DAGS: Key encapsulation using dyadic GS codes

Our contribution.

In this paper, we present DAGS^[1], a key encapsulation mechanism that follows the QD approach using GS codes. KEMs are the primitive favored by NIST for key exchange schemes, and can be used to build encryption schemes, for example using the hybrid encryption paradigm introduced by Cramer and Shoup [18]. To the best of our knowledge, this is the first code-based KEM that uses quasi-dyadic codes. Another NIST submission, named BIG QUAKE [44], proposes a scheme based on quasi-cyclic codes.

Our KEM achieves IND-CCA security, following the recent framework by Kiltz et al. [27], and features compact public keys and efficient encapsulation and decapsulation algorithms. We modulate our parameters to achieve an efficient scheme, while at the same time keeping out of range of the FOPT attack. We provide an initial performance analysis of our scheme as well as access to our reference code; the team is currently working at several additional, optimized implementations, using C++, assembly language, and hardware (FPGA).

Related work.

We show that our proposal compares well with other post-quantum KEMs. These include the classic McEliece approach [47], as well as more recent proposals such as BIKE [45] and the aforementioned BIG QUAKE.

The “Classic McEliece” project is an evolution of the well-known McBits [12] (based on the work of Persichetti [37]), and benefits from a well-understood security assessment but suffers from the usual public key size issue. BIKE, a protocol based on QC-MDPC codes, is the result of a merge between two independently published works with similar background, namely CAKE [7] and Ouroboros [19]. The scheme possesses some very nice features like compact keys and an easy implementation approach, but has currently some potential drawbacks. In fact, the QC-MDPC encryption scheme on which it is based is susceptible to a reaction attack by Guo, Johansson and Stankovski (GJS) [25], and thus the protocol is forced to employ ephemeral keys. Moreover, due to its non-trivial Decoding Failure Rate (DFR), achieving IND-CCA security becomes very hard, so that the BIKE protocol only claims to be IND-CPA secure.

Finally, BIG QUAKE continues the line of work of [9] and proposes to use quasi-cyclic Goppa codes. Due to the particular nature of the FOPT attack and its successors [21], it seems harder to provide security with this approach, and the protocol chooses very large parameters in order to do so. We will discuss attack and parameters in Section 5.

More distantly related are lattice-based schemes like NewHope [2] and Frodo [14], based respectively on LWE and its ring variant. While these schemes are not necessarily a direct comparison term, it is nice to observe that DAGS offers comparable performance.

Organization of the paper.

The paper is organized as follows. We start by giving some preliminary notions in Section 2. We describe the DAGS protocol in Section 3, and we discuss its provable security in Section 4, showing that DAGS is IND-CCA secure in the random oracle model as well as the quantum random oracle model. Section 5 features a discussion about practical security and known attacks, which include general decoding attacks (information set decoding and the like) as well as algebraic attacks; we then present parameters for the scheme. Performance details are given in Section 6. Finally, we conclude in Section 7.

2.1 Notation

We will use the following conventions throughout the rest of the paper:

1. a constant

2. a vector

3. a matrix

4. an algorithm or (hash) function

5. a set

6. the concatenation of vectors 𝒂 and 𝒃

7. the diagonal matrix formed by the vector 𝒂

8. the n×n identity matrix

9. choosing a random element from a set or distribution

10. the length of a shared symmetric key

2.2 Linear codes

We briefly recall some fundamental notions from coding theory. The Hamming weight of a vector 𝒙∈𝔽qn is given by the number wt⁡(𝒙) of its non-zero components. We define a linear code using the metric induced by the Hamming weight.

A linear code can be represented by means of a matrix G∈𝔽qk×n, called generator matrix, whose rows form a basis for the vector space defining the code. Alternatively, a linear code can also be represented as kernel of a matrix H∈𝔽q(n-k)×n, known as parity-check matrix, i.e. 𝖢={𝒄:H⁢𝒄T=0}. Thanks to the generator matrix, we can easily define the codeword corresponding to a vector 𝝁∈𝔽qk as 𝝁⁢G. Finally, we call syndrome of a vector 𝒄∈𝔽qn the vector H⁢𝒄T.

2.3 Structured matrices and GS codes

If n is a power of 2, then every 2l×2l dyadic matrix can be described recursively as

where each block is a 2l-1×2l-1 dyadic matrix. Note that by definition any 1 × 1 matrix is trivially dyadic.

The parameters for such a code are the length n≤qm-s, dimension k≥n-m⁢s⁢t and minimum distance d≥s⁢t+1. GS codes are part of the family of alternant codes, and therefore benefit of an efficient decoding algorithm; according to Sarwate [40, Corollary 2] the complexity of decoding is 𝒪⁢(n⁢log2⁡n), which is the same as for Goppa codes. Moreover, it can be easily proved that every GS code with t=1 is a Goppa code. More information about this class of codes can be found in [29, Chapter 12, Section 6].

3.1 Algorithms

We are now ready to introduce the three algorithms that form DAGS. System parameters are the code length n and dimension k, the values s and t which define a GS code, the cardinality of the base field q and the degree of the field extension m. In addition, we have k=k′+k′′, where k′ is arbitrary and is set to be “small”. In practice, the value of k′ depends on the base field and is such that a vector of length k′ provides at least 256 bits of entropy. This also makes the hash functions (see below) easy to compute, and ensures that the overhead due to the IND-CCA2 security in the QROM is minimal.

DAGS is a key encapsulation mechanism and as such it is composed of three algorithms – Key Generation, Encapsulation and Decapsulation – which will present below in the respective order.

The encapsulation and decapsulation algorithms follow the paradigm of [27] to obtain an IND-CCA secure KEM from a PKE, and as such, they make use of two functions 𝒢:𝔽qk′→𝔽qk and ℋ:𝔽qk′→𝔽qk′, respectively an expansion and a compression function, the former with the task of generating randomness for the scheme, the latter to provide “plaintext confirmation”. The shared symmetric key is obtained via a third function 𝒦:{0,1}*→{0,1}ℓ. For more details about randomness generation and how the functions are implemented in practice, see Section 6.2.

The decapsulation algorithm consists mainly of decoding the noisy codeword received as part of the ciphertext. This is done using the alternant decoding algorithm described in [29, Chapter 12, Section 9] and requires the parity-check matrix to be in alternant form.

DAGS is built upon the McEliece cryptosystem, with a notable exception. In fact, we incorporate the “randomized” version of McEliece by Nojima et al. [35] into our scheme. This is extremely beneficial for two distinct aspects: first of all, it allows us to use a much shorter vector 𝒎 to generate the remaining components of the scheme, greatly improving efficiency. Secondly, it allows us to get tighter security bounds. Note that our protocol differs slightly from the paradigm presented in [27], in the fact that we do not perform a full re-encryption in the decapsulation algorithm. Instead, we simply re-generate the randomness and compare it with the one obtained after decoding. This is possible since, unlike a generic PKE, McEliece decryption reveals the randomness used, in our case 𝒆 (and 𝝆). It is clear that if the re-generated randomness is equal to the retrieved one, the resulting encryption will also be equal. This allows us to further decrease computation time.

The selection of the parameters for the scheme will be discussed in Section 5.4.

5.1 Hard problems from coding theory

Most of the code-based cryptographic constructions are based on the hardness of the following problem, known as the (q-ary) Syndrome Decoding Problem (SDP).

The corresponding decision problem was proved to be NP-complete in 1978 [10], but only for binary codes. In 1994, Barg proved that this result holds for codes over all finite fields ([5], in Russian, and [6, Theorem 4.1]).

In addition, many schemes (including the original McEliece proposal) require the following computational assumption.

The assumption above is historically believed to be true, except for very particular cases. For instance, there exists a distinguisher (Faugère et al. [20]) for cryptographic protocols that make use of high-rate Goppa codes (like the CFS signature scheme [17]). Moreover, it is worth mentioning that the “classical” methods for obtaining an indistinguishable public matrix, such as the use of scrambling matrices S and P, are rather outdated and unpractical and can introduce vulnerabilities to the scheme as per the work of Strenzke et al. [42, 43]. Thus, traditionally, the safest method (Biswas and Sendrier, [13]) to obtain the public matrix is simply to compute the systematic form of the private matrix.

5.2 Decoding attacks

The main approach for solving SDP is the technique known as Information Set Decoding (ISD), first introduced by Prange [39], which targets directly the error vector and aims at decoding without knowing the underlying structure of the code (i.e. treating the code as truly random). Among several variants and generalizations, Peters showed [38] that it is possible to apply Prange’s approach to generic q-ary codes. Other approaches such as statistical decoding [1, 33] are usually considered less efficient. Thus, when choosing parameters, we will focus mainly on defeating attacks of the ISD family.

Hamdaoui and Sendrier in [26] provide non-asymptotic complexity estimates for ISD in the binary case. For codes over 𝔽q, instead, a bound is given in [34], which extends the work of Peters. For a practical evaluation of the ISD running times and corresponding security level, we used Peters’s ISDFQ script [46].

5.3 Algebraic attacks

While, as we discussed above, recovering a private matrix from a public one is in general a very difficult problem, the presence of special algebraic properties and additional structure in the code can have a considerable effect in lowering this difficulty. It turns out that, in the case of alternant codes for instance, there are indeed efficient methods that exploit this issue.

5.4 Parameter selection

To choose our parameters, we keep in mind all the remarks from the previous sections about decoding attacks and structural attacks. As we have just seen, we need to respect the condition m⁢t≥21 to guarantee security against FOPT. At the same time, to prevent the BC attack q has to be chosen large enough and s cannot be too big. Finally, for ISD to be computationally intensive, we require a sufficiently large number w of errors to decode. This is given by s⁢t/2 according to the minimum distance of GS codes.

In addition, we tune our parameters to optimize performance. In this regard, the best results are obtained when the extension degree m is as small as possible. This, however, requires the base field to be large enough to accommodate sufficiently big codes (against ISD attacks), since the maximum size for the code length n is capped by qm-s. Realistically, this means we want qm to be at least 212, and the optimal choice in this sense seems to be q=28 (see Section 6). Finally, note that s is constrained to be a power of 2, and that odd values of t seem to offer best performance.

Putting all the pieces together, we are able to present three sets of parameters, in Table 4. These correspond to three of the security levels indicated by NIST (first column), which are related to the hardness of performing a key search attack on three different variants of a block cipher, such as AES (with key length respectively 128, 192 and 256). As far as quantum attacks are concerned, we claim that ISD with Grover (see above) will usually require more resources than a Grover search attack on AES for the circuit depths suggested by NIST (parameter MAXDEPTH). Thus, classical security bits are the bottleneck in our case, and as such we choose our parameters to provide 128, 192 and 256 bits of classical security for security levels 1, 3 and 5 respectively. For practical reasons, during the rest of the paper we will refer to these parameters respectively as DAGS_1, DAGS_3 and DAGS_5.

For the above parameters, it is easy to observe that the value nY′ is always greater or equal to 21 (it is in fact 25 for DAGS_1), which keeps us clear of FOPT. With respect to the BC attack, the complexity analysis provided by the authors results in a value of ≈2126 for DAGS_1 and more than 2288 for the other two sets. Finally, the running cost of ISD (using Peters’ script) is estimated at 2128,2192 and 2256 respectively, as desired.

6.1 Components

DAGS operates on vectors of elements of the finite field 𝔽q, where q is a power of 2 as specified by the choice of parameters. Finite field elements are represented as bit strings using standard log/antilog tables (see for instance [29, Chapter 4, Section 5]) which are stored in the memory.

For DAGS_1, the finite field 𝔽26 is built using the polynomial x6+x+1 and then extended to 𝔽212 using the quadratic irreducible polynomial x2+α⁢x+α, where α is a primitive element of 𝔽26. In particular, using a well-known result on finite fields, we choose α=γ65 where γ is a primitive element of 𝔽212. This particular choice allows for more efficient arithmetic using a conversion matrix to switch between different field representations. Similarly, for DAGS_3 and DAGS_5, we build the base field using x8+x4+x3+x2+1 and the extension field 𝔽216 is obtained via x2+β50⁢x+β, where β is a primitive element of 𝔽28.

6.2 Randomness generation

The randomness used in our implementation is provided by the NIST API. It uses AES as a PNGR, where NIST chooses the seed in order to have a controlled environment for tests. We use this random generator to obtain our input message 𝒎, after which we calculate 𝒢⁢(𝒎) and ℋ⁢(𝒎), where 𝒢 is an expansion function and ℋ is a compression function. In practice, we compute both using the KangarooTwelve function [48] from the Keccak family. To generate a low-weight error vector, we take part of 𝒢⁢(𝒎) as a seed 𝝈. We use again KangarooTwelve to expand the seed into a string of length n, then transform the latter into a fixed-weight string using a deterministic function.

6.3 Efficient private key reconstruction and decoding

As mentioned in Section 3, in our scheme we use a standard alternant decoder (step (2) of Algorithm 3), which requires the input to be a matrix in alternant form, i.e. Hi⁢j′=yj⁢xji for i=0,…,s⁢t-1 and j=0,…,n-1. The first step consists of computing the syndrome of the received word, H′⁢𝒄T. Now, defining the whole alternant matrix H′ as private key would require storing stn elements of 𝔽qm, leading to huge key sizes. It would be possible to store as private key just the defining vectors 𝒖,𝒗 and 𝒛, and then compute the alternant form during decapsulation. Doing so would drastically reduce the private key size, but would also significantly slow down the decapsulation algorithm. Thus we came up with a neat idea, and implemented a hybrid approach. We use 𝒖,𝒗 and 𝒛 to compute the vector 𝒚 during key generation and store (𝒗,𝒚) as private key, which still results in a compact size. Then, we complete the computation of the alternant form in the decapsulation algorithm. To avoid an unnecessary overhead, we incorporate this computation together with the syndrome computation. The process is detailed as follows.

6.4 Measurements

The implementation is in ANSI C, as requested for a generic reference implementation. For the measurements, we used an x64 Intel Core i5-5300U processor at 2.30 GHz, 16 GiB of RAM and GCC version 6.3.0 20170516 without any optimization, running on Debian 9.2.

We start by considering space requirements. We recall the flow between two parties 𝖯1 and 𝖯2 in a generic key exchange protocol derived from a KEM:

(6.1)

When instantiated with DAGS, the public key is given by the generator matrix G. The non-identity block MT is k×(n-k)=k×m⁢s⁢t and is dyadic of order s, thus requires only k⁢m⁢s⁢t/s=k⁢m⁢t elements of the base field for storage. The private key is simply the pair (𝒗,𝒚), consisting of 2⁢n elements of 𝔽qm. Finally, the ciphertext is the pair (𝒄,𝒅), that is, a q-ary vector of length n plus 256 bits. This leads to the measurements (in bytes) given in Table 5 and Table 6.

We now move on to analyzing time measurements. We are using x64 architecture and our measurements use an assembly instruction to get the time counter. We do this by calling “rdtsc” before and after the instruction, which gives us the cycles used by each function. Table 7 gives the results of our measurements represented by the mean after running the code 50 times.

6.5 Comparison

We thought it useful to provide a comparison with other recently proposed code-based KEMs (and in particular, NIST submissions). In Table 8, we present data for Classic McEliece, BIKE and BIG QUAKE with regards to memory requirements, for the highest security level (256 bits classical). We did not deem necessary, on the other hand, to provide a comparison in terms of implementation timings, as reference implementations are designed for clarity, rather than performance.

It is easy to see that the public key is much smaller than Classic McEliece and BIG QUAKE, and similar to that of BIKE. With regards to the latter, note that, for the same security level, the total communication bandwidth is of the same order of magnitude. This is because DAGS uses much shorter codes, and as a consequence the ciphertext is considerably smaller than a BIKE ciphertext. Moreover, for the purposes of a fair comparison, we remark that BIKE uses ephemeral keys, has a non-negligible decoding failure rate and only claims IND-CPA security – all factors that can restrict its use in various applications.