Roots of Square: Cryptanalysis of Double-Layer Square and Square - Post-Quantum Cryptography

Cryptography Reference

In-Depth Information

enough for our attack that such a linear combination exists. In order to eciently

obtain this solution using (3) we also need the rank of the whole matrix from

fig. 4 to be rank( A )+ n . This is true with overwhelming probability in our case.

Otherwise we would obtain parasitic solutions by (3).

Up to this point, the overall complexity of the MinRank attack is

q ( n + )(2 n + ) 3

2 n

q until A becomes singular. We need

to repeat this sampling until we have recovered ( n + ) linearly independent

equations of small rank. Solving (3) requires Gaussian elimination in (2 n + )

variables.

Now we have to deal with the problem that S is not a (2 n + )

as we expect to sample q vectors ω

∈ F

(2 n + )square

matrix but a rectangular (2 n + )

2 n matrix. Obviously equation (4) and (5)

are not equivalent any longer, but it holds

n +

2 n +

n +

2 n +

( i )

λ i S F

( i )

λ i S G

( i )

λ i F

Sω +

λ i G

Sω =0

Sω +

Sω =0 .

⇒

i =1

i = n + +1

i =1

i = n + +1

I.e. the probability of choosing ω in the kernel of low-rank matrices is still 1 /q .

This argument hides a slight heuristic. If we choose ω

2 n

∈ R F

, Sω is not a

2 n +

q any longer and thus the rows of the matrix in fig. 4

are not randomly chosen. Nevertheless they are independent and thus formula

(6) should be a good approximation. Our experiments in table 1 confirm this.

The backward direction is not true, as 2 n + vectors of lenght 2 n are always

linearly dependent and thus we obtain q parasitic solutions. The overall attack

cost is therefore

random element in

( n + ) q +1 (2 n + ) 3 .

Unfortunately, the authors of [9] did not provide concrete security parameters.

However, using their security analysis, we derived q =31 ,n =17 , =4fora

claimed security level of 2 80 . Using our attack, this reduces to 2 45 to separate

the upper from the lower level. We have broken this set of parameters in about 1

day, see Table 1. Moreover, we can ignore the embedding modifier, as explained

in [2, Sect. 5]. In a nutshell, we work on the maximal rank of the corresponding

matrices. However, the embedding modifier will only decrease the rank and hence

not increase its maximum. Hence, the difference from fig. 3 still holds. Once we

have separated these layers, the rest of the attack is equal to Billet/Macario-Rat

[4], although we have to take the Double-Layer structure into account. First,

we separate out the two layers

. Using the algorithm of Billet/Macario-

Rat, we can separate the variables of the F -layer into x 1 ,...,x n + (output of

Billet/Macario-Rat) and x n + +1 ,...,x 2 n + (others). Using these, we have the

variable mixing S , the equation mixing T , and the inner layer X 2

and

for the first

layer

. For the second, i.e. the

-layer, it is a bit more complicated as we are

dealing with

αX 2 + β ( x 1 ,...,x n + ) X + γ ( x 1 ,...,x n + ) .

Post-Quantum Cryptography

Search WWH ::

Custom Search

Home