OFFICIAL COMMENT: Edon-K


Matthieu Lequesne

Feb 20, 2018, 10:30:07 AM
to pqc-co...@nist.gov, pqc-...@list.nist.gov, tillich
Dear all,

We mentioned the existence of an attack on the Edon-K KEM on January 5th.
A detailed description of our attack is now available on arxiv:
https://arxiv.org/abs/1802.06157.

We also implemented the attack. Our script reads the public key and
ciphertext from the KAT file and successfully recovers the secret within
a minute.
You will find the Sage script attached. It is designed to work on the
reference version (named "edonk128ref"). It reads its input from the
file "PQCkemKAT.rst" (placed in the same directory) and successfully
recovers the shared secret for all examples. Just run "sage
edonk-attack.sage" to try it on the first example of the KAT file.

We would like to thank Danilo Gligoroski who answered all our questions
about his scheme.

Best regards,

Matthieu Lequesne and Jean-Pierre Tillich

edonk-attack.sage
PQCkemKAT.rsp

Danilo Gligoroski

Feb 20, 2018, 12:33:19 PM
to pqc-...@list.nist.gov
Hi,

I want to congratulate Matthieu and Jean-Pierre for their excellent job.

Although there are several other ways to mitigate the attack on Edon-K that are not discussed in the paper (such as increasing the rank of the matrix H), I think that at this moment it would be better to focus our attention on other good submissions that have not yet received much attention.

I also appreciate NIST's offer to describe the current scheme at the upcoming workshop, even though it has been broken. NIST, so far, is running the PQC standardization process with a lot of authority, credibility, and fair treatment of all submitters.

I withdraw Edon-K from the standardization process.

Best regards,
Danilo!