12 research outputs found

    Algebraic Algorithm for the Alternating Trilinear Form Equivalence Problem

    The Alternating Trilinear Form Equivalence (ATFE) problem was recently used by Tang et al. as a hardness assumption in the design of a Fiat-Shamir digital signature scheme ALTEQ. The scheme was submitted to the additional round for digital signatures of the NIST standardization process for post-quantum cryptography. ATFE is a hard equivalence problem known to be in the class of equivalence problems that includes, for instance, the Tensor Isomorphism (TI), Quadratic Maps Linear Equivalence (QMLE) and the Matrix Code Equivalence (MCE) problems. Due to the increased cryptographic interest, the understanding of its practical hardness has also increased in the last couple of years. Currently, there are several combinatorial and algebraic algorithms for solving it, the best of which is a graph-theoretic algorithm that also includes an algebraic subroutine. In this paper, we take a purely algebraic approach to the ATFE problem, but we use a coding theory perspective to model the problem. This modelling was introduced earlier for the MCE problem. Using it, we improve the cost of algebraic attacks against ATFE compared to previously known ones. Taking into account the algebraic structure of alternating trilinear forms, we show that the obtained system has fewer variables but also fewer equations than for MCE and gives rise to structural degree-3 syzygies. Under the assumption that outside of these syzygies the system behaves semi-regularly, we provide a concrete, non-asymptotic complexity estimate of the performance of our algebraic attack. Our results show that the complexity of our attack is below the estimated security levels of ALTEQ by more than 20 bits for NIST level I (and more for the others), thus the scheme requires re-parametrization for all three NIST security levels.

    A Simple Deterministic Algorithm for Systems of Quadratic Polynomials over $\mathbb{F}_2$

    This article discusses a simple deterministic algorithm for solving quadratic Boolean systems which is essentially a special case of more sophisticated methods. The main idea fits in a single sentence: guess enough variables so that the remaining quadratic equations can be solved by linearization (i.e. by considering each remaining monomial as an independent variable and solving the resulting linear system) and restart until the solution is found. Under strong heuristic assumptions, this finds all the solutions of $m$ quadratic polynomials in $n$ variables with $\tilde{\mathcal{O}}(2^{n-\sqrt{2m}})$ operations. Although the best known algorithms require exponentially less time, the present technique has the advantage of being simpler to describe and easy to implement. In strong contrast with the state-of-the-art, it is also quite efficient in practice.

    A SAT-based approach for index calculus on binary elliptic curves

    Logical cryptanalysis, first introduced by Massacci in 2000, is a viable alternative to common algebraic cryptanalysis techniques over Boolean fields. With XOR operations being at the core of many cryptographic problems, recent research in this area has focused on handling XOR clauses efficiently. In this paper, we investigate solving the point decomposition step of the index calculus method for prime degree extension fields $\mathbb{F}_{2^n}$, using SAT solving methods. We experimented with different SAT solvers and decided on using WDSat, a solver dedicated to this specific problem. We extend this solver by adding a novel symmetry breaking technique and optimizing the time complexity of the point decomposition step by a factor of $m!$ for the $(m+1)$th Semaev's summation polynomial. While asymptotically solving the point decomposition problem with this method has exponential worst-case time complexity in the dimension $l$ of the vector space defining the factor base, experimental running times show that the presented SAT solving technique is significantly faster than current algebraic methods based on Gröbner basis computation. For the values $l$ and $n$ considered in the experiments, the WDSat solver coupled with our symmetry breaking technique is up to 300 times faster than MAGMA's F4 implementation, and this factor grows with $l$ and $n$.

    Time-Memory Trade-offs for Parallel Collision Search Algorithms

    Parallel versions of collision search algorithms require a significant amount of memory to store a proportion of the points computed by the pseudo-random walks. Implementations available in the literature use a hash table to store these points and allow fast memory access. We provide theoretical evidence that memory is an important factor in determining the runtime of this method. We propose to replace the traditional hash table by a simple structure, inspired by radix trees, which saves space and provides fast look-up and insertion. In the case of many-collision search algorithms, our variant has a constant-factor improved runtime. We give benchmarks that show the linear parallel performance of the attack on elliptic curve discrete logarithms and improved running times for meet-in-the-middle applications.

    Hardness estimates of the Code Equivalence Problem in the Rank Metric

    In this paper, we analyze the hardness of the Matrix Code Equivalence (MCE) problem for matrix codes endowed with the rank metric, and provide the first algorithms for solving it. We do this by making a connection to another well-known equivalence problem from multivariate cryptography: the Isomorphism of Polynomials (IP). Under mild assumptions, we give tight reductions from MCE to the homogeneous version of the Quadratic Maps Linear Equivalence (QMLE) problem, and vice versa. Furthermore, we present reductions to and from similar problems in the sum-rank metric, showing that MCE is at the core of code equivalence problems. On the practical side, using birthday techniques known for IP, we present two algorithms: a probabilistic algorithm for MCE running in time $\mathcal{O}^*(q^{\frac{2}{3}(n+m)})$, and a deterministic algorithm for MCE with roots, running in time $\mathcal{O}^*(q^{m})$. Lastly, to confirm these findings, we solve randomly generated instances of MCE using these two algorithms.

    Practical key-recovery attack on MQ-Sign

    This note describes a polynomial-time key-recovery attack on the UOV-based signature scheme called MQ-Sign. The scheme is a first-round candidate in the Korean Post-Quantum Cryptography Competition. Our attack exploits the sparsity of the secret central polynomials in combination with the specific structure of the secret linear map $S$. We provide a verification script that recovers the secret key in less than seven seconds for security level 5.

    Take your MEDS: Digital Signatures from Matrix Code Equivalence

    In this paper, we show how to use the Matrix Code Equivalence (MCE) problem as a new basis to construct signature schemes. This extends previous work on using isomorphism problems for signature schemes, a trend that has recently emerged in post-quantum cryptography. Our new formulation leverages a more general problem and allows for smaller data sizes, achieving competitive performance and great flexibility. Using MCE, we construct a zero-knowledge protocol which we turn into a signature scheme named Matrix Equivalence Digital Signature (MEDS). We provide an initial choice of parameters for MEDS, tailored to NIST's Category 1 security level, yielding public keys as small as 2.8 kB and signatures ranging from 18 kB to just around 6.5 kB, along with a reference implementation in C.

    Report on evaluation of KpqC candidates

    This report analyzes the 16 submissions to the Korean post-quantum cryptography (KpqC) competition.

    Combinatorics in Algebraic and Logical Cryptanalysis (Combinatoire en cryptanalyse algébrique et logique)

    In this thesis, we explore the use of combinatorial techniques, such as graph-based algorithms and constraint satisfaction, in cryptanalysis. Our main focus is on the elliptic curve discrete logarithm problem. First, we tackle this problem in the case of elliptic curves defined over prime-degree binary extension fields, using the index calculus attack. A crucial step of this attack is solving the point decomposition problem, which consists of finding zeros of Semaev's summation polynomials and can be reduced to the problem of solving a multivariate Boolean polynomial system. To this end, we encode the point decomposition problem as a logical formula and define it as an instance of the SAT problem. Then, we propose an original XOR-reasoning SAT solver, named WDSat, dedicated to this specific problem. As Semaev's polynomials are symmetric, we extend the WDSat solver by adding a novel symmetry breaking technique that, in contrast to other symmetry breaking techniques, is not applied to the modelling or the choice of a factor base, but to the solving process. Experimental running times show that our SAT-based solving approach is significantly faster than current algebraic methods based on Gröbner basis computation. In addition, our solver outperforms other state-of-the-art SAT solvers for this specific problem. Finally, we study the elliptic curve discrete logarithm problem in the general case. More specifically, we propose a new data structure for the Parallel Collision Search attack proposed by van Oorschot and Wiener, which has significant consequences on the memory and time complexity of this algorithm.

    The cryptographic attacks we describe in this thesis rely on combinatorial approaches, drawing in particular on graph theory and constraint satisfaction. Our main objective is the study of the discrete logarithm problem on elliptic curves. First, we focus on the index calculus attack in the case of elliptic curves defined over finite field extensions of prime degree. The first phase of index calculus, the relation search phase, consists of solving systems of equations obtained from Semaev polynomials, whose zeros represent point coordinates. Solving these systems answers the point decomposition problem. Within this attack, we first model the point decomposition problem as a logical formula and define it as an instance of the SAT problem. In addition, we develop a SAT solver dedicated to this specific problem, named WDSat. The solver is equipped with an extension that aims to eliminate the symmetric solutions of Semaev polynomials without enlarging the SAT model and without introducing additional computational cost. Experimental running times show that our solving approach using WDSat is significantly faster than current algebraic methods based on Gröbner basis computation. Moreover, our solver performs better than other commonly used SAT solvers for this specific problem. Finally, we address the discrete logarithm problem on elliptic curves in the generic case. In particular, for the implementation of the parallel collision search attack of van Oorschot and Wiener, we propose a new data structure with important consequences on the memory and time complexity.