An Algebraic Attack on Rank Metric Code-Based Cryptosystems

The rank metric decoding problem is the main problem considered in cryptography based on codes in the rank metric. Very efficient schemes based on this problem, or on quasi-cyclic versions of it, have been proposed recently, such as those in the submissions ROLLO and RQC, currently in the second round of the NIST Post-Quantum Cryptography Standardization Process. While combinatorial attacks on this problem have been extensively studied and now seem well understood, the situation is less satisfactory for algebraic attacks, for which previous work essentially suggested that they were ineffective for cryptographic parameters. In this paper, starting from Ourivski and Johansson's algebraic modelling of the problem as a system of polynomial equations, we show how to augment this system with easily computed equations so that the augmented system is solved much faster via Gröbner bases. This happens because the augmented system has solving degree $r$, $r+1$ or $r+2$ depending on the parameters, where $r$ is the rank weight; we show this by extending results from Verbel et al. (PQCrypto 2019) on systems arising from the MinRank problem: with target rank $r$, Verbel et al. lower the solving degree to $r+2$, and even less for some favorable instances that they call superdetermined. We give complexity bounds for this approach as well as practical timings of an implementation using Magma. This improves upon the previously known complexity estimates for both Gröbner basis and (non-quantum) combinatorial approaches, and for example leads to an attack of cost $2^{200}$ on ROLLO-I-256, whose claimed security level was 256 bits.
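The following is an added example, not code from the paper or its Magma implementation. It shows the error model on which the Ourivski–Johansson style algebraic modelling rests: an error $e \in \mathbb{F}_{q^m}^n$ of rank weight $r$ can always be written as $e = \beta C$ with $\beta = (\beta_1, \dots, \beta_r)$ an $\mathbb{F}_q$-basis of the support and $C \in \mathbb{F}_q^{r \times n}$ of rank $r$, so that each parity-check equation $H e^{\mathsf{T}} = s$ becomes bilinear in the unknowns $(\beta, C)$. The toy instance below is constructed over $\mathbb{F}_{2^8}$ with a random parity-check matrix; the function names (`support_decomposition`, `syndrome_from_model`, `demo`) are hypothetical, and the paper's normalization of the unknowns, its augmenting equations and the Gröbner basis computation itself are not reproduced here.

```python
"""Rank-metric error model behind the Ourivski-Johansson style algebraic
modelling of rank syndrome decoding (added example over a constructed toy
F_{2^8} instance, not the paper's Magma implementation)."""
import functools
import operator
import random

M = 8            # extension degree m: F_{q^m} = F_{2^8}
MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over F_2

def xor_all(items):
    """Sum in characteristic 2 (an F_2-linear combination of bit-vectors)."""
    return functools.reduce(operator.xor, items, 0)

def gf_mul(a, b):
    """Multiply two elements of F_{2^8} (ints below 256) modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M & 1:
            a ^= MODULUS
    return r

def f2_basis(vectors):
    """Echelon basis of the F_2-span of bit-vectors (ints): a list of
    (pivot_bit, vector) with distinct pivots, highest pivot first."""
    basis = []
    for v in vectors:
        for piv, b in basis:  # reduce against higher pivots first
            if v >> piv & 1:
                v ^= b
        if v:
            basis.append((v.bit_length() - 1, v))
            basis.sort(reverse=True)
    return basis

def rank_weight(e):
    """Rank weight of e in F_{2^m}^n: the F_2-dimension of the span of its
    coordinates, i.e. the rank of the m x n binary matrix representing e."""
    return len(f2_basis(e))

def support_decomposition(e):
    """Write e = beta * C: beta is an F_2-basis of the support (r elements of
    F_{2^m}) and C an r x n matrix over F_2 (rows of 0/1).  These are the
    unknowns of the algebraic modelling assumed in this example."""
    basis = f2_basis(e)
    C = [[0] * len(e) for _ in basis]
    for j, v in enumerate(e):
        for i, (piv, b) in enumerate(basis):
            if v >> piv & 1:
                v ^= b
                C[i][j] = 1
        assert v == 0  # every coordinate lies in the support
    return [b for _, b in basis], C

def recompose(beta, C):
    """e_j = sum_i C[i][j] * beta_i (inverse of support_decomposition)."""
    n = len(C[0]) if C else 0
    return [xor_all(b for i, b in enumerate(beta) if C[i][j]) for j in range(n)]

def syndrome(H, e):
    """s = H e^T over F_{2^m}; H is a list of n-k rows of length n."""
    return [xor_all(gf_mul(h, x) for h, x in zip(row, e)) for row in H]

def syndrome_from_model(H, beta, C):
    """The same syndrome written in the model's unknowns:
    s_k = sum_i beta_i * (sum_j C[i][j] * H[k][j]).  Each parity-check
    equation is bilinear in (beta, C): a quadratic system over F_{q^m}."""
    return [xor_all(gf_mul(b, xor_all(h for j, h in enumerate(row) if C[i][j]))
                    for i, b in enumerate(beta)) for row in H]

def random_rank_error(n, r, rng):
    """Constructed error of rank weight exactly r: independent beta, C of rank r."""
    while True:
        beta = [rng.randrange(1, 1 << M) for _ in range(r)]
        C = [[rng.randrange(2) for _ in range(n)] for _ in range(r)]
        rows = [sum(bit << j for j, bit in enumerate(row)) for row in C]
        if len(f2_basis(beta)) == r and len(f2_basis(rows)) == r:
            return recompose(beta, C)

def demo(n=12, k=6, r=3, seed=1):
    """Plant a rank-r error behind a random (n-k) x n parity-check matrix and
    check that the model's unknowns reproduce both e and its syndrome."""
    rng = random.Random(seed)
    e = random_rank_error(n, r, rng)
    H = [[rng.randrange(1 << M) for _ in range(n)] for _ in range(n - k)]
    beta, C = support_decomposition(e)
    assert recompose(beta, C) == e
    assert syndrome(H, e) == syndrome_from_model(H, beta, C)
    return {"rank_weight": rank_weight(e),
            "unknowns_in_Fqm": len(beta),     # r support elements
            "unknowns_in_Fq": len(beta) * n,  # the r*n entries of C
            "equations_over_Fqm": n - k}      # one per parity check
```

Running `demo()` returns the instance's rank weight together with the number of unknowns and equations the bilinear system has before any normalization. Note that `support_decomposition` recovers an echelon basis rather than the basis that `random_rank_error` planted: the pair $(\beta, C)$ is only defined up to $(\beta A, A^{-1} C)$ for $A \in \mathrm{GL}_r(\mathbb{F}_q)$, which is the redundancy an algebraic modelling has to fix before the system has finitely many solutions.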

[1]  J. Hopcroft,et al.  Triangular Factorization and Inversion by Fast Matrix Multiplication , 1974 .

[2]  Daniel Lazard,et al.  Gröbner-Bases, Gaussian elimination and resolution of systems of algebraic equations , 1983, EUROCAL.

[3]  Ernst M. Gabidulin,et al.  Ideals over a Non-Commutative Ring and their Applications in Cryptology , 1991, EUROCRYPT.

[4]  David A. Cox,et al.  Ideals, Varieties, and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Algebra, 3/e (Undergraduate Texts in Mathematics) , 2007 .

[5]  Jeffrey Shallit,et al.  The Computational Complexity of Some Problems of Linear Algebra , 1996, J. Comput. Syst. Sci..

[6]  David A. Cox,et al.  Ideals, Varieties, and Algorithms , 1997 .

[7]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[8]  Adi Shamir,et al.  Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization , 1999, CRYPTO.

[9]  J. Faugère,  A new efficient algorithm for computing Gröbner bases (F4) , 1999 .

[10]  A. Storjohann Algorithms for matrix canonical forms , 2000 .

[11]  N. Courtois,et al.  Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations , 2000, EUROCRYPT.

[12]  Jean Charles Faugère,et al.  A new efficient algorithm for computing Gröbner bases without reduction to zero (F5) , 2002, ISSAC '02.

[13]  Thomas Johansson,et al.  New Technique for Decoding Codes in the Rank Metric and Its Cryptography Applications , 2002, Probl. Inf. Transm..

[14]  Magali Bardet,et al.  Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie , 2004 .

[15]  Hideki Imai,et al.  Comparison Between XL and Gröbner Basis Algorithms , 2004, ASIACRYPT.

[16]  Raphael Overbeck,et al.  A New Structural Attack for GPT and Variants , 2005, Mycrypt.

[17]  Antoine Joux,et al.  Inverting HFE Is Quasipolynomial , 2006, CRYPTO.

[18]  Ludovic Perret,et al.  Cryptanalysis of MinRank , 2008, CRYPTO.

[19]  Jean-Charles Faugère,et al.  Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology , 2010, ISSAC.

[20]  Nicolas Gama,et al.  The Degree of Regularity of HFE Systems , 2010, ASIACRYPT.

[21]  Jintai Ding,et al.  Inverting HFE Systems Is Quasi-Polynomial for All Fields , 2011, CRYPTO.

[22]  Mohab Safey El Din,et al.  Gröbner bases of bihomogeneous ideals generated by polynomials of bidegree (1, 1): Algorithms and complexity , 2010, J. Symb. Comput..

[23]  Jintai Ding,et al.  Degree of regularity for HFE- , 2011, IACR Cryptol. ePrint Arch..

[24]  Jintai Ding,et al.  Solving Degree and Degree of Regularity for Polynomial Systems over a Finite Fields , 2013, Number Theory and Cryptography.

[25]  Paulo S. L. M. Barreto,et al.  MDPC-McEliece: New McEliece variants from Moderate Density Parity-Check codes , 2013, 2013 IEEE International Symposium on Information Theory.

[26]  Gilles Zémor,et al.  RankSign: An Efficient Signature Algorithm Based on the Rank Metric , 2014, PQCrypto.

[27]  Gilles Zémor,et al.  Low Rank Parity Check codes and their application to cryptography , 2013 .

[28]  Bo-Yin Yang,et al.  Degree of Regularity for HFEv and HFEv- , 2013, PQCrypto.

[29]  François Le Gall,et al.  Powers of tensors and fast matrix multiplication , 2014, ISSAC.

[30]  Gilles Zémor,et al.  New Results for Rank-Based Cryptography , 2014, AFRICACRYPT.

[31]  Jean-Charles Faugère,et al.  On the complexity of the F5 Gröbner basis algorithm , 2013, J. Symb. Comput..

[32]  Philippe Gaborit,et al.  On the Complexity of the Rank Syndrome Decoding Problem , 2013, IEEE Transactions on Information Theory.

[33]  Charles Bouillaguet,et al.  Sparse Gaussian Elimination Modulo p: An Update , 2016, CASC.

[34]  Jean-Charles Faugère,et al.  GBLA: Gröbner Basis Linear Algebra Package , 2016, ISSAC.

[35]  Gilles Zémor,et al.  On the Hardness of the Decoding and the Minimum Distance Problems for Rank Codes , 2016, IEEE Transactions on Information Theory.

[36]  Jean-Charles Faugère,et al.  A survey on signature-based algorithms for computing Gröbner bases , 2017, J. Symb. Comput..

[37]  Adrien Hauteville,et al.  LOCKER - LOw rank parity ChecK codes EncRyption , 2017 .

[38]  Daniel Smith-Tone,et al.  Key Recovery Attack for ZHFE , 2017, PQCrypto.

[39]  Pierre Loidreau,et al.  A New Rank Metric Codes Based Encryption Scheme , 2017, PQCrypto.

[40]  Adrien Hauteville,et al.  LAKE - Low rAnk parity check codes Key Exchange , 2017 .

[41]  Adrien Hauteville,et al.  A New Algorithm for Solving the Rank Syndrome Decoding Problem , 2018, 2018 IEEE International Symposium on Information Theory (ISIT).

[42]  Jean-Pierre Tillich,et al.  Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme , 2018, 1804.02556.

[43]  Jean-Pierre Tillich,et al.  Two Attacks on Rank Metric Code-Based Schemes: RankSign and an IBE Scheme , 2018, ASIACRYPT.

[44]  Adrien Hauteville,et al.  Durandal: a rank metric based signature scheme , 2019, IACR Cryptol. ePrint Arch..

[45]  Ayoub Otmani,et al.  Improved cryptanalysis of rank metric schemes based on Gabidulin codes , 2018, Des. Codes Cryptogr..

[46]  John Baena,et al.  On the Complexity of "Superdetermined" Minrank Instances , 2019, PQCrypto.

[47]  Ray A. Perlner,et al.  Algebraic attacks for solving the Rank Decoding and MinRank problems without Gröbner basis , 2020, ArXiv.

[48]  Ray A. Perlner,et al.  Improvements of Algebraic Attacks for Solving the Rank Decoding and MinRank Problems , 2020, ASIACRYPT.