Paper 2024/196

Subfield attack: leveraging composite-degree extensions in the Quotient Ring transform

Pierre Pébereau, Laboratoire de Recherche en Informatique de Paris 6, Thales (France)
Abstract

In this note, we show that some of the parameters of the Quotient-Ring transform proposed for VOX are vulnerable. More precisely, they were chosen to defeat an attack in the field extension $\mathbb F_{q^l}$ obtained by quotienting $\mathbb F_q[X]$ by an irreducible polynomial of degree $l$. We observe that we may use a smaller extension $\mathbb F_{q^{l'}}$ for any $l'|l$, in which case the attacks apply again. We also introduce a simple algebraic attack without the use of the MinRank problem to attack the scheme. These attacks concern a subset of the parameter sets proposed for VOX: I, Ic, III, IIIa, V, Vb. We estimate the cost of our attack on these parameter sets and find costs of at most $2^{67}$ gates, and significantly lower in most cases. In practice, our attack requires $0.3s, 1.35s, 0.56s$ for parameter sets I,III,V for the initial VOX parameters, and $56.7s, 6.11s$ for parameter sets IIIa, Vb proposed after the rectangular MinRank attack.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Multivariate cryptography
Contact author(s)
pierre pebereau @ lip6 fr
History
2024-02-12: approved
2024-02-09: received
See all versions
Short URL
https://ia.cr/2024/196
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/196,
      author = {Pierre Pébereau},
      title = {Subfield attack: leveraging composite-degree extensions in the Quotient Ring transform},
      howpublished = {Cryptology ePrint Archive, Paper 2024/196},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/196}},
      url = {https://eprint.iacr.org/2024/196}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.