Hi, I'm Qian. I will present the paper "A New Decryption Failure Attack against HQC". This is joint work with Thomas Johansson from Lund University. This is the outline of the talk. I will start with the introduction. Then I will give some background on the HQC proposal. Then I will discuss the new attack in detail. As an instance, I will apply this attack to HQC-256-1, the first HQC parameter set for security level 5. Then I will discuss the influence of this attack on the other HQC parameter sets. Finally, I will conclude the paper and discuss countermeasures against this attack.

Now I will start the introduction section. We know our communication systems are facing threats from quantum computers. Peter Shor pointed out that quantum algorithms could break public-key cryptosystems based on factoring and discrete logarithms; this research dates back to 1994. Recently, we have seen rapid advances in building quantum computers. For instance, Google has claimed that they have achieved quantum supremacy. Post-quantum cryptography is therefore a central research problem in our crypto community. We have the NIST post-quantum standardization project, which is trying to find replacements for the current public-key encryption and signature standards. It has already started the round-three selection, and the candidates are classified into two categories: the finalists and the alternate candidates.

Generally speaking, post-quantum constructions can be characterized into several branches: lattice-based, code-based, multivariate-based, hash-based, and isogeny-based. So far, lattice-based crypto seems to be the most promising branch, and code-based crypto is the second most popular one. The first code-based cryptosystem was proposed by McEliece in 1978 using random binary Goppa codes. Later we got many different constructions, but the main hardness assumption of code-based crypto is the decoding of random linear codes, a famous problem that is NP-hard in the worst case. Code-based constructions are mostly suited for encryption, and we have different branches. Based on random binary Goppa codes, the representative is Classic McEliece, which is a finalist in the NIST post-quantum standardization project. We can also use LDPC and MDPC codes, as in the alternate candidate BIKE in the NIST project, and we can also use random quasi-cyclic codes, as in HQC, which is the main target of this paper. We can also use codes in the rank metric, so that branch is also called rank-based cryptography.

What is HQC? HQC is short for Hamming Quasi-Cyclic, which means that it uses quasi-cyclic codes in the Hamming metric. HQC is a submission to the NIST PQC project and it has advanced to round three in the category of alternate candidates. NIST commented that HQC presents a strong argument that its decryption failure rate is low enough to obtain chosen-ciphertext security, and that this is the strongest argument at present for CCA security among the second-round candidate code-based cryptosystems. We want to study the CCA security of HQC in detail. Our main research focus is a new key-recovery chosen-ciphertext attack on HQC. We target the round-two parameters in the NIST PQC standardization project, because when we submitted the paper only the round-two version was available.

Next, I give a detailed description of the HQC proposal. Let R be the polynomial ring F2[X]/(X^n - 1); an element of R is a polynomial of degree at most n - 1.
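To make this ring concrete, here is a minimal Python sketch of arithmetic in R = F2[X]/(X^n - 1), where elements are represented as length-n bit vectors and multiplication is a cyclic convolution over F2; the function names and the toy length are illustrative choices, not from the HQC specification.

```python
# Minimal sketch of arithmetic in R = F2[X]/(X^n - 1).
# Elements are length-n lists of bits; names and toy sizes are illustrative only.

def ring_add(a, b):
    """Addition in R: coefficient-wise XOR."""
    return [x ^ y for x, y in zip(a, b)]

def ring_mul(a, b):
    """Multiplication in R: cyclic convolution over F2 (indices taken mod n)."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if bj:
                    c[(i + j) % n] ^= 1
    return c

# Tiny example with n = 7: (1 + X) * (1 + X + X^3) in F2[X]/(X^7 - 1).
a = [1, 1, 0, 0, 0, 0, 0]
b = [1, 1, 0, 1, 0, 0, 0]
print(ring_mul(a, b))  # -> [1, 0, 1, 1, 1, 0, 0], i.e. 1 + X^2 + X^3 + X^4
```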
This is the description of HQC.PKE from the official design document. In the setup step, we generate the global parameters n, k, w, w_r, and w_e. For key generation, we sample a random polynomial h from R; the generator matrix G of the public code is also part of the scheme. For the secret key, we generate two random polynomials x and y from R with low weight w, we set pk = (h, s) with s = x + h*y, and we return the public key and the secret key. For encryption, we generate a random element e and random r = (r1, r2); the weight of e is w_e and the weights of r1 and r2 are w_r. We compute u = r1 + h*r2 and v = mG + s*r2 + e, and the ciphertext is (u, v). For decryption, we compute v - u*y and feed it to a function called Decode, which will be described on the next slide. This is HQC.PKE, aiming for IND-CPA security. HQC also gives an IND-CCA2 secure KEM, called HQC.KEM, via a variant of the Fujisaki-Okamoto transform. Notice that there is no multi-target protection in this HQC KEM, because the randomness is generated from a hash of the message m only.

Since we are studying decryption failure attacks, we need to explain how HQC decryption failures can occur. HQC uses a tensor product code, that is, the tensor product of two linear codes C1 and C2. C1 has parameters [n1, k1, d1], where n1 is the code length, k1 the dimension, and d1 the minimum distance, and C2 has parameters [n2, k2, d2]. The tensor product code then has parameters [n1*n2, k1*k2, d1*d2]. We can view a codeword of length n1*n2 as an array where every row is a codeword in C1 and every column is a codeword in C2. In HQC, they pick C1 to be a BCH code and C2 to be a repetition code. So if we write such a codeword out as a vector, we get n1 repetition blocks, each of length n2. For one decryption failure, we need at least a majority of errors, i.e. at least ceil(n2/2) errors, in each of at least delta + 1 different chunks, where delta is the number of erroneous chunks the BCH code can correct (a tiny sketch of this condition is given at the end of this part). The error term is e' = x*r2 - r1*y + e; because the field characteristic is 2, addition and subtraction are both the XOR operation.

These are the HQC round-2 parameter sets. There are six parameter sets: one for security level 128, two for security level 192, and three for security level 256. We will use HQC-256-1 as the example to explain our attack, since it has a high claimed security level and a relatively high decryption failure rate.

I will now talk about the details of the attack, starting with the basic ideas. Even for HQC-256-1, the decryption failure rate is below 2^-128, so it is hard to obtain even one failure if we submit only 2^64 ciphertexts for decryption. That means we have to increase the DFR. Now let's look at this figure. x is a vector of small weight, and we look at the contribution of x*r2 to the error part. If r2 is a random vector of fixed weight, the errors will spread uniformly. However, suppose instead that the generated r2 contains an interval, or chunk, of length l1 containing many ones. Then some repetition blocks, such as the one shown here, will receive many errors, so their repetition decoding will be erroneous with very high probability, and the overall DFR can become large. Next, we need to find the correlation between the partial key x and the collected decryption failures. Because x is sparse and we know the value of r2, if a position of x is one, then the chunk is shifted into e' and we get an interval of many ones in e', as shown here.
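Before turning to the distinguishing problem, the failure mechanism just described can be made concrete with a tiny Python sketch. It checks the failure condition under the simplifying assumption of plain majority decoding for each repetition block and an outer code that corrects up to delta wrong blocks; the function name and toy numbers are illustrative only, not the HQC reference decoder.

```python
# Illustrative check of the HQC decryption-failure condition (not the reference decoder).
# e_prime is the error term e' = x*r2 - r1*y + e, viewed as n1 repetition blocks of
# length n2; delta is the assumed number of wrong blocks the outer BCH code can correct.

def decryption_fails(e_prime, n1, n2, delta):
    """A repetition block is lost when a majority of its n2 positions are in error;
    decryption fails when more than delta blocks are lost."""
    lost = sum(1 for i in range(n1)
               if sum(e_prime[i * n2:(i + 1) * n2]) >= (n2 + 1) // 2)
    return lost > delta

# Toy example: n1 = 4 blocks of length n2 = 5, outer code correcting delta = 1 block.
e_prime = [1, 1, 1, 0, 0,   0, 0, 0, 0, 0,   1, 0, 1, 1, 0,   0, 1, 0, 0, 0]
print(decryption_fails(e_prime, n1=4, n2=5, delta=1))  # True: blocks 0 and 2 are lost
```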
So the problem is to distinguish whether such an interval occurs: if it does, the corresponding position of x should be one, otherwise it should be zero. We next show how to distinguish these two types of intervals. An interval containing such a chunk of many ones we call a case-1 interval; an interval without such a chunk we call a case-2 interval. The vector e is known to us, and the error e' is of this form. Our observation is that the independent noise part e helps to cause a decoding error. We consider the probability that the j-th position of e is one, conditioned on a decryption failure occurring. Let us denote the contribution of x*r2 as the Upsilon part. For a case-2 interval, we know the repetition decoding is erroneous with very low probability, so the value of e does not affect the decoding output very much. But for a case-1 interval, the corresponding repetition decoding is erroneous with a higher probability: if the Upsilon part is zero at position j, then the probability that e_j is one is relatively high; otherwise, the probability that e_j is one is low.

Now we introduce the attack model. We adopt the weak-key decryption failure attack model published at PKC 2019, but here no weak key is assumed. This attack model consists of several steps. In the first step, we do pre-computation of weak ciphertexts: we construct a special set A of weak ciphertexts which are very likely to cause decryption errors. In the second phase, we submit A for decryption, so we obtain a subset A' containing the ciphertexts that caused decryption failures. We then do statistical analysis on A' to recover partial key information. Finally, we may also include a post-processing step, as discussed in the basic ideas.

For weak ciphertext preparation, we pick weak ciphertexts (r1, r2, e) with r2 having l1 consecutive positions containing at least l0 ones. We need to estimate the complexity of finding such ciphertexts. Let A_i denote the event that this consecutive chunk exists and starts at the i-th position. From combinatorial formulas we can estimate the probability of this event, and the overall probability p of finding such a chunk in a vector of length n can then be estimated as the probability of the union of these events. Thus we expect to need about 1/p calls to the hash function G to generate one weak ciphertext of the chosen form.

The next question is to estimate the decryption failure rate. This matters because the number of decryption oracle calls is usually limited; in the NIST PQC setting, for instance, the limit is 2^64. So we need to estimate the DFR to know the expected number of failures. Here we use a method based on the convolution of probability distributions. Let the indicator X_i = 1 denote the event that the i-th repetition decoding is erroneous, and let p_i denote its probability. If we assume that all the X_i are independent, we get a formula to estimate the failure probability. The point is that each p_i is relatively large and can be efficiently estimated by simulation. We ran simulations to test the accuracy of the convolution method. This table compares the simulated DFR and the estimated DFR; the parameters are from HQC-256-1. We see that the estimation method is accurate but slightly conservative. The reason is the independence assumption, and this matches observations in lattice-based crypto.
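The two estimates just described can be sketched in a few lines of Python. The first function approximates the probability that a random weight-w_r vector of length n contains some window of l1 consecutive positions with at least l0 ones, using hypergeometric-style counting for one window and treating the n windows as roughly independent; the second implements the convolution of probability distributions, computing the probability that more than delta of the n1 repetition blocks decode wrongly given per-block error probabilities p_i. Both are simplified sketches under the stated independence and approximation assumptions, not the exact formulas from the paper.

```python
from math import comb

def weak_chunk_probability(n, w_r, l1, l0):
    """Approximate probability that a random weight-w_r vector of length n has
    some run of l1 consecutive positions containing at least l0 ones.
    q = Pr[one fixed window has >= l0 ones]; the n window positions are then
    treated as roughly independent (an approximation of the union probability)."""
    q = sum(comb(l1, j) * comb(n - l1, w_r - j)
            for j in range(l0, min(l1, w_r) + 1)) / comb(n, w_r)
    return 1.0 - (1.0 - q) ** n

def dfr_by_convolution(block_error_probs, delta):
    """Convolution of probability distributions: given per-block probabilities p_i
    that repetition block i decodes wrongly (assumed independent), return the
    probability that more than delta blocks fail, i.e. the estimated DFR."""
    dist = [1.0]                      # dist[k] = Pr[exactly k blocks failed so far]
    for p in block_error_probs:
        new = [0.0] * (len(dist) + 1)
        for k, pk in enumerate(dist):
            new[k] += pk * (1.0 - p)  # this block decodes correctly
            new[k + 1] += pk * p      # this block decodes wrongly
        dist = new
    return sum(dist[delta + 1:])

# The expected number of calls to the hash function G per weak ciphertext is about 1/p,
# with p = weak_chunk_probability(n, w_r, l1, l0).
```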
In principle, removing the independence assumption could lead to a much larger DFR estimate; in practice, the indicators X_i are only slightly dependent, so the actual DFR is only slightly larger than the estimate.

We then discuss the statistical analysis. Recall that the independent noise part e helps to cause a decoding error, and that we consider the probability that e_j equals one conditioned on a decryption failure; we denote this probability by p. We have p_random corresponding to a case-2 interval, and p_low and p_high corresponding to a case-1 interval (p_high where the Upsilon part is zero and p_low where it is one). We developed theoretical estimates to quantify this distinguishing property. These estimates explain the phenomenon well, but the estimated bias is much weaker than the simulated bias. For instance, this table contains the simulated probabilities versus the estimated probabilities for HQC-256-1. For this row we choose l1 = 55 and l0 = 38, and the DFR level is 2^-14. We see that the bias in simulation is about 10 times stronger than the bias in the estimation. From the table we also see that the distinguishing property becomes stronger when the DFR level drops. This matches the intuition: if it is very difficult to get one decryption failure, then that decryption failure contains much more information.

The problem is then to know how many decryption failures are sufficient for key recovery when the DFR is very low, say about 2^-50. Our solution is to run simulations that are as large as possible. For instance, we use simulation data with a DFR of about 2^-22. If we can do key recovery with a fixed number of decryption failures at that level, then we can do key recovery in the real attack, with a much smaller DFR, using the same number of decryption failures. There are also more tricks. For instance, we can do double distinguishing: we split the 2^64 online decryption oracle calls into two groups, one group to recover partial information about x and the other to recover partial information about y. We can also include a post-processing step using plain ISD; here ISD means an information set decoding algorithm. Our conclusion is that for HQC-256-1, 2^16 decryption failures are sufficient for full key recovery with a post-processing complexity smaller than the cost of the 2^64 online decryption oracle calls. Moreover, the required number of decryption failures could be even smaller when using a heavier post-processing step. A simplified sketch of the statistical step is given after the complexity summary below.

We now summarize the attack complexity on HQC-256-1. The cost includes the cost of pre-computation, the cost of submitting the 2^64 chosen ciphertexts in the online phase, and the cost of post-processing. We see that the complexity of this attack can be kept to 2^64 online decryption requests after a large pre-computation of about 2^254. In this setting, we pick the post-processing complexity to be smaller than the online cost. The reason is that the large pre-computation needs to be performed only once and never again, so the pre-computation cost can be amortized if one needs to break multiple keys. On the other hand, if a larger post-processing step is allowed, then the pre-computation cost can drop to 2^248 as estimated from simulation data, or 2^246 using an extrapolation model. This means that in the NIST setting, HQC-256-1 fails to reach its claimed security level.
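Before moving on to the other parameter sets, here is a rough Python illustration of the statistical-analysis step described above; it is a simplified stand-in, not the exact statistic from the paper. It assumes, for illustration, that every collected failing ciphertext has its chunk of ones in r2 starting at the same known position chunk_start, and it ranks candidate key positions by how far the conditional frequency of e_j = 1 inside the corresponding shifted window deviates from the overall rate. All names and the scoring rule are illustrative simplifications.

```python
# Simplified sketch of the statistical key-recovery step (illustrative only).
# Assumptions: the chunk in r2 starts at the known position chunk_start in every
# weak ciphertext, and the noise vectors e are known to the attacker (attacker-chosen).

def score_key_positions(failures, n, l1, chunk_start):
    """failures: list of known noise vectors e (length-n bit lists) from ciphertexts
    that caused a decryption failure.
    Returns, for each candidate key position i, the deviation of the conditional
    frequency Pr[e_j = 1 | failure] inside the window shifted by i from the overall
    rate; a larger deviation suggests x_i = 1."""
    total_ones = sum(sum(e) for e in failures)
    p_overall = total_ones / (len(failures) * n)        # baseline conditional rate
    scores = []
    for i in range(n):
        window = [(chunk_start + i + t) % n for t in range(l1)]
        ones = sum(e[j] for e in failures for j in window)
        freq = ones / (len(failures) * l1)
        scores.append(abs(freq - p_overall))
    return scores   # the w largest scores give the guessed support of x
```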
Next, we discuss the influence of this attack on the other HQC parameter sets. We adopt the assumption that 2^16 decryption failures are sufficient for recovering the key, with complexity smaller than the cost of the 2^64 online decryption oracle calls, when the DFR is about 2^-48. This assumption is verified by simulation for HQC-192-1. This table shows the estimated decryption failure probabilities. We see that the pre-computation costs for HQC-128-1, HQC-192-1, and HQC-192-2 are these values, respectively, so the pre-computation costs are still higher than the claimed security levels. However, if 2^64 keys need to be recovered, then the amortized complexities can be estimated as these values, respectively, and these are much smaller than the claimed security levels.

Next, recall how NIST defines the security levels in terms of the security of block ciphers. For instance, level 1 is defined as: any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for a key search on a block cipher with a 128-bit key, for instance AES-128. NIST goes on to say that any attack must require computational resources comparable to or greater than the stated threshold with respect to all metrics that NIST deems to be potentially relevant to practical security. So if NIST considers an attack model with pre-computation to be a relevant metric, as for instance in time-memory trade-off attacks on block ciphers, then HQC-128-1, HQC-192-1, and HQC-192-2 are all affected.

We now conclude the paper. We have presented a novel CCA attack exploiting decryption failures. One main result is a successful attack on HQC-256-1 in the NIST setting. HQC-128-1, HQC-192-1, and HQC-192-2 could be affected in different attack models, for instance when the pre-computation can be amortized or when the pre-computation is free. HQC-256-2 and HQC-256-3 are still safe. To protect against this attack, we suggest removing HQC-256-1, and we also suggest including multi-target protection, that is, deriving the randomness from a hash of the pair of the public key and the message m rather than only a hash of the message m (a small sketch of this countermeasure follows at the end). Note that this is not a weak-key attack, so it would be interesting to study the weak-key behavior of HQC. Thank you very much for your attention.
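The suggested multi-target protection can be sketched as follows; the use of SHAKE-256 and the function names here are purely for illustration and do not reproduce the exact hash functions, encodings, or domain separation of the HQC specification.

```python
import hashlib

# Illustrative only: the exact hash functions and encodings in HQC differ.

def derive_randomness_single_target(m: bytes) -> bytes:
    """Round-2 HQC.KEM style: the randomness depends on the message m only,
    so a precomputed weak m yields the same weak ciphertext randomness for
    every public key (no multi-target protection)."""
    return hashlib.shake_256(m).digest(64)

def derive_randomness_multi_target(pk: bytes, m: bytes) -> bytes:
    """Suggested countermeasure: bind the randomness to the public key as well,
    so the pre-computation of weak ciphertexts cannot be amortized across keys."""
    return hashlib.shake_256(pk + m).digest(64)
```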