We present an exponential-time key recovery attack on the public-key encryption scheme using matrix codes proposed by Aragon et al. [1] at Asiacrypt 2024. The secret key is a Gabidulin code expanded using an \(\mathbb {F}_q\) -basis of \(\mathbb {F}_{q^m}\) to obtain a matrix code, which is then hidden by appending random rows and columns and by left- and right-multiplication with invertible matrices. Our attack does not rely on the Gabidulin structure and hence applies to most \(\mathbb {F}_{q^m}\) -linear codes hidden by their transform. Its complexity is better than the previously best-known distinguisher and significantly better than the naive key recovery algorithm. Our attack breaks some of their proposed parameters. For example, a parameter set targeting 192-bit security is reduced to about 161 bits, and a 256-bit set to about 223 bits.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Key Attack on the ACDGV Matrix Encryption Scheme

  • Anmoal Porwal,
  • Antonia Wachter-Zeh,
  • Pierre Loidreau

摘要

We present an exponential-time key recovery attack on the public-key encryption scheme using matrix codes proposed by Aragon et al. [1] at Asiacrypt 2024. The secret key is a Gabidulin code expanded using an \(\mathbb {F}_q\) -basis of \(\mathbb {F}_{q^m}\) to obtain a matrix code, which is then hidden by appending random rows and columns and by left- and right-multiplication with invertible matrices. Our attack does not rely on the Gabidulin structure and hence applies to most \(\mathbb {F}_{q^m}\) -linear codes hidden by their transform. Its complexity is better than the previously best-known distinguisher and significantly better than the naive key recovery algorithm. Our attack breaks some of their proposed parameters. For example, a parameter set targeting 192-bit security is reduced to about 161 bits, and a 256-bit set to about 223 bits.