[Resource Topic] 2021/1677: Improving Support-Minors rank attacks: applications to G$e$MSS and Rainbow

Welcome to the resource topic for 2021/1677

Title:
Improving Support-Minors rank attacks: applications to G$e$MSS and Rainbow

Authors: John Baena, Pierre Briaud, Daniel Cabarcas, Ray Perlner, Daniel Smith-Tone, and Javier Verbel

Abstract:

The Support-Minors (SM) method has opened new routes to attack multivariate schemes with rank properties that were previously impossible to exploit, as shown by the recent attacks of Tao et al. (CRYPTO 2021) and Beullens (EUROCRYPT 2021) on the Round 3 NIST candidates GeMSS and Rainbow respectively. In this paper, we study this SM approach in more depth and we propose a greatly improved attack on GeMSS based on this Support-Minors method. Even though GeMSS was already affected by Tao's attack, our attack affects it even more and makes it completely unfeasible to repair the scheme by simply increasing the size of its parameters or even applying the recent projection technique from Øygarden et al. (PQCrypto 2021), whose purpose was to make GeMSS immune to Tao's attack. For instance, our attack on the GeMSS128 parameter set has estimated time complexity 2^72, and repairing the scheme by applying projection would result in a signature with slower signing time by an impractical factor of 2^14. Another contribution is to suggest optimizations that can reduce memory access costs for an XL strategy on a large SM system using the Block-Wiedemann algorithm as a subroutine when these costs are a concern. In a memory cost model based on the one provided by Bernstein et al. (https://ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf), we show that the rectangular MinRank attack of Beullens may indeed reduce the security for all Round 3 Rainbow parameter sets below their targeted security strengths, contradicting the lower bound claimed by the Rainbow team using the same memory cost model (https://troll.iis.sinica.edu.tw/by-publ/recent/response-ward.pdf).

ePrint: https://eprint.iacr.org/2021/1677

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.