CryptoDB
Maxime Bros
Publications
2024, EUROCRYPT: Practical Attack on All Parameters of the DME Signature Scheme
Abstract
DME is a multivariate scheme submitted to the call for additional signatures recently launched by NIST. Its performance is one of the best among all the candidates. The public key is constructed from the alternation of very structured linear and non-linear components that constitute the private key, the latter being defined over an extension field. We exploit these structures by proposing an algebraic attack which is practical on all DME parameters.
2020, EUROCRYPT: An Algebraic Attack on Rank Metric Code-Based Cryptosystems
Abstract
The Rank metric decoding problem is the main problem considered in cryptography based on codes in the rank metric. Very efficient schemes based on this problem or quasi-cyclic versions of it have been proposed recently, such as those in the submissions ROLLO and RQC currently at the second round of the NIST Post-Quantum Cryptography Standardization Process. While combinatorial attacks on this problem have been extensively studied and seem now well understood, the situation is not as satisfactory for algebraic attacks, for which previous work essentially suggested that they were ineffective for cryptographic parameters.

In this paper, starting from Ourivski and Johansson's algebraic modelling of the problem into a system of polynomial equations, we show how to augment this system with easily computed equations so that the augmented system is solved much faster via Gröbner bases. This happens because the augmented system has solving degree $r$, $r+1$ or $r+2$ depending on the parameters, where $r$ is the rank weight, which we show by extending results from Verbel et al. (PQCrypto 2019) on systems arising from the MinRank problem; with target rank $r$, Verbel et al. lower the solving degree to $r+2$, and even less for some favorable instances that they call "superdetermined". We give complexity bounds for this approach as well as practical timings of an implementation using magma. This improves upon the previously known complexity estimates for both Gröbner basis and (non-quantum) combinatorial approaches, and for example leads to an attack in 200 bits on ROLLO-I-256 whose claimed security was 256 bits.
2020, ASIACRYPT: Improvements of Algebraic Attacks for solving the Rank Decoding and MinRank problems
Abstract
In this paper, we show how to significantly improve algebraic techniques for solving the MinRank problem, which is ubiquitous in multivariate and rank metric code based cryptography. In the case of the structured MinRank instances arising in the latter, we build upon a recent breakthrough in Bardet et al. (EUROCRYPT 2020) showing that algebraic attacks outperform the combinatorial ones that were considered state of the art up until now. Through a slight modification of this approach, we completely avoid Gröbner bases computations for certain parameters and are left only with solving linear systems. This does not only substantially improve the complexity, but also gives a convincing argument as to why algebraic techniques work in this case. When used against the second round NIST-PQC candidates ROLLO-I-128/192/256, our new attack has bit complexity respectively 71, 87, and 151, to be compared to 117, 144, and 197 as obtained in Bardet et al. (EUROCRYPT 2020). The linear systems arise from the nullity of the maximal minors of a certain matrix associated to the algebraic modeling. We also use a similar approach to improve the algebraic MinRank solvers for the usual MinRank problem. When applied against the second round NIST-PQC candidates GeMSS and Rainbow, our attack has a complexity that is very close to or even slightly better than those of the best known attacks so far. Note that these latter attacks did not rely on MinRank techniques since the MinRank approach used to give complexities that were far away from classical security levels.
Coauthors
- Magali Bardet (2)
- Pierre Briaud (2)
- Maxime Bros (3)
- Daniel Cabarcas (1)
- Philippe Gaborit (2)
- Vincent Neiger (1)
- Ray Perlner (2)
- Olivier Ruatta (1)
- Daniel Smith-Tone (2)
- Jean-Pierre Tillich (2)
- Javier Verbel (1)