Attacks in code based cryptography: a survey, new results and open problems

Transcription

1 Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018

2 1. Code based cryptography introduction Difficult problem in coding theory Problem 1. [Decoding] Input: n, r, t with r < n, parity-check matrix H F r n q, s F r q Question:? e such that { He = s e t where e = hamming weight of e = #{i 1, n, e i 0}. Problem N P -complete 1/52

3 The dual problem introduction Code C def = { c F n q : Hc = 0 } dim C = n r = k Input: t, C subspace of dim k of F n q, y F n q Question:? c C such that y c t. H(y }{{ c) } = Hy = s e y = the word that we want to decode e = y c = the error we want to find 2/52

4 A long-studied problem introduction Correct. t errors in a code of length n and dim. k has cost Õ(2α(k n, t n )n ) Author(s) Year max α(r, τ) R,τ Prange Stern Dumer Bernstein, Lange, Peters 2011 May, Meurer and Thomae Becker, Joux, May, Meurer May, Ozerov Both, May Both, May /52

5 Complexities collapse when t = o(n) introduction [CantoTorres, Sendrier, 2016] complexity 2 log(1 R)t(1+o(1)) when t = o(n) and where R = k/n 4/52

6 Code-based cryptography introduction Code C def = {c F n q : Hc = 0} Take a code that has an efficient decoding algorithm Public key: random parity-check matrix of the code H rand = QH where Q is a random invertible matrix in F r r q Private key: trapdoor to the efficient decoding algorithm 5/52

7 Two approaches introduction Pick up your favorite code (that has an efficient decoder) Choose a code/scheme with a reduction to decoding a generic linear code 6/52

8 History introduction 1978 McEliece: binary Goppa codes 1986 Niederreiter variant based on GRS codes 1991 Gabidulin, Paramonov, Tretjakov: Gabidulin codes 1994 Sidelnikov: Reed-Muller codes 1996 Janwa-Moreno: algebraic geometric codes 199* a zillion propositions with LDPC codes 2003 Alekhnovich: Alekhnovich system 2005 Berger-Loidreau: subcodes of GRS codes 2006 Wieschebrink, GRS codes + random columns in the generator matrix 7/52

9 2008 Baldi-Bodrato-Chiaraluce: LDPC based MDPC codes 2010 Bernstein, Lange, Peters: non-binary wild Goppa codes 2012 Misoczki-Tillich-Barreto-Sendrier: MDPC codes 2012 Löndahl-Johansson: convolutional codes 2013 Gaborit, Murat, Ruatta, Zémor: LRPC codes 2014 Shrestha, Kim: polar codes 2014 Hooshmand, Shooshtari, Eghlidos, Aref: subcodes of polar codes 8/52

10 Code based NIST submissions in Hamming metric Algebraic codes binary Goppa codes m=1 DAGS m=3 m=2 BIG QUAKE Classic McEliece NTS KEM RLCE KEM pqsigrm Reed Muller related 9/52

11 Code based NIST submissions in Hamming metric Non-algebraic codes BIKE HQC LEDAkem LEDApkc Lepton QC-MDPC RaCoSS 10/52

12 Code based NIST submissions in the rank metric Edon-K LAKE LOCKER McNie Ourobouros-R RankSign RQC 11/52

13 2. The main cryptanalytic techniques for attacking the key Finding small weight codewords in C or in C that reveal the underlying structure Algebraic attacks Product considerations Folding techniques Computing the hull C C 12/52

14 3. Product considerations product 13/52

15 Square code attacks product Definition 1. [Componentwise product] Given two vectors a = (a 1,..., a n ) and b = (b 1,..., b n ) F n q, we denote by a b the componentwise product a b def = (a 1 b 1,..., a n b n ) Definition 2. [Product of codes & square code] The star product code denoted by A B of A and B is the vector space spanned by all products a b where a and b range over A and B respectively. When B = A, A A is called the square code of A and is rather denoted by A 2. 14/52

16 Dimension of the square code product A and B codes with respective bases (a i ) and (b j ). 1. dim(a B) dim(a) dim(b) (generated by the a i b j s) ( ) dim(a) dim(a 2 ) (generated by the a i a j s with i j) 2 15/52

17 Generalized Reed-Solomon (GRS) codes product Definition 3. [Generalized Reed-Solomon code] Let k and n be integers such that 1 k < n q where q is a power of a prime number. The generalized Reed-Solomon code GRS k (x, y) of dimension k is associated to a pair (x, y) F n q F n q where x is an n-tuple of distinct elements of F q and the entries y i are arbitrary nonzero elements in F q. GRS k (x, y) is defined as: GRS k (x, y) def = { } (y 1 p(x 1 ),..., y n p(x n )) : p F q [X], deg p < k. x is the support and y the multiplier. 16/52

18 GRS codes, alternant codes product A GRS code corrects n k 2 errors. Definition 1. Let x (F q m) n, y (F q m) n be as in the definition of GRS codes. The alternant code Alt r (x, y) is defined by Proposition 1. Alt r (x, y) def = GRS } r {{ (x, y) } (F q ) n GRS n r (x,y ) dim Alt r (x, y) n mr d min Alt r (x, y) r /52

19 product What is wrong with generalized Reed-Solomon codes? When C is a random code of length n, with high probability [Cascudo, Cramer, Mirandola, Zémor] {( ) } dim(c) + 1 dim(c 2 ) = min, n 2 When C is a generalized Reed-Solomon code dim(c 2 ) = min {2 dim(c) 1, n} 18/52

20 The explanation product c = (y 1 p(x 1 ),..., y n p(x n )), c = (y 1 q(x 1 ),..., y n q(x n )) GRS k (x, y) where p and q are two polynomials of degree at most k 1. c c = ( y1p(x 2 1 )q(x 1 ),..., ynp(x 2 n )q(x n ) ) = ( y1r(x 2 1 ),..., ynr(x 2 n ) ) where r is a polynomial of degree 2k 2. = c c GRS 2k 1 (x, y 2 ) 19/52

21 product The Wieschebrink attack on the Berger-Loidreau cryptosystem known: a subcode C GRS k (x, y) unknown: x and y. If the codimension of C is small enough C C = GRS k (x, y) GRS k (x, y) = GRS 2k 1 (x, y ) The Wieschebrink attack 1. Compute C C = GRS 2k 1 (x, y ) 2. Recover x and y by using the Sidelnikov-Shestakov algorithm. 20/52

22 Filtration attack product [Couvreur, Otmani, T 2014]: m = 2. Attack on wild Goppa codes when 21/52

23 A filtration for GRS codes product A new attack on McEliece based on GRS codes. known : C 0 = GRS k (x, y) unknown : x,y. C 0 = GRS k (x, y) C 1 = GRS k 1 (x, y) C k 1 = GRS 1 (x, y) The point: C k 1 = {αy, α F q } y known x by solving a linear system. 22/52

24 The fundamental induction product C i C i 2 = C i 1 C i 1 C i C i 2 = GRS k i (x, y) GRS k i+2 (x, y) = GRS 2k 2i+1 (x, y y) = GRS k i+1 (x, y) GRS k i+1 (x, y) = C i 1 C i 1 23/52

25 The picture product Alternant codes GRS codes m=1 m=3 m=2 Goppa codes wild Goppa codes binary Goppa codes 24/52

26 Code based NIST submissions in Hamming metric Algebraic codes binary Goppa codes m=1 DAGS m=3 m=2 BIG QUAKE Classic McEliece NTS KEM RLCE KEM pqsigrm Reed Muller related 25/52

27 4. Folding operation, the Origami attack folding 26/52

28 Origami attack folding Related to Gentry attack on NTRU-composite Applies to codes with a non trivial permutation group For σ S n, c σ C σ def = (c σ(i) ) i 1,n def = {c σ : c C} σ is a permutation automorphism of C iff C σ = C 27/52

29 Examples folding Parity-check matrix has a block form H = with blocks of some size l of the form B (11)... B (1n ). B (ij).... B (r n ) B (r 1) B (ij) = a 0 a 1 a l 1 a l 1 a 0 a l a 1 a 2 a 0 B(ij) = a 0 a 1 a 2 a 3 a 1 a 0 a 3 a 2 a 2 a 3 a 0 a 1 a 3 a 2 a 1 a 0 quasi-cyclic case B (ij) s,t = a t s (mod l) quasidyadic case B (ij) s,t = a t s 28/52

30 Folding folding Folding x = w.r. to σ adding the coordinates in a same orbit of σ σ = (123)(456)(678) x = (x } 1, x {{ 2, x } 3,..., } x 7, x {{ 8, x } 9 ) orbit orbit x σ = (x 1 + x 2 + x 3,..., x 7 + x 8 + x 8 ) C σ def = {c σ : c C}. 29/52

31 Why is this an interesting operation? folding Orbits of σ of size l Code gets smaller C = code of length n dim. k C σ = code of length n/l and dim. k l Words do not increase their weight c = w c σ w 30/52

32 folding Folding quasi- alternant codes/ Goppa codes [Faugère, Otmani, Perret, Portzamparc, T 2014] Folding the dual of a Q*-alternant or Q*-Goppa code dual of an alternant or a Goppa code [Barelli-Couvreur 2017] Folding a Q*-alternant or a Q*-Goppa code alternant or a Goppa code 31/52

33 Message attacks folding { He = s { e t H σ (e σ ) = (s σ ) e σ t We recover e σ (say = e 0 ) and then solve the much easier problem H σ e = s e t e σ = e 0 32/52

34 5. Algebraic attacks algebraic Alternant code Alt r (x, y) parity-check matrix H of the form H = y 1 y y n y 1 x 1. y 2 x y n x n... y j x i j y 1 x1 r 1 y 2 x2 r y n x r 1 n Goppa code Gop(x, Γ) = Alt deg Γ (x, 1 Γ(x) ). 33/52

35 Algebraic attacks algebraic G = (g ij ) i 1,k j 1,n Unknowns: y 1,..., y n, x 1,..., x n 2n unknowns Algebraic system generator matrix of C = Alt r (x, y). n j=1 GH = 0 g ij y j x a j = 0 (i, a) 1, k 0, r 1 k r equations 34/52

36 When was this successful? algebraic [Faugère,Otmani,Perret,T ] Q*-alternant of Q*-Goppa codes [Faugère,Perret,Portzamparc 2014] Wild Goppa codes for certain parameters 35/52

37 Rank Metric rank Difficult problem in coding theory Problem 2. [Decoding] Input: n, r, t integers, r < n, parity-check matrix H F q m r n, syndrome s F r q Question:? e such that (i) He = s, (ii) e t where e R = rank weight of e. Randomized reduction to N P -complete problems. 36/52

38 Rank metric rank (β 1... β m ) basis of F q m over F q x = (x 1,..., x n ) F n q m Mat(x) = where x j = m i=1 x ijβ i. x 11 x 12 x 1n x 21 x 22 x 2n.... Fm n q x m1 x m2... x mn Rank metric = viewing an element of F n q m as an m n matrix. x y r def = Rank (Mat(x) Mat(y)). 37/52

39 Complexity of the best known algorithms Algebraic attacks (MinRank) Combinatorial attacks Õ ( q t(k+1) m) when m = n. 38/52

40 LRPC codes [Gaborit, Murat, Ruatta, Zémor 2013] Definition 4. An LRPC code over F q m of weight d is a code that admits an (n k) n parity-check matrix H with entries h ij that span an F q space of dimension d. x r = dim x 1,..., x n Fq all rows of H have weight d. Correct t errors when td n k. 39/52

41 RankSign Secret key H where H = [ H R ] P with H = (n k) n parity-check matrix of an LRPC code over F q m R = random (n k) t matrix over F q m P = (n + t) (n + t) invertible matrix over F q P isometry xp r = x r. LRPC code of weight d codewords of weight d + t in the dual code. 40/52

42 Attack on RankSign rank [Debris-Alazard, T 2018] Looking for low weight codewords in the dual code? 41/52

43 Attack on RankSign rank [Debris-Alazard, T 2018] Looking for low weight codewords in the code itself Product trick 42/52

44 Getting rid of R rank If there is a low weight codeword c LRPC in C LRPC low weight codeword c = (c LRPC, 0 t )(P 1 ) in the public code of parity-check matrix H pub = QH = [ H R ] P H pub c = Hpub P 1 (c LRPC, 0 t ) = Q [ H R ] P P 1 (c LRPC, 0 t ) = Q [ H R ] (c LRPC, 0 t ) = QHc LRPC ( R F (n k) t q m ) = 0 (c LRPC belongs to the code of parity-check matrix H) 43/52

45 Product trick rank F F q -space of dimension d generated by the entries of H parity-check of the [n, k] LRPC code C LRPC. U and V two subspaces of F q m, U V def = uv : u U, v V Fq. Lemma 1. It there exists an F q -subspace F of F q m such that (n k) dim(f F ) < n dim F. Then there exist nonzero codewords in the LRPC code of weight dim F. 44/52

46 Proof A codeword c of the LRPC code satisfies n i 1, n k H i,j c j = 0. (1) j=1 If its entries are in F then n j=1 H i,jc j F F unknowns coordinates c ij of c j in F = f 1,..., f d Fq : c j = i 1,d c ij f i rank # equations = (n k) dim F F #unknowns = n dim F 45/52

47 Consequence on RankSign rank Necessary condition for RankSign to work n = (n k)d Problem: typically dim F F = dim F dim F and therefore n dim F = n d = (n k)d d = (n k) dim F F F = f 1,..., f d Fq F def = f 1, f 2 Fq F F = x i x j : i 1, d, j 1, 2 Fq dim F F = 2d 1< dim F dim F codewords in C LRPC of weight 2 46/52

48 Consequence on LRPC in general? rank No direct attack on LRPC codes without the additional condition n = (n k)d 47/52

49 Conclusion conclusion Up to now all distinguishers of the public parity-check matrix / random matrix with the exception of high rate alternant/goppa codes. [Faugère,Gauthier,Otmani,Perret,T 2011], [Márquez-Corbella, Pellikaan 2012], when r is sufficiently small dim ( Alt r (x, y) Alt r (x, y) ) unusually small The problem, when x, y F n q m Alt r (x, y) = {(y j p(x j )) : deg p < n r} F n q {( ) } Alt r (x, y) = Tr Fq m F q (y j p(x j ) : deg p < r 48/52

50 Other open problems conclusion improving algebraic attacks in the rank metric Polynomial time attacks on Reed-Muller codes? other families of codes (MDPC,... )? 49/52

51 What about alternant/goppa codes? We have square Alt r (x, y) = GRS r (x, y) F n q = GRS n r (x, y ) F n q Alt r (x, y) 2 Alt 2r n+1 (x, y ) and Fact 1. dim Alt r (x, y) n mr. To distinguish we need 2r n + 1 > 0 = r n/2, however m > 1 = n mr 0. 50/52

52 square A miracle when m = 2 in the case of wild Goppa codes Theorem 1. [Couvreur, Otmani, Tillich] wild Goppa code (here r = (q 1)r ) When Alt r (x, y) is a Alt r (x, y) n 2r + r (r 2) and for r close to n/2 we may have wild Goppa codes of small dimension such that 2r n + 1 > 0 51/52

53 Shortening trick for other dimensions square A shortened alternant code is still an alternant code of the same degree r as the original alternant code. Leads to a distinguisher of wild Goppa codes when m = 2 Leads to an attack of the McEliece scheme based on wild Goppa codes when m = 2. First time that there is an attack working in polynomial time on a McEliece scheme based on Goppa codes. 52/52