schur product computations [11, 12].
Here we recall an elementary but crucial result.
Theorem 4
Let \({\varvec{x}}\in \mathbb {F}_{q^m}^n\) be a support and \({\varvec{y}}, {\varvec{y}}' \in \mathbb {F}_{q^m}^n\) be multipliers. Let \(k, k'\) be two positive integers, then
Proof
See for instance [9, Proposition 6]. \(\square \)
4 Conductors
In this section, we introduce a fundamental object in the attack to follow. This object was already used in [10, 12] without being named. We chose here to call it conductor. The rationale behind this terminology is explained in Remark 2.
Definition 10
Let \(\mathscr {C}\) and \(\mathscr {D}\) be two codes of length n over \(\mathbb {F}_q\). The conductor of \(\mathscr {D}\) into \(\mathscr {C}\) is defined as the largest code \(\mathscr {Z}\subseteq \mathbb {F}_q^n\) such that \(\mathscr {D}\star \mathscr {Z}\subseteq \mathscr {C}\). That is:
Proposition 4
Let \(\mathscr {D}, \mathscr {C}\subseteq \mathbb {F}_q^n\) be two codes, then
Proof
Remark 2
The terminology conductor has been borrowed from number theory in which the conductor of two subrings \(\mathcal O, \mathcal O'\) of the ring of integers \(\mathcal O_K\) of a number field K is the largest ideal \(\mathfrak P\) of \(\mathcal O_K\) such that \(\mathfrak P \cdot \mathcal O \subseteq \mathcal O'\).
4.1 Conductors of GRS Codes
Proposition 5
Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^m}^n\) be a support and a multiplier. Let \(k \leqslant k'\) be two integers less than n. Then,
Proof
Let \(\mathscr {E}\) denote the conductor. From Proposition 4 and Lemma 1,
Note that
Then, using Lemma 1 again, we get
\(\square \)
Let us emphasize a very interesting aspect of Proposition 5. We considered the conductor of a GRS code into another one having the same support and multiplier. The point is that the conductor does not depend on \({\varvec{y}}\). Hence the computation of a conductor permits to get rid of the multiplier and to obtain a much easier code to study: a Reed-Solomon code.
4.2 An Illustrative Example: Recovering the Structure of GRS Codes Using Conductors
Before presenting the attack on QD-alternant codes, we first describe a manner to recover the structure of a GRS code. This may help the reader to understand the spirit of the attack to follow.
Suppose we know a generator matrix of a code \(\mathscr {C}_k = {\mathbf {GRS}}_{k}({\varvec{x}},{\varvec{y}})\) where \(({\varvec{x}}, {\varvec{y}})\) are unknown. In addition, suppose that we know a generator matrix of the subcode \(\mathscr {C}_{k-1} = {\mathbf {GRS}}_{k-1}({\varvec{x}},{\varvec{y}})\) which has codimension 1 in \(\mathscr {C}_k\). First compute the conductor
From Proposition 5, the conductor \(\mathscr {X}\) equals \({\mathbf {RS}}_{2}({\varvec{x}})\). This code has dimension 2 and is spanned by \({\varvec{1}}\) and \({\varvec{x}}\). We claim that, from the knowledge of \(\mathscr {X}\), a pair \(({\varvec{x}}', {\varvec{y}}')\) such that \(\mathscr {C}_k = {\mathbf {GRS}}_{k}({\varvec{x}}',{\varvec{y}}')\) can be found easily by using techniques which are very similar to those presented further in Sect. 6.6.
Of course, there is no reason we would know both \({\mathbf {GRS}}_{k}({\varvec{x}},{\varvec{y}})\) and \({\mathbf {GRS}}_{k-1}({\varvec{x}},{\varvec{y}})\). However, we will see further that the quasi-dyadic structure permits to find interesting subcodes whose conductor may reveal the secret structure of the code.
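The following Python script is an added example, not code from the paper or from the DAGS submission. It serves two passages at once: the Schur product distinguisher of Sect. 3.3 (Theorem 4: the square of \({\mathbf {RS}}_{k}({\varvec{x}})\) has dimension \(2k-1\), whereas the square of a random code of the same parameters generically fills \(\min(n, k(k+1)/2)\) dimensions) and the toy attack of this subsection (the conductor of \({\mathbf {GRS}}_{k-1}({\varvec{x}},{\varvec{y}})\) into \({\mathbf {GRS}}_{k}({\varvec{x}},{\varvec{y}})\) is \({\mathbf {RS}}_{2}({\varvec{x}})\), so the multiplier disappears). It works over the constructed field \(\mathbb {F}_{16} = \mathbb {F}_2[a]/(a^4+a+1)\) with \(n = 12\), a support made of twelve distinct field elements and a multiplier chosen arbitrarily; the conductor is computed as \((\mathscr {D}\star \mathscr {C}^\perp )^\perp \), which is how Proposition 4 is used in the evidence for Heuristic 1 below and is assumed here to be its content since the displayed statement is missing from this copy.

```python
# Added example (not from the paper): Schur products and conductors of GRS
# codes over GF(16), illustrating Theorem 4 and the toy attack of Sect. 4.2.
import random

# GF(16) = F_2[a]/(a^4 + a + 1); elements are ints 0..15, addition is XOR.
POLY, Q = 0b10011, 16


def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= POLY
    return r


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def gf_inv(a):
    assert a != 0
    return gf_pow(a, Q - 2)  # a^(q-2) = a^(-1) in GF(q)


def rref(gens):
    """Reduced row echelon form over GF(16): (nonzero rows, pivot columns)."""
    rows = [list(r) for r in gens]
    pivots, rank = [], 0
    ncols = len(rows[0]) if rows else 0
    for col in range(ncols):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = gf_inv(rows[rank][col])
        rows[rank] = [gf_mul(inv, v) for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [vi ^ gf_mul(f, vr) for vi, vr in zip(rows[i], rows[rank])]
        pivots.append(col)
        rank += 1
    return rows[:rank], pivots


def dim(gens):
    return len(rref(gens)[0])


def same_code(gens1, gens2):
    return rref(gens1)[0] == rref(gens2)[0]  # the RREF basis is canonical


def dual(gens, n):
    """Basis of the dual code: null space of the generator matrix."""
    R, pivots = rref(gens)
    basis = []
    for f in (c for c in range(n) if c not in pivots):
        v = [0] * n
        v[f] = 1
        for row, p in zip(R, pivots):
            v[p] = row[f]  # characteristic 2, so -row[f] == row[f]
        basis.append(v)
    return basis


def schur(A, B):
    """Generators of A * B: all componentwise products of generators."""
    return [[gf_mul(a, b) for a, b in zip(u, v)] for u in A for v in B]


def grs(x, y, k):
    """GRS_k(x, y): generator rows (y_i * x_i^j)_i for j < k."""
    return [[gf_mul(yi, gf_pow(xi, j)) for xi, yi in zip(x, y)] for j in range(k)]


def conductor(D, C, n):
    """Cond(D, C) = largest Z with D * Z in C, computed as (D * C^perp)^perp
    (assumed here to be the content of the paper's Proposition 4)."""
    return dual(schur(D, dual(C, n)), n)


def square_dims(n, k, seed=1):
    """(dim RS_k(x)^{*2}, dim of the square of a seeded random [n, k] code).
    Theorem 4 gives 2k-1 for the first; the second is generically min(n, k(k+1)/2)."""
    x = list(range(1, n + 1))  # constructed support: n distinct field elements
    rs = grs(x, [1] * n, k)
    rng = random.Random(seed)
    rnd = [[rng.randrange(Q) for _ in range(n)] for _ in range(k)]
    return dim(schur(rs, rs)), dim(schur(rnd, rnd))


def recover_rs2(n, k, y):
    """Toy attack of Sect. 4.2: Cond(GRS_{k-1}(x,y), GRS_k(x,y)) should be RS_2(x) = <1, x>.
    Returns (dimension of the conductor, whether it equals RS_2(x))."""
    x = list(range(1, n + 1))
    X = conductor(grs(x, y, k - 1), grs(x, y, k), n)
    return dim(X), same_code(X, grs(x, [1] * n, 2))


if __name__ == "__main__":
    print(square_dims(12, 4))  # (7, 10) expected: 2k-1 versus k(k+1)/2
    y = [3, 7, 1, 9, 2, 5, 11, 6, 4, 8, 13, 10]  # constructed multiplier, all nonzero
    print(recover_rs2(12, 5, y))  # (2, True): the multiplier y has dropped out
```

The conductor is obtained without ever knowing \({\varvec{y}}\): only the two public generator matrices enter `conductor`, and the result is compared against \({\mathbf {RS}}_{2}({\varvec{x}})\) by reduced row echelon form, which is a canonical basis of a code. The same three primitives (Schur product, dual, RREF) are all that the later conductor computations of Sect. 4.6 require.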
4.3 Conductors of Alternant Codes
When dealing with alternant codes, having an exact description of the conductors as in Proposition 5 becomes difficult. We can at least prove the following statement.
Proposition 6
Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^2}^n\) be a support and a multiplier. Let \(r'\geqslant r\) be two positive integers. Then,
Proof
Consider the Schur product
Next, using Theorem 4,
The last inclusion is a consequence of Lemma 1 and Definition 4. \(\square \)
4.4 Why the Straightforward Generalisation Of the Illustrative Example Fails for Alternant Codes
Compared to Proposition 5, Proposition 6 provides only an inclusion. However, we experimentally observed that equality frequently holds.
On the other hand, even if inclusion (4) were an equality, the attack described in Sect. 4.2 could not be straightforwardly generalised to alternant codes. Indeed, suppose we know two alternant codes with consecutive degrees \(\mathscr {A}_{r+1}({\varvec{x}},{\varvec{y}})\) and \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\). Then, Proposition 6 would yield
Suppose that the above inclusion is actually an equality; as we just said this is in general what happens. The point is that as soon as \({\varvec{x}}\) has one entry in \(\mathbb {F}_{q^2}\setminus \mathbb {F}_q\), then \({\mathbf {RS}}_{2}({\varvec{x}}) \cap \mathbb {F}_q^n\) is reduced to the code spanned by \({\varvec{1}}\) and hence cannot provide any relevant information.
The previous discussion shows that, if we want to generalise the toy attack described in Sect. 4.2 to alternant codes, we cannot use a pair of alternant codes with consecutive degrees. In light of Proposition 6, the gap between the degrees r and \(r'\) of the two alternant codes should be large enough to provide a non trivial conductor. A sufficient condition for this is that \({\mathbf {RS}}_{r'-r+1}({\varvec{x}}) \cap \mathbb {F}_q^n\) is non trivial. This motivates the introduction of a code we called the norm trace code.
4.5 The Norm-Trace Code
Notation 6
In what follows, we fix \(\alpha \in \mathbb {F}_{q^2}\) such that \(\text {Tr}(\alpha ) = 1\). In particular, \((1, \alpha )\) forms an \(\mathbb {F}_q\)-basis of \(\mathbb {F}_{q^2}\).
Definition 11
(Norm trace code). Let \({\varvec{x}}\in \mathbb {F}_{q^2}^n\) be a support. The norm-trace code is defined as
This norm trace code turns out to be the code we will extract from the public key by conductor computations. To relate it with the previous discussions, we have the following statement whose proof is straightforward.
Proposition 7
Let \({\varvec{x}}\in \mathbb {F}_{q^2}^n\) be a support. Then, for any \(k > q+1\), we have
Remark 3
In addition to this statement, we observed experimentally that for \(2q+1> k > q+1\) inclusion (6) is in general an equality.
4.6 Summary and a Heuristic
First, let us summarise the previous discussions.
- If we know a pair of alternant codes \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) and \(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) such that \(q < r'-r\), then \(\mathbf {Cond}(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}}), \mathscr {A}_{r}({\varvec{x}},{\varvec{y}}))\) is non trivial since, according to Proposition 6 and to (6), it contains the norm-trace code.
- Experimentally, we observed that if \(q< r' - r < 2q\), then, almost every time, we have
- One problem remains: given an alternant code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\), how to get a subcode \(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) in order to apply the previous results? This will be explained in Sects. 5 and 6, in which we show that for quasi-dyadic alternant codes it is possible to get a subcode \(\mathscr {D}\subseteq \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) such that \(\mathscr {D}\subseteq \mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) for some \(r'\) satisfying \(r'-r > q+1\).
Moreover, it turns out that \(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) can be replaced by a subcode without changing the result of the previous discussions. This is what is argued in the following heuristic.
Heuristic 1
In the context of Proposition 6, suppose that \(q< r'-r < 2q\). Let \(\mathscr {D}\) be a subcode of \(\mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) such that
- (i) \(\dim \mathscr {D}\cdot \dim \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \geqslant n\);
- (ii) \(\mathscr {D}\not \subset \mathscr {A}_{r'+1}({\varvec{x}},{\varvec{y}})\);
- (iii) a generator matrix of \(\mathscr {D}\) has no zero column.
Then, with a high probability,
Let us give some evidence for this heuristic. From Proposition 4,
From (2), we have \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp = \text {Tr}_{\mathbb {F}_{q^2}/\mathbb {F}_q} ({\mathbf {GRS}}_{r}({\varvec{x}},{\varvec{y}})). \) Since \(\mathscr {D}\) is a code over \(\mathbb {F}_q\) and by the \(\mathbb {F}_q\)-linearity of the trace map, we get
Since \(\mathscr {D}\subseteq \mathscr {A}_{r'}({\varvec{x}},{\varvec{y}})\) then, from (1), it is a subset of a GRS code. Namely,
Therefore, thanks to Theorem 4, we get
Note that \(\mathscr {D} \star \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \) is spanned by \(\dim \mathscr {D}\cdot \dim \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \) generators which are obtained by computing the Schur products of elements of a basis of \(\mathscr {D}\) by elements of a basis of \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})^\perp \). By (i), the number of such generators exceeds n. For this reason, it is reasonable to hope that this Schur product fills in the target code and that,
Next, we have
Therefore, using Lemma 1, we conclude that
Using Remark 3, we get the result.
Remark 4
Assumption (ii) rules out the situation where the conductor could be the subfield subcode of a larger Reed-Solomon code. Assumption (iii) rules out the presence of words of weight 1 in the conductor, which would not be elements of a Reed-Solomon code.
Further Discussion on the Heuristic. In all our computer experiments, we never observed any phenomenon contradicting this heuristic.
5 Fundamental Degree Properties of the Invariant Subcode of a QD Alternant Code
A crucial statement for the attack is:
Theorem 5
Let \({\varvec{x}}, {\varvec{y}}\in \mathbb {F}_{q^2}^n\) be a support and a multiplier. Let s be an integer of the form \(s = 2^\gamma s_0\). Suppose that \(\mathscr {A}_{s_0}(\overline{\psi _{\mathcal {G}}({\varvec{x}})},\overline{{\varvec{y}}})\) is fully non degenerate (see Definition 5 and Sect. 2.5 for notation \(\psi _\mathcal {G}\) and \(\overline{{\varvec{y}}}\)). Then,
- (a) \({\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}} \subseteq \mathscr {A}_{s + |\mathcal {G}| - 1}({\varvec{x}},{\varvec{y}});\)
- (b) \({\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}} \not \subseteq \mathscr {A}_{s + |\mathcal {G}|}({\varvec{x}},{\varvec{y}}).\)
Proof
From (1), we have
This code is obtained by evaluation of polynomials of degree up to
From Theorem 2, the invariant codewords of \(\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})\) come from evaluations of polynomials of the form \(h \circ \psi _\mathcal {G}\). Such polynomials have a degree that is a multiple of \(\deg \psi _\mathcal {G}= 2^\gamma \) and hence their degree cannot exceed \(2^\gamma (n_0 - s_0 - 1)\). Thus, they should lie in \(\mathbb {F}_{q^2}[z]_{\leqslant n-s -|\mathcal {G}|} = \mathbb {F}_{q^2}[z]_{<n-s-|\mathcal {G}|+1}\). This leads to
This proves (a).
To prove (b), note that the assumption on \(\mathscr {A}_{s_0}(\overline{\psi _\mathcal {G}({\varvec{x}})},\overline{{\varvec{y}}})\) asserts the existence of \(f \in \mathbb {F}_{q^2}[z]_{< n_0 - s_0}\) such that \(\deg f = n_0 - s_0 - 1\) and \(f(\overline{\psi _\mathcal {G}({\varvec{x}})}) \in \mathbb {F}_q^{n_0}\). Thus, \(f(\psi _\mathcal {G}({\varvec{x}})) \in \mathbb {F}_q^n\) and \(\deg (f \circ \psi _\mathcal {G}) = n -s - |\mathcal {G}|\). Therefore \(f (\psi _\mathcal {G}({\varvec{x}})) \in {\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}}\), and \({\mathscr {A}_{s}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}}\) contains an element of \(\mathscr {A}_{s+ |\mathcal {G}| -1}({\varvec{x}},{\varvec{y}})\) that is not in \(\mathscr {A}_{s+|\mathcal {G}|}({\varvec{x}},{\varvec{y}})\). \(\square \)
6 Presentation of the Attack
6.1 Context
Recall that the extension degree is always \(m = 2\). The public code is the QD alternant code
with a permutation group \(\mathcal {G}\) of cardinality \(|\mathcal {G}| = 2^\gamma \). As in Sect. 2.6, the code has length \(n = n_0 2^\gamma \), dimension k, and is defined over a field \(\mathbb {F}_q\) with \(q = 2^\ell \) for some positive integer \(\ell \). The degree r of the alternant code is also a multiple of \(|\mathcal {G}| = 2^\gamma \) and hence is of the form \(r = r_0 2^\gamma \). We suppose from now on that the classical lower bound on the dimension k is reached, i.e. \(k = n -2r\). This always holds for the parameters proposed in [3]. We finally set \(k_0 = k/2^\gamma \). In summary, we have the following notation
6.2 The Subcode \(\mathscr {D}\)
We introduce a subcode \(\mathscr {D}\) of \({\mathscr {C}_{\text {pub}}}\) and prove that its knowledge permits to compute the norm trace code. This code \(\mathscr {D}\) is unknown to the attacker, and we will see in Sect. 7 that the time consuming part of the attack consists in guessing it.
Definition 12
Suppose that \(|\mathcal {G}| \leqslant q\). We define the code \(\mathscr {D}\) as
Remark 5
For parameters suggested in DAGS, we always have \(|\mathcal {G}| \leqslant q\), with strict inequality for DAGS_1 and DAGS_3 and equality for DAGS_5.
Remark 6
The case \(q < |\mathcal {G}|\), which never holds for the parameters suggested in DAGS, would be particularly easy to treat. In such a situation, possibly replacing \(\mathcal {G}\) by a subgroup, one can suppose that \(|\mathcal {G}| = 2q\). Next, according to Theorem 5 and Heuristic 1, we would have
which would provide a very simple way to compute .
The following results are the key to the attack. Theorem 6 explains why this subcode \(\mathscr {D}\) is of central interest and how it can be used to recover the norm-trace code, from which the secret key can be recovered (see Sect. 6.6). Theorem 7 explains why this subcode \(\mathscr {D}\) can be computed in a reasonable time thanks to the QD structure. Indeed, it shows that even if \(\mathscr {D}\) has a large codimension as a subcode of \({\mathscr {C}_{\text {pub}}}\), its codimension in \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\) is much smaller. This is why the QD structure plays a crucial role in this attack (Table 3).
Theorem 6
Under Heuristic 1 and assuming that \(\overline{\mathscr {A}_{r+q}({\varvec{x}},{\varvec{y}})}^{\mathcal {G}}\) is fully non degenerate (see Definition 5), we have
Proof
It is a direct consequence of Theorem 5 and Heuristic 1. \(\square \)
Theorem 7
The code \(\mathscr {D}\) has codimension \(\leqslant \frac{2q}{|\mathcal {G}|} = 2^{\ell - \gamma +1}\) in \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\).
Proof
Using Theorem 3, we know that \(\mathscr {D}\) has the same dimension as \(\mathscr {A}_{r_0 + \frac{q}{|\mathcal {G}|}}(\overline{\psi _\mathcal {G}({\varvec{x}})},\overline{{\varvec{y}}})\). This code has dimension \(\geqslant n_0 - 2(r_0 + \frac{q}{|\mathcal {G}|})\). Since \(\dim {({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}} = k_0 = n_0 - 2r_0\), we get the result. \(\square \)
Remark 7
Actually the codimension equals \(2^{\ell - \gamma +1}\) almost all the time.
6.3 Description of the Attack
The attack can be summarised as follows:
- (1) Compute \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\);
- (2) Guess the subcode \(\mathscr {D}\) of \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\) of codimension \(\frac{2q}{|\mathcal {G}|}\) such that
- (3) Determine \({\varvec{x}}\) from and then \({\varvec{y}}\) from \({\varvec{x}}\).
The difficult part is clearly the second one: how to guess \(\mathscr {D}\)? We present two ways to make this guess.
- The first one consists in performing an exhaustive search on the subcodes of codimension \(\frac{2q}{|\mathcal {G}|}\) of \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\).
- The second one consists in finding both \(\mathscr {D}\) and by solving a system of equations of degree 2 using Gröbner bases.
The first approach has a significant cost, which nevertheless remains far below the expected security level of the DAGS proposed parameters. For the second approach, we did not manage to obtain a relevant estimate of the work factor, but its practical implementation breaks DAGS_1 in about 20 min and DAGS_5 in less than one minute (see Sect. 8 for further details on the implementation). We did not manage to break DAGS_3 parameters using the second approach. On the other hand, the first approach would have a work factor of \(\approx 2^{80}\) for keys with an expected security of 192 bits.
The remainder of this section is devoted to detailing the different steps of the attack.
6.4 First Approach, Brute Force Search of \(\mathscr {D}\)
A first way of getting \(\mathscr {D}\) and then of obtaining consists in enumerating all the subspaces \(\mathscr {X}\subseteq {({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\) of codimension \(\frac{2q}{|\mathcal {G}|}\) until we find one such that \(\mathbf {Cond}(\mathscr {X}, {\mathscr {C}_{\text {pub}}})\) has dimension 4. Indeed, for an arbitrary \(\mathscr {X}\) the conductor will have dimension 1 and be generated by \({\varvec{1}}\), while for \(\mathscr {X}= \mathscr {D}\) the conductor will be which has dimension 4.
The number of subspaces to enumerate is in \(O(q^{(2q/|\mathcal {G}|) (k_0 - 2q/|\mathcal {G}|)})\), which is in general much too large to make the attack practical. It is however possible to reduce the cost of the brute force attack as follows.
Using Random Subcodes of Dimension 2. For any parameter set proposed in DAGS, the public code has a rate k / n less than 1 / 2. Hence, its dual has rate larger than 1 / 2. Therefore, according to Heuristic 1, given a random subcode \(\mathscr {D}_0\) of \(\mathscr {D}\) of dimension 2, then with a high probability.
Thus, one can proceed as follows:
- Pick two independent vectors \(\varvec{c}, \varvec{c}' \in {({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\) at random and compute \(\mathbf {Cond}(\langle \varvec{c}, \varvec{c}' \rangle , {\mathscr {C}_{\text {pub}}})\);
- If the conductor has dimension 4, you have probably found , then pursue the attack as explained in Sect. 6.6;
- Else, try again.
The probability that \(\varvec{c}, \varvec{c}' \in \mathscr {D}\) equals \(q^{-\frac{4q}{|\mathcal {G}|}}\). Therefore, one may have found after \(O(q^{\frac{4q}{|\mathcal {G}|}})\) computations of conductors.
Example 1
The average number of computations of conductors will be
- \(O(q^8) = O(2^{40})\) for DAGS_1;
- \(O(q^8) = O(2^{48})\) for DAGS_3;
- \(O(q^4) = O(2^{24})\) for DAGS_5.
Using Shortened Codes. Another way consists in replacing the public code by one of its shortenings. For that, we shorten \({\mathscr {C}_{\text {pub}}}= \mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\) at a set of \(a = a_0 2^\gamma \) positions which is a union of blocks, so that the shortened code remains QD. We choose the integer a such that the invariant subcode of the shortened code has dimension \(2 + {\frac{2q}{|\mathcal {G}|}}\) and hence the shortening of \(\mathscr {D}\) has dimension 2. Let \(\mathcal {I}\) be such a subset of positions. To determine \(\mathcal {S}_{\mathcal {I}}\left( \mathscr {D}\right) \), we can enumerate the subspaces \(\mathscr {X}\) of dimension 2 of \(\mathcal {S}_{\mathcal {I}}\left( {\mathscr {C}_{\text {pub}}}\right) \) and compute \(\mathbf {Cond}(\mathscr {X}, \mathcal {S}_{\mathcal {I}}\left( {\mathscr {C}_{\text {pub}}}\right) )\). In general, we get the trivial code spanned by the all-one codeword \({\varvec{1}}\). If the conductor has dimension 4, it is highly likely that we found \(\mathcal {S}_{\mathcal {I}}\left( \mathscr {D}\right) \) and that the computed conductor equals .
The number of such spaces we enumerate is in \(O (q^{\frac{4q}{|\mathcal {G}|}})\), which is very similar to the cost of the previous method.
6.5 Second Approach, Solving a Polynomial System of Degree 2
An alternative approach to recover \(\mathscr {D}\) and consists in solving a polynomial system. We proceed as follows. Since \(\text {Tr}({\varvec{x}}) \in \mathbf {Cond}(\mathscr {D}, {\mathscr {C}_{\text {pub}}})\) and, from Proposition 4, \(\mathbf {Cond}(\mathscr {D}, {\mathscr {C}_{\text {pub}}}) = {(\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp )}^\perp \), then
where \(\varvec{G}_{\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp }\) denotes a generator matrix of \(\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp \). The above identity holds true when replacing \(\text {Tr}({\varvec{x}})\) by \(\text {Tr}(\beta {\varvec{x}})\) for any \(\beta \in \mathbb {F}_{q^2}\). Hence,
The above identity provides the system we wish to solve. We have two types of unknowns: the code \(\mathscr {D}\) and the vector \({\varvec{x}}\). Let \(c {\mathop {=}\limits ^{\text {def}}}\frac{2q}{|\mathcal {G}|}\) be the codimension of \(\mathscr {D}\) in \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\). For \(\mathscr {D}\), let us introduce \((k_0-c)k_0\) formal variables \(U_{11}, \ldots , U_{1, c},\) \(\ldots , U_{k_0-c, 1}, \ldots , U_{k_0-c, c}\) and set
where \(\varvec{I}_{k_0 - c}\) denotes the \((k_0 - c) \times (k_0 - c)\) identity matrix and \(\varvec{G}^\mathrm{inv}\) denotes a \(k_0 \times n_0\) generator matrix of \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\). It is probable that \(\mathscr {D}\) has a generator matrix of the form \(\varvec{G}(u_{ij})\) for some special values \(u_{11}, \ldots , u_{k_0-c, c} \in \mathbb {F}_q\). The case where \(\mathscr {D}\) has no generator matrix of this form is rare and can be addressed by choosing another generator matrix for \({({\mathscr {C}_{\text {pub}}})}^{\mathcal {G}}\).
Now, let \(\varvec{H}\) be a parity-check matrix of \({\mathscr {C}_{\text {pub}}}\). A generator matrix of \(\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp \) can be obtained by constructing a matrix whose rows list all the possible Schur products of one row of a generator matrix of \(\mathscr {D}\) by one row of a parity-check matrix of \({\mathscr {C}_{\text {pub}}}\). Therefore, let \(\varvec{R}(U_{ij})\) be a matrix with entries in \(\mathbb {F}_q[U_{1,1}, \ldots , U_{k_0-c, c}]\) whose rows list all the possible Schur products of one row of \(\varvec{G}(U_{i,j})\) and one row of \(\varvec{H}\). Hence, there is a specialisation \(u_{11}, \ldots , u_{k_0-c, c} \in \mathbb {F}_q\) of the variables \(U_{ij}\) such that \(\varvec{R} (u_{ij})\) is a generator matrix of \(\mathscr {D} \star {\mathscr {C}_{\text {pub}}}^\perp \).
The second set of variables \(X_1, \ldots , X_n\) corresponds to the entries of \({\varvec{x}}\). Using (9), the polynomial system we have to solve is nothing but
Reducing the Number of Variables. Actually, it is possible to reduce the number of variables using three different tricks.
- 1. Since the code is QD, the vector \({\varvec{x}}\) is a union of orbits under the action of the additive group \(\mathcal {G}\). Therefore, one can introduce formal variables \(A_1, \ldots , A_\gamma \) corresponding to the generators of \(\mathcal {G}\). Then, one can replace \((X_1, \ldots , X_n)\) by
$$\begin{aligned} (T_1,\ T_1 + A_1,\ \ldots \ ,\ T_1 + A_1 + \cdots + A_\gamma ,\ T_2, T_2+A_1,\ \ldots \ ). \end{aligned}$$ (11)
  for some variables \(T_1, \ldots , T_{n_0}\).
- 2. Without loss of generality, and because of the 2-transitive action of the affine group on \(\mathbb {F}_{q^2}\), one can suppose that the first entries of \({\varvec{x}}\) are 0 and 1 respectively (see for instance [12, Appendix A]). Therefore, in (11), one can replace \(T_1\) by 0 and \(A_1\) by 1.
- 3. Similarly to the approach of Sect. 6.4, one can shorten the codes so that \(\mathscr {D}\) has only dimension 2, which reduces the number of variables \(U_{ij}\) to 2c and also reduces the length of the support we seek, and hence the number of variables \(T_i\).
On the Structure of the Polynomial System. The polynomial equations have all the following features:
- Any equation is the sum of an affine and a bilinear form;
- Any degree 2 monomial is either of the form \(U_{ij}A_k\) or of the form \(U_{ij}T_k\).
Table 4 lists for the different proposals the number of variables of type U, A and T of the system when we use the previously described shortening trick.
6.6 Finishing the Attack
When the previous step of the attack is over, then, if we used the first approach based on a brute force search of \(\mathscr {D}\), we know at least or for some set \(\mathcal {I}\) of positions. If we used the second approach, then \({\varvec{x}}\) is already computed, or at least \({\varvec{x}}_{\mathcal {I}}\) for some set of indexes \(\mathcal {I}\). Thus, it remains to
- (1) recover \({\varvec{x}}\) from or \({\varvec{x}}_\mathcal {I}\) from ;
- (2) recover \({\varvec{y}}\) from \({\varvec{x}}\) or \({\varvec{y}}_\mathcal {I}\) from \({\varvec{x}}_\mathcal {I}\);
- (3) recover \({\varvec{x}}, {\varvec{y}}\) from \({\varvec{x}}_\mathcal {I}, {\varvec{y}}_\mathcal {I}\).
Recovering \({\varvec{x}}\) from . The code has dimension 4 over \(\mathbb {F}_q\) and is spanned by \({\varvec{1}}, \text {Tr}({\varvec{x}}), \text {Tr}(\alpha {\varvec{x}}), \text {N}({\varvec{x}})\). It is not difficult to prove that
where denotes the \(\mathbb {F}_{q^2}\)-linear code contained in \(\mathbb {F}_{q^2}^n\) and spanned over \(\mathbb {F}_{q^2}\) by the elements of .
Because of the 2-transitivity of the affine group on \(\mathbb {F}_{q^2}\), without loss of generality, one can suppose that the first entry of \({\varvec{x}}\) is 0 and the second one is 1 (see for instance [12, Appendix A]). Therefore, after shortening we get a code that we call \(\mathscr {S}\), which is of the form
Next, a simple calculation shows that
Since the second entry of \({\varvec{x}}\) has been set to 1, we can deduce the value of \({\varvec{x}}^{\star (q+1)}\).
Remark 8
Both \(\mathscr {S}\) and have a basis defined over \(\mathbb {F}_q\); therefore, to get \(\langle {\varvec{x}}^{\star (q+1)}\rangle _{\mathbb {F}_q}\), it is sufficient to perform all computations on codes defined over \(\mathbb {F}_q\).
Now, finding \({\varvec{x}}\) is easy: enumerate the affine subspace of of vectors whose first entry is 0 and second entry is 1 (or equivalently, the affine subspace of vectors of \(\mathscr {S}\) whose first entry equals 1). For any such vector \(\varvec{c}\), compute \(\varvec{c}^{\star (q+1)}\). If \(\varvec{c}^{\star (q+1)} = {\varvec{x}}^{\star (q+1)}\), then \(\varvec{c}\) equals either \({\varvec{x}}\) or \({\varvec{x}}^{\star q}\). Since \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}}) = \mathscr {A}_{r}({\varvec{x}}^{\star q},{\varvec{y}}^{\star q})\) (see for instance [12, Lemma 39]), taking \({\varvec{x}}\) or \({\varvec{x}}^{\star q}\) has no importance. Thus, without loss of generality, one can suppose \({\varvec{x}}\) has been found.
Recovering \({\varvec{y}}\) from \({\varvec{x}}\) . This is a very classical calculation. The public code \({\mathscr {C}_{\text {pub}}}\) is alternant, and hence is well known to have a parity-check matrix defined over \(\mathbb {F}_{q^2}\) of the form
Denote by \(\varvec{G}_\mathrm{pub}\) a generator matrix of \({\mathscr {C}_{\text {pub}}}\). Then, since the \(x_i\)'s are known, the \(y_i\)'s can be computed by solving the linear system
Recovering \({\varvec{x}}\mathbf , {\varvec{y}}\) from \({{\varvec{x}}}_{\varvec{\mathcal {I}}}, {{\varvec{y}}}_{\varvec{\mathcal {I}}}\) . After a suitable reordering of the indexes, one can suppose that \(\mathcal {I}= \{s, s+1, \ldots , n\}\). Hence, the entries \(x_1, \ldots , x_{s-1}\) of \({\varvec{x}}\) and \(y_1, \ldots , y_{s-1}\) of \({\varvec{y}}\) are known. Set \(\mathcal {I}' {\mathop {=}\limits ^{\text {def}}}\mathcal {I}\setminus \{s\}\). Let \(\varvec{G}(\mathcal {I}')\) be a generator matrix of \(\mathscr {A}_{r}({\varvec{x}}_{\mathcal {I}'}, {\varvec{y}}_{\mathcal {I}'})\), which is nothing but \(\mathcal {S}_{\mathcal {I}'}\left( {\mathscr {C}_{\text {pub}}}\right) \). Using (12), we have
In the above identity, all the \(x_i\)'s and \(y_i\)'s are known except \(x_s, y_s\). The entry \(y_s\) can be found by solving the linear system
Then, \(x_s\) can be deduced by solving the linear system
In this manner, we can iteratively recover the entries \(x_{s+1}, \ldots , x_n\) and \(y_{s+1}, \ldots , y_n\). The only constraint is that \(\mathcal {I}\) should be small enough so that \(\mathcal {S}_{\mathcal {I}}\left( {\mathscr {C}_{\text {pub}}}\right) \) is nonzero. But this always holds true for the choices of \(\mathcal {I}\) we made in the previous sections.
6.7 Comparison with a Previous Attack
First, let us recall the attack on wild Goppa codes over quadratic extensions [12]. This attack concerns a subclass of alternant codes called wild Goppa codes. For such codes a distinguisher exists which makes it possible to compute a filtration of the public code. Hence, after some computations, we obtain the subcode \(\mathscr {A}_{r+q+1}({\varvec{x}},{\varvec{y}})\) of the public code \(\mathscr {A}_{r}({\varvec{x}},{\varvec{y}})\). Then, according to Heuristic 1, the computation of a conductor permits to get the code . As soon as is known, the recovery of the secret is easy. Note that the use of the techniques of Sect. 6.6 can significantly simplify the end of the attack of [12], which was rather technical.
We emphasise that, apart from the computation of via a conductor, which appears in our attack as well as in [12], the two attacks remain very different. Indeed, in [12] the way one gets a subcode whose conductor into the public code yields is based on a distinguisher which does not work for general alternant codes that are not Goppa codes. In addition, in the present attack the use of the permutation group is crucial, while it was useless in [12].
7 Complexity of the First Version of the Attack
As explained earlier, we have not been able to provide a complexity analysis of the approach based on polynomial system solving, in particular because the Macaulay matrix in degree 2 of the system turned out to have a surprisingly low rank, showing that this polynomial system is far from generic. Consequently, we limit our analysis to the first approach, based on performing a brute force search on the subcode \(\mathscr {D}\).
Since we look for approximate work factors, we will discuss an upper bound on the complexity and not only a big O.
7.1 Complexity of Calculation of Schur Products
A Schur product \(\mathscr {A} \star \mathscr {B}\) of two codes \(\mathscr {A}, \mathscr {B}\) of length n and respective dimensions \(k_a, k_b\) is computed as follows.
- 1. Take bases \(\varvec{a}_1, \ldots , \varvec{a}_{k_a}\) and \(\varvec{b}_1, \ldots , \varvec{b}_{k_b}\) of \(\mathscr {A}\) and \(\mathscr {B}\) respectively and construct a matrix \(\varvec{M}\) whose rows are all the possible products \(\varvec{a}_i \star \varvec{b}_j\), for \(1 \leqslant i \leqslant k_a\) and \(1 \leqslant j \leqslant k_b\). This matrix has \(k_a k_b\) rows and n columns.
- 2. Perform Gaussian elimination to get a reduced echelon form of \(\varvec{M}\).
The cost of the computation of a reduced echelon form of an \(s \times n\) matrix is \(ns\min (n,s)\) operations in the base field. The cost of the computation of the matrix \(\varvec{M}\) is the cost of \(k_a k_b\) Schur products of vectors, i.e. \(n k_a k_b\) operations in the base field. This leads to an overall cost for the Schur product of
operations in the base field. When \(k_a k_b \geqslant n\), the cost of the Schur product can be reduced using a probabilistic shortcut described in [10]. It consists in computing an \(n \times n\) submatrix of \(\varvec{M}\) by choosing some random subset of the products \(\varvec{a}_i \star \varvec{b}_j\). This reduces the cost of computing a generator matrix in row echelon form of \(\mathscr {A} \star \mathscr {B}\) to \(2n^3\) operations in the base field.
7.2 Cost of a Single Iteration of the Brute Force Search
Computing the conductor \(\mathbf {Cond}(\mathscr {X}, {\mathscr {C}_{\text {pub}}})\) consists in computing the code \({(\mathscr {X} \star {\mathscr {C}_{\text {pub}}}^\perp )}^\perp \). Since our attack consists in computing such conductors for various \(\mathscr {X}\)’s, one can compute a generator matrix of \({\mathscr {C}_{\text {pub}}}^\perp \) once and for all. Hence, one can suppose that a generator matrix of \({\mathscr {C}_{\text {pub}}}^\perp \) is known. Then, according to Sect. 7.1, the calculation of a generator matrix of \(\mathscr {X} \star {\mathscr {C}_{\text {pub}}}^\perp \) costs at most \(2n^3\) operations in \(\mathbb {F}_q\).
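The three linear-algebra primitives on which Sects. 6.6, 7.1 and 7.2 rest (a Schur product computed as the \(k_a k_b\) componentwise products followed by Gaussian elimination, a conductor computed through the identity \(\mathbf {Cond}(\mathscr {X}, \mathscr {C}) = {(\mathscr {X} \star \mathscr {C}^\perp )}^\perp \) of Proposition 4, and the recovery of the multiplier from a known support by solving the linear system of Sect. 6.6) are illustrated by the following Python script. It is an added example written for this page, not the authors' Magma implementation. It assumes a constructed toy field \(\mathbb {F}_{16}\) in place of the fields \(\mathbb {F}_{q^2}\) used by DAGS, a constructed support and multiplier, and a plain GRS code (no subfield subcode step) standing in for the alternant public code; the names `schur`, `conductor`, `grs` and `recover_y` are the example's own.

```python
# Added example, not from the paper: Schur products, duals, conductors and the
# linear recovery of y from x. The toy field GF(16) = GF(2)[z]/(z^4 + z + 1) stands
# in for the F_{q^2} of DAGS; the support, the multiplier and the use of a plain GRS
# code in place of an alternant code are constructed assumptions for brevity.
MOD, ORDER = 0b10011, 16          # modulus z^4 + z + 1, field size


def gf_mul(a, b):
    """Carry-less product of two GF(16) elements, reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def gf_inv(a):
    return gf_pow(a, ORDER - 2)   # a^(q-2) = a^-1 for a != 0


def rref(rows):
    """Reduced row echelon form over GF(16): (nonzero rows, pivot columns)."""
    rows = [list(r) for r in rows]
    n = len(rows[0]) if rows else 0
    piv, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        inv = gf_inv(rows[r][c])
        rows[r] = [gf_mul(inv, v) for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [u ^ gf_mul(f, v) for u, v in zip(rows[i], rows[r])]
        piv.append(c)
        r += 1
        if r == len(rows):
            break
    return rows[:r], piv


def dual(gen, n):
    """Basis of the dual code, i.e. the right null space of the rows of gen."""
    rows, piv = rref(gen)
    basis = []
    for fc in (c for c in range(n) if c not in piv):
        v = [0] * n
        v[fc] = 1
        for i, pc in enumerate(piv):
            v[pc] = rows[i][fc]      # -A^T equals A^T in characteristic 2
        basis.append(v)
    return basis


def schur(a_rows, b_rows):
    """Sect. 7.1: the k_a * k_b componentwise products, then Gaussian elimination."""
    prods = [[gf_mul(u, v) for u, v in zip(a, b)] for a in a_rows for b in b_rows]
    return rref(prods)[0]


def conductor(x_rows, c_rows, n):
    """Proposition 4 of the paper: Cond(X, C) = (X * C^perp)^perp."""
    return dual(schur(x_rows, dual(c_rows, n)), n)


def grs(x, y, k):
    """Generator matrix of GRS_k(x, y): row i is (y_j * x_j^i)_j for i < k."""
    return [[gf_mul(yj, gf_pow(xj, i)) for xj, yj in zip(x, y)] for i in range(k)]


def recover_y(x, gen, r):
    """Sect. 6.6: with x known, solve sum_j G[a][j] x_j^i Y_j = 0 (i < r) for Y."""
    eqs = [[gf_mul(g[j], gf_pow(x[j], i)) for j in range(len(x))]
           for g in gen for i in range(r)]
    return dual(eqs, len(x))         # expected: one vector, proportional to y


def demo():
    """Constructed check on RS codes supported by the 15 nonzero elements of GF(16)."""
    x, one = list(range(1, 16)), [1] * 15
    y = [3, 5, 7, 9, 11, 13, 15, 2, 4, 6, 8, 10, 12, 14, 1]   # constructed multiplier
    pub = dual(grs(x, y, 4), 15)      # code whose parity-check matrix is (y_j x_j^i)
    (sol,) = recover_y(x, pub, 4)     # exactly one solution up to a scalar
    lam = gf_mul(y[0], gf_inv(sol[0]))   # remove the scalar ambiguity
    return {
        "dim RS3*RS3": len(schur(grs(x, one, 3), grs(x, one, 3))),
        "dim Cond(RS2, RS4)": len(conductor(grs(x, one, 2), grs(x, one, 4), 15)),
        "y recovered": [gf_mul(lam, s) for s in sol] == y,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script reproduces the two facts the attack relies on at toy scale: the Schur product of two RS codes of dimension 3 is the RS code of dimension 5 (the product fills in the target code, as discussed after Theorem 4), and the conductor of \(\mathrm{RS}_2\) into \(\mathrm{RS}_4\) is exactly \(\mathrm{RS}_3\), so its dimension reveals structure. The multiplier is recovered only up to a nonzero scalar, which is harmless since scaling the multiplier does not change the code. The probabilistic shortcut of [10] (keeping a random \(n \times n\) submatrix of the product matrix) is not implemented here; the script performs the full \(k_a k_b\)-row elimination of Sect. 7.1.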
7.3 Complexity of finding \(\mathscr {D}\) and \(\mathscr {N}{\!\!}\mathscr {T} (\varvec{x})\)
According to Sect. 6.4, the average number of iterations of the brute force search is \(q^{2\mathrm{Codim} \mathscr {D}}\), that is \(q^{\frac{4q}{|\mathcal {G}|}}\). Thus, we get an overall cost of the first step bounded above by
Since \(n = \varTheta (q^2)\), we get a complexity in \(O(n^{3+\frac{2q}{|\mathcal {G}|}})\) operations in \(\mathbb {F}_q\) for the computation of .
7.4 Complexity of deducing \({\varvec{x}}, {\varvec{y}}\) from \(\mathscr {N}{\!\!}\mathscr {T} (\varvec{x})\)
A simple analysis shows that the final part of the attack is negligible compared to the previous step. Indeed,
- the computation of costs \(O(n^2)\) operations in \(\mathbb {F}_q\) (because of Remark 8, one can perform these computations over \(\mathbb {F}_q\)), since the code has dimension 4;
- the computation of boils down to linear algebra and costs \(O(n^3)\) operations in \(\mathbb {F}_q\);
- the enumeration of the subset of of elements whose first entry is 0 and second one is 1, together with the computation of their norm, costs \(O(q^4 n) = O(n^3)\) operations in \(\mathbb {F}_{q^2}\). Indeed, the affine subspace of which is enumerated has dimension 2 over \(\mathbb {F}_{q^2}\) and hence has \(q^4\) elements, while the computation of the componentwise norm of a vector costs O(n) operations, assuming that the Frobenius \(z \mapsto z^q\) can be computed in constant time in \(\mathbb {F}_{q^2}\);
- the recovery of \({\varvec{y}}\) from \({\varvec{x}}\) boils down to linear algebra and hence can also be done in \(O(n^3)\) operations in \(\mathbb {F}_{q^2}\). If we have to recover \({\varvec{x}}, {\varvec{y}}\) from \({\varvec{x}}_\mathcal {I}, {\varvec{y}}_\mathcal {I}\), it can be done iteratively by solving a system of a constant number of equations, hence the cost of one iteration is in \(O(n^2)\) operations in \(\mathbb {F}_{q^2}\).
Thus, the overall cost remains in \(O(n^3)\) operations in \(\mathbb {F}_{q^2}\).
7.5 Overall Complexity
As a conclusion, the attack has an approximate work factor of
7.6 Approximate Work Factors of the First Variant Of the Attack on DAGS Parameters
We assume that operations in \(\mathbb {F}_q\) can be done in constant time. Indeed, the base fields of the public keys of the DAGS proposal are \(\mathbb {F}_{32}\) and \(\mathbb {F}_{64}\). For such fields, it is reasonable to store a multiplication and an inversion table.
Therefore, we list in Table 5 some approximate work factors for DAGS according to (13). The second column recalls the security levels claimed in [3] for the best possible attack. The last column gives the approximate work factors for the first variant of our attack.
8 Implementation
Tests have been done using Magma [8] on an Intel® Xeon 2.27 GHz.
Since the first variant of the attack was too costly to be tested on our machines, we tested it on the toy parameters DAGS_0. We performed 20 tests, which succeeded in an average time of 2 h.
On the other hand, we tested the second variant, based on solving a polynomial system, on DAGS_1, _3 and _5. We have not been able to break DAGS_3 keys using this variant of the attack; on the other hand, about 100 tests have been performed for DAGS_1 and DAGS_5. The average running times are listed in Table 6.
References
Baldi, M., Bianchi, M., Chiaraluce, F.: Security and complexity of the McEliece cryptosystem based on QC-LDPC codes. IET Inf. Secur. 7(3), 212–220 (2013)
Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Enhanced public key security for the McEliece cryptosystem. J. Cryptol. 29(1), 1–27 (2016)
Banegas, G., et al.: DAGS : key encapsulation for dyadic GS codes, November 2017. First round submission to the NIST post-quantum cryptography call. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/DAGS.zip
Barelli, E.: On the security of some compact keys for McEliece scheme. In: WCC Workshop on Coding and Cryptography, September 2017. http://wcc2017.suai.ru/Proceedings_WCC2017.zip
Berger, T.P., Cayrel, P.-L., Gaborit, P., Otmani, A.: Reducing key length of the McEliece cryptosystem. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 77–97. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_6
Berger, T.P., Loidreau, P.: How to mask the structure of codes for a cryptographic use. Des. Codes Cryptogr. 35(1), 63–79 (2005)
Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24(3), 384–386 (1978)
Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: the user language. J. Symbolic Comput. 24(3/4), 235–265 (1997)
Couvreur, A., Gaborit, P., Gauthier-Umaña, V., Otmani, A., Tillich, J.P.: Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr. 73(2), 641–666 (2014). https://doi.org/10.1007/s10623-014-9967-z
Couvreur, A., Márquez-Corbella, I., Pellikaan, R.: Cryptanalysis of McEliece cryptosystem based on algebraic geometry codes and their subcodes. IEEE Trans. Inf. Theory 63(8), 5404–5418 (2017)
Couvreur, A., Otmani, A., Tillich, J.P.: Polynomial time attack on wild McEliece over quadratic extensions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 17–39. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_2
Couvreur, A., Otmani, A., Tillich, J.P.: Polynomial time attack on wild McEliece over quadratic extensions. IEEE Trans. Inf. Theory 63(1), 404–427 (2017). https://doi.org/10.1109/TIT.2016.2574841
Couvreur, A., Otmani, A., Tillich, J.-P., Gauthier–Umaña, V.: A polynomial-time attack on the BBCRS scheme. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 175–193. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_8
Delsarte, P.: On subfield subcodes of modified Reed-Solomon codes. IEEE Trans. Inf. Theory 21(5), 575–576 (1975)
Faugère, J.C., Otmani, A., Perret, L., de Portzamparc, F., Tillich, J.P.: Folding alternant and Goppa Codes with non-trivial automorphism groups. IEEE Trans. Inform. Theory 62(1), 184–198 (2016). https://doi.org/10.1109/TIT.2015.2493539
Faugère, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 279–298. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_14
Faugère, J.-C., Perret, L., de Portzamparc, F.: Algebraic attack against variants of McEliece with Goppa polynomial of a special form. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 21–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_2
Gaborit, P.: Shorter keys for code based cryptography. In: Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), Bergen, Norway, pp. 81–91, March 2005
Goss, D.: Basic Structures of Function Field arithmetic, Ergebnisse der Mathematik und ihrer Grenzgebiete (3) [Results in Mathematics and Related Areas (3)], vol. 35. Springer, Berlin (1996)
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes, 5th edn. North-Holland, Amsterdam (1986)
McEliece, R.J.: A Public-Key System Based on Algebraic Coding Theory. DSN Progress Report 44, pp. 114–116. Jet Propulsion Lab (1978)
Misoczki, R., Barreto, P.: Compact McEliece keys from Goppa codes. In: Selected Areas in Cryptography, Calgary, Canada (2009)
Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: Proceedings of the IEEE International Symposium on Information Theory - ISIT, pp. 2069–2073 (2013)
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control. Inf. Theory 15(2), 159–166 (1986)
Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of McEliece cryptosystem based on quasi-cyclic LDPC codes. In: Proceedings of First International Conference on Symbolic Computation and Cryptography, pp. 69–81. LMIB Beihang University, Beijing, April 2008
Persichetti, E.: Compact McEliece keys based on quasi-dyadic Srivastava codes. J. Math. Cryptol. 6(2), 149–169 (2012)
de Portzamparc, F.U.: Algebraic and physical security in code-based cryptography. (Sécurités algébrique et physique en cryptographie fondée sur les codes correcteurs d’erreurs). Ph.D. thesis, Pierre and Marie Curie University, Paris, France (2015)
Sidelnikov, V.M., Shestakov, S.: On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Math. Appl. 1(4), 439–444 (1992)
Wang, Y.: Quantum resistant random linear code based public key encryption scheme RLCE. In: Proceedings of the IEEE International Symposium on Information Theory - ISIT 2016, pp. 2519–2523. IEEE, Barcelona (2016). https://doi.org/10.1109/ISIT.2016.7541753
Wieschebrink, C.: Two NP-complete problems in coding theory with an application in code based cryptography. In: Proceedings of the IEEE International Symposium on Information Theory - ISIT, pp. 1733–1737 (2006)
Wieschebrink, C.: Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 61–72. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_5
Acknowledgements
The authors are supported by French Agence nationale de la recherche grants ANR-15-CE39-0013-01 Manta and ANR-17-CE39-0007 CBCrypt. Computer aided calculations have been performed using software Magma [8]. The authors express their deep gratitude to Jean-Pierre Tillich and Julien Lavauzelle for very helpful comments.
© 2018 International Association for Cryptologic Research
Barelli, É., Couvreur, A. (2018). An Efficient Structural Attack on NIST Submission DAGS. In: Peyrin, T., Galbraith, S. (eds) Advances in Cryptology – ASIACRYPT 2018. ASIACRYPT 2018. Lecture Notes in Computer Science(), vol 11272. Springer, Cham. https://doi.org/10.1007/978-3-030-03326-2_4
DOI: https://doi.org/10.1007/978-3-030-03326-2_4