Hello, I'm Ray Perlner and I'm here to speak about cryptanalysis of LEDAcrypt, joint work with Daniel Apon, Angela Robinson, and Paolo Santini. We're going to be talking about an attack on a NIST PQC candidate in the second round called LEDAcrypt, which is based on an older scheme, the quasi-cyclic low-density parity-check (QC-LDPC) McEliece scheme. Prior to our attack, this construction had been around for about 12 years without major breaks. Our attack was a major factor in why it didn't make it to the third round. LEDAcrypt did publish a new spec which avoided the attack; however, NIST decided that the fix was too large a tweak and made the scheme too similar to its competitor BIKE, which is based on the quasi-cyclic moderate-density parity-check (QC-MDPC) McEliece scheme from 2012.

Conceptually the two schemes are quite similar. In both cases, the private key is a sparse binary quasi-cyclic parity-check matrix, which we've denoted L here. The public key is just the systematic form of a quasi-cyclic parity-check matrix M for the same code. The cyclic blocks of dimension p can also be treated as polynomials. The important thing to know is that you can get a key recovery on this scheme by obtaining any row of L from the public key M. What's unique about the unpatched version of LEDAcrypt and the QC-LDPC scheme is that the private key factors into two sparser matrices, H and Q.

Let's look at the parameters, because we'll refer back to these throughout the rest of the presentation. n0 is the number of cyclic blocks in H, L, and M, which might be two, three, or four. p is the dimension of the cyclic blocks. d_v is the row Hamming weight of each block of H, and the m_i give the row weights of the blocks of Q; which m_i goes with which block is diagrammed in the matrix below with the colors. Finally, there's another parameter t which is not terribly important to our attack. These are the actual parameter values given in the second-round LEDAcrypt spec.
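The product structure described above can be sketched in a few lines of Python. This is a toy model with made-up tiny parameters (the real p is in the tens of thousands, and the supports below are not real key values): each p x p circulant block is represented by the support of a polynomial in GF(2)[x]/(x^p - 1), and for n0 = 2 the private key is L = [L0 | L1] with L_j = H0*Q0j + H1*Q1j.

```python
# Toy model of the quasi-cyclic product structure L = H * Q.
# Assumption: small illustrative parameters, not real LEDAcrypt values.
P = 17  # toy circulant block size

def poly_mul(a, b, p=P):
    """Multiply two GF(2) polynomials mod x^p - 1, supports given as sets."""
    counts = {}
    for i in a:
        for j in b:
            k = (i + j) % p
            counts[k] = counts.get(k, 0) + 1
    # Coefficients are mod 2, so keep exponents that occur an odd number of times.
    return {k for k, c in counts.items() if c % 2 == 1}

def poly_add(a, b):
    """Add (XOR) two GF(2) polynomials given by their supports."""
    return a ^ b

# n0 = 2: H = [H0 | H1], Q is a 2x2 block matrix; L_j = H0*Q0j + H1*Q1j.
H = [{0, 3, 7}, {1, 4, 9}]              # sparse blocks of H (toy supports)
Q = [[{0, 5}, {2}], [{6}, {0, 8}]]      # sparse blocks of Q (toy supports)
L = [poly_add(poly_mul(H[0], Q[0][j]), poly_mul(H[1], Q[1][j]))
     for j in range(2)]
print([sorted(block) for block in L])
```

Note that L is denser than H and Q individually, which is exactly the property the attack below exploits.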
In particular, we will be focusing on the parameters targeting 256 bits of security, in category 5 with n0 = 2. To summarize our attacks: the most important version is a weak-key attack, and it applies to all parameter sets. The idea is that we run some attack for computation equivalent to 2^y AES operations, and this recovers keys that are chosen with probability 2^-x by LEDAcrypt's key generation procedure. As long as x and y add up to less than the security parameter, this constitutes a real attack. For example, with the category 5 CPA parameters with n0 = 2, which is where our attack is strongest relative to the claimed security level, we have one in 2^47.72 keys being found in time equivalent to 2^49.22 AES operations, so x + y is 96.94, which is significantly less than the 256 claimed by the submission. We can also apply the attack in settings that are less advantageous. Probably the worst setting is where the claimed security level is quite low, category 1, and where n0 is chosen to be the largest value, 4, but even there we expect x + y to be something like 90, which is less than the claimed security level of 128.

There's also an average-case version of the attack. We can think of the fraction of weak keys approaching 1, and then as long as the attack is cheaper than the standard attack, there's an advantage. It's a little difficult to estimate exactly how much of an advantage we're getting with concrete parameters, but we do suspect there will be a significant advantage by the time you reach category 5, as long as we've chosen the more favorable n0 = 2.

Our attack is an extension of the standard attack, which is information set decoding. The basic idea is that we're just going to guess p bits of a low-weight row of L; these rows are in the row space of M, so we can linearly solve for the rest of the row.
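The weak-key accounting above is simple enough to check directly. A minimal sketch, using the category 5 CPA numbers from the talk:

```python
# Weak-key attack accounting: an attack costing 2^y operations that
# succeeds on a 2^-x fraction of keys beats a claimed security level
# lambda whenever x + y < lambda.
x = 47.72    # -log2(fraction of keys recovered), category 5 CPA, n0 = 2
y = 49.22    # log2(attack cost in AES-operation equivalents)
claimed = 256
total = x + y
print(total, total < claimed)   # 96.94, comfortably below 256
```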
The p bits that we're guessing are called the information set. In more detail, what we do is choose a permutation. We hope that the first p bits of a permuted row are, say, a single 1 and a bunch of zeros; if so, we can just take the inverse of the first block of the permuted public key, multiply it through, and the top row of the result will be the permuted top row of L. There are more advanced versions of this, but they have the same asymptotic complexity, given by the formula at the bottom of the slide.

So how is our attack different? We can look at the attack that LEDAcrypt analyzed, and there's one thing about it we can change. Recall that we chose p columns of the parity-check matrix to guess, or equivalently p bits of a row, and in the analysis used to set LEDAcrypt's parameters these p bits were chosen randomly. Our idea is to pick the bits we guess non-randomly. Recall that we want to find p bits of a row of L that are more likely than average to match our guess, which is going to be mostly zeros, because there are more zeros than ones. Equivalently, we want almost all the nonzero bits of the row of L to lie outside the information set, and we can think of this set as the support of a polynomial designed to mirror the structure of the polynomials that make up LEDAcrypt's private key. We generate an h' with the same structure as h and a q' with the same structure as q; we make them less sparse, and we take them over the integers, but then we multiply just as we multiply to get L, giving us an L'. If the support of h' contains the support of h and the support of q' contains the support of q, then the support of L will be contained in the support of L', and we can use the complement of that support as an information set and recover the key. Unfortunately, this attack is not very good for concrete parameters unless h' and q' are chosen carefully.
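The basic information-set-decoding loop described above can be sketched on a toy code. This is a minimal Prange-style search, under stated assumptions: rows of the public matrix are stored as Python ints (one bit per column), the parameters are tiny, and the planted low-weight row stands in for a row of L in the row space of M. It is an illustration of the idea, not the optimized attack.

```python
import random

def rref(rows, n):
    """Gauss-reduce a list of GF(2) row vectors (ints with n columns);
    return the nonzero (pivot) rows."""
    rows = rows[:]
    r = 0
    for c in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i] >> c & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i] >> c & 1:
                rows[i] ^= rows[r]
        r += 1
    return rows[:r]

def prange(M_rows, n, target_weight, iters=2000, seed=1):
    """Search the row space of M for a codeword of weight <= target_weight."""
    rng = random.Random(seed)
    for _ in range(iters):
        # Guess an information set by permuting the columns at random.
        perm = list(range(n))
        rng.shuffle(perm)
        permuted = [sum((row >> perm[j] & 1) << j for j in range(n))
                    for row in M_rows]
        for row in rref(permuted, n):
            # If exactly one pivot lands in the codeword's support,
            # the codeword shows up directly as a reduced row.
            if bin(row).count("1") <= target_weight:
                # Undo the column permutation.
                return sum((row >> j & 1) << perm[j] for j in range(n))
    return None

# Toy demo: hide a weight-3 row in the row space of a 3 x 20 matrix.
n = 20
rng = random.Random(7)
secret = (1 << 2) | (1 << 9) | (1 << 15)
r1, r2 = rng.getrandbits(n), rng.getrandbits(n)
M_rows = [secret ^ r1, r1, r2]        # secret is in the span, not a row
found = prange(M_rows, n, 3)
print(found is not None and bin(found).count("1") <= 3)
```

The attack's improvement, described next, is in how the information set (here, the random permutation) is chosen.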
We need a significant fraction of the bits of L' to be zero so that we can use them as an information set, but generally, when we take the product of two polynomials, the weights multiply, so we would need h' and q' to be very sparse, which makes the probability that they contain the supports of h and q pretty low. In contrast, if we choose the nonzero coefficients of these polynomials to be consecutive, then the weights only add in the product, so we can use much less sparse h' and q' and have a much higher probability of guessing the supports of h and q.

Now let's examine an example using these principles. Here we use the simplest possible form of the information set: we just take h' and q' to be polynomials with all coefficients up to degree p/4 nonzero and the rest zero. The products then have the proper weight for us to choose an information set. The probability that each nonzero bit of h or q is contained in the support of h' or q' is about one-fourth, and the total number of nonzero bits that need to fall in this quarter of the coefficients is 11·2 + 7·2 + 6·2 = 48. So we might guess that a single iteration of information set decoding with this information set would recover 1 in 4^48, or 1 in 2^96, private keys, and this would already be an attack. But there is in fact more: a large number of possible private keys produce the same public key, recovering any one of which is sufficient to attack the scheme, and we can parametrize these with numbers alpha, beta, and gamma.
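The "weights multiply versus weights add" observation is easy to see concretely. Since h' and q' are taken over the integers, there is no mod-2 cancellation and the support of the product is just the sumset of the supports. A small sketch (toy values are illustrative assumptions):

```python
# Over the integers, supp(h' * q') is the sumset of the supports (mod p):
# for generic scattered supports its size is close to the product of the
# weights, but for consecutive runs the sizes only add (minus one).

def sumset(a, b, p):
    """Support of the product of two nonnegative-integer polynomials
    mod x^p - 1: no cancellation, so just the sumset of exponents."""
    return {(i + j) % p for i in a for j in b}

p = 101
scattered_a = {0, 13, 40, 77}
scattered_b = {0, 9, 31, 62}
run_a = set(range(4))            # 1 + x + x^2 + x^3
run_b = set(range(4))
print(len(sumset(scattered_a, scattered_b, p)))  # 16 = 4 * 4
print(len(sumset(run_a, run_b, p)))              # 7 = 4 + 4 - 1
```

So consecutive-support h' and q' leave far more zeros in L' for the same guessing probability, which is what makes the information set usable.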
Now, changing alpha, beta, and gamma by a little bit will usually just get you a key you would have gotten anyway, or one you wouldn't have gotten with the similar values of alpha, beta, and gamma, but there's still enough freedom there to increase the number of keys broken by a single information set to about 1 in 2^80. But there's more. We also have freedom in how we interpret which h' and q' were used to produce a given information set: if we take the degree of h' up a bit and the degree of q' down a bit, or vice versa, we produce the same information set, and as long as h and q are contained in the supports of any such h' and q', the key will be recovered. This consideration brings the number of keys broken by a single iteration up to 1 in 2^72.8. But there's more still.

So far we were using the simplest version of information set decoding. There's been lots of progress in making these algorithms a little more efficient, effectively trying multiple guesses at once. Advanced information set decoding algorithms can tolerate something like six nonzero bits in the information set without increasing the cost of an iteration. We can model this by thinking of the supports of h and q as being contained in higher-weight polynomials h' and q'. In these terms, we expect the nonzero bits of h and q to be distributed in this triangular pattern, where only the tails fall inside the information set; as long as there are no more than six nonzero bits in these tails, we still recover the key. This brings the number of keys broken by a single iteration of information set decoding all the way up to 1 in 2^62.66.

So that's one iteration. How many keys can we get with multiple iterations? Well, we have to choose a different information set that's equally good.
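The gain from tolerating a few nonzero bits in the information set can be quantified with a simple tail probability. The sketch below uses a uniform model for where the nonzero bits fall (the talk's actual distribution is the triangular one just described, so these numbers are only illustrative, and the toy sizes are assumptions):

```python
from math import comb

# For a uniformly random weight-w vector of length p, the chance that at
# most t of its nonzero bits land in an information set of k positions
# is a hypergeometric tail.
def tail_prob(p, k, w, t):
    """P[at most t of the w nonzero positions fall among k chosen positions]."""
    return sum(comb(k, i) * comb(p - k, w - i)
               for i in range(t + 1)) / comb(p, w)

p, k, w = 1000, 500, 48          # toy sizes, not real parameters
print(tail_prob(p, k, w, 0), tail_prob(p, k, w, 6))
```

Allowing t = 6 instead of t = 0 raises the per-iteration success probability by orders of magnitude at essentially no extra cost per iteration, which is the effect driving the improvement from 2^72.8 down to 2^62.66.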
One way we can do this is by looking at the pattern of the information set, which is the blank bits on this diagram. Half of L is outside the information set, half of each block, so we can change which half: we can shift one of the blocks around. There's also another way to generate new information sets, which we'll talk about later, which is changing how the ring is represented.

The first thing we can do is change the offset, as in the diagram here. Note that if you shift both blocks, this doesn't really do anything for us; we're in fact recovering exactly the same keys. And even if you shift one of the blocks by a small amount, that doesn't help all that much, because usually if you move it a little bit, you're not going to get anything you didn't get already. But we still think you can do about 24 different offsets without too much overlap.

Then there are ring representations. There's a family of ring isomorphisms that take the ring corresponding to a cyclic matrix to itself, where you just take the polynomial variable x and replace it with x^k. If the coefficients are consecutive under any of these representations, then the same additivity applies.

Now there is one factor that makes our attack not quite as good, which is rejection sampling. Our calculation above assumed that any h and q with the correct weights would be a valid key, but this is not really the case, because in the LEDAcrypt key generation procedure, any key where the weight of L is not the maximum possible value is rejected. This results in the rejection of about 39.2% of keys, but 67.4% of the weakest keys. However, this only costs about one bit of security relative to the simple way of calculating how effective our attack is.

When we put this all together, we have an attack consisting of 2^18.72 iterations, where each iteration costs something like 2^30.5 AES operations.
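The ring-representation trick can be made concrete in a few lines. For gcd(k, p) = 1, the substitution x -> x^k is an automorphism of GF(2)[x]/(x^p - 1), acting on supports by s -> k·s mod p, so a support that is a step-k arithmetic progression in one representation is a consecutive run in another. The toy p and k below are assumptions for illustration:

```python
def gf2_mul(a, b, p):
    """Support of the product of two GF(2) polynomials mod x^p - 1."""
    counts = {}
    for i in a:
        for j in b:
            counts[(i + j) % p] = counts.get((i + j) % p, 0) + 1
    return {s for s, c in counts.items() if c % 2}

def phi(a, k, p):
    """Apply the substitution x -> x^k to a polynomial given by its support."""
    return {(k * s) % p for s in a}

p, k = 17, 5
a, b = {0, 3, 7}, {1, 4, 9}
# Automorphism property: phi(a * b) == phi(a) * phi(b).
print(phi(gf2_mul(a, b, p), k, p) == gf2_mul(phi(a, k, p), phi(b, k, p), p))

# A step-k progression becomes a consecutive run under the inverse map:
progression = {(k * s) % p for s in range(4)}      # {0, 5, 10, 15}
print(sorted(phi(progression, pow(k, -1, p), p)))  # [0, 1, 2, 3]
```

Because multiplication commutes with these maps, an information set built from consecutive supports in any one representation works just as well, which is what multiplies the number of usable information sets.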
And we recover at least one in 2^47.74 private keys, so when we multiply those out, the net cost of the attack is 2^49.2 AES operations, as promised.

Now I'll talk a bit about what you do when n0 is not two. Naively you might think this makes the attack much less effective, because while the number of blocks in H only increases linearly, the number of blocks in Q increases quadratically. However, instead of attacking the whole public key and private key, we can simply look at the first two blocks of each. When we do that, we're only guessing linearly many more polynomials, so only linearly many more nonzero bits need to fall inside the information set.

Then there's one other extension of the attack: we can attack a broader set than the weak keys we've been looking at. The downside is that our h' and q' will need to be somewhat sparser, because we can't just use a single block of consecutive coefficients, but we can use a small number of blocks of consecutive coefficients in each block of the public key. We worked out an example, which was too long and not quite rigorous enough to put in the paper, but we were trying to slightly overestimate the complexity, and we found that you're probably reducing the security level of the CPA parameters from 256 bits to 248, or perhaps even a little less. What we do know for sure is that asymptotically the attack must work even without considering weak keys, because for the standard attack the cost of key recovery is exponential in the square root of the key size, whereas our attack is exponential in the fourth root of the key size. That said, there's another, simpler attack with this property, which is to just guess all the bits of h and q. That is considered in the submission document, but its concrete complexity was significantly too high to affect the parameters.
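The square-root versus fourth-root asymptotic gap is easy to visualize numerically. A rough sketch, with the constant c = 1 as a placeholder assumption (the true constants differ and matter concretely):

```python
import math

# Standard key recovery costs roughly exp(c * sqrt(n)) in the key size n;
# the structured attack costs roughly exp(c * n**0.25).
def log2_cost_standard(n, c=1.0):
    return c * math.sqrt(n) / math.log(2)

def log2_cost_structured(n, c=1.0):
    return c * n ** 0.25 / math.log(2)

for n in (10**4, 10**6, 10**8):
    print(n, round(log2_cost_standard(n)), round(log2_cost_structured(n)))
```

Whatever the constants, the fourth-root exponent eventually dominates, which is why the attack must win asymptotically even on average-case keys.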
We think our attack is much closer to affecting the parameters, even if it doesn't quite do so. In conclusion, our attack shows that LEDAcrypt's product structure is a security problem, both asymptotically and concretely, and the weak-key attacks are actually pretty close to being of practical relevance. The fact that the weak-key attacks grade smoothly into more expensive attacks on a larger class of keys, or on all keys, makes security analysis and patching the scheme quite difficult, except by doing what the LEDAcrypt team chose to do: replace Q with an identity matrix, which simply makes the LDPC construction the same as the MDPC construction. Thank you.