Dear all,
We would like to inform you about our response to the recent attack on the Layered ROLLO scheme. After thorough analysis, we have determined that the new attacks pose a potential risk to the conventional Layered ROLLO scheme, which could compromise its security or even break the cryptosystem. In order to address this issue, we have made the following modifications to the Layered ROLLO scheme:
Firstly, to prevent new combinatorial and algebraic attacks, we have increased the rank weight r of the error vector. It is important to note that this increase in r may result in a slight decrease in processing speed. However, computer simulations have demonstrated that the overall performance advantage is still maintained.
Secondly, we have implemented a measure to avoid direct attacks using two public keys. This is achieved by selecting different modulus pairs from P and P^b. Such attacks were observed when the inverse (P')^{-1} of the modulus P^b could be reduced by (P')^{-1} on modulus P after P-modulus reduction, by the equality P'(1 + P + … + P^{b-1})(P')^{-1} = P^b − 1 if P'(P')^{-1} = P − 1. We effectively mitigate this type of attack using the different moduli.
Lastly, we have addressed the error by enhancing the security level against conventional combinatorial attacks. This is achieved by increasing the degree of P_I.
For more detailed information about our modifications, we have provided an attached document that outlines the revised schemes and suggests new parameters. Additionally, we have included the corresponding implementation code for your reference.
We would like to express our gratitude to the researchers for their valuable analysis and suggestions regarding the vulnerabilities in the Layered ROLLO scheme.
Sincerely,
Chanki Kim, Young-Sik Kim, and Jong-Seon No
Dear all,
We would like to inform you about our response to the recent analysis on the Layered ROLLO scheme. In the previous round, we modified the Layered ROLLO scheme in order to prevent the new attacks: Improved attack based on the RSD on rank weight r and direct attack by using two PKs P_H and P_P. However, the modified scheme still exhibited some vulnerabilities and we fixed those issues as follows.
For the first attack, we focused on a single attack scenario, but there are still several variants that can diminish security levels further. The positive aspect is that we can offset the reduction in security levels quite easily. In the proposed scheme, we further increase the rank weight 'r.' It is important to note that we have previously emphasized that decryption performance primarily depends on d rather than r.
For the second attack, we thought that using two co-prime moduli P^{(1)} and P^{(2)} can make a trapdoor for the proposed scheme. However, they found that a low degree of P_I can be used to get an over-determined linear equation because the attacker knows that many zeros should be located in the higher degrees. In the key generation phase of the new scheme, the concept of polynomial masking is used, which was actually adopted in the initial submission. In detail, the PK P_P = P_I P_O is converted into P_P = P_O(P_I + P_N P^{(1)}), where P_I + P_N P^{(1)} can have high degree and it makes an under-determined equation. With modified degree constraints, the remaining procedure of encapsulation and decapsulation remains unchanged. Another idea is exploiting P^{(1)} as SK, which hides the structure of P_H and the ideal LRPC codes. With the modified scheme, attack scenarios should be changed, and they are written in the attached slide.
To this end, we apply a slight change to the procedure and parameters of ROLLO based on our analysis. Accordingly, the implementation codes are also modified and newly uploaded on the web. New simulation shows that the performance gain is maintained. You may build and run a test. In addition, we found an error in the analyzed SL values originating from a typo in the sagemath codes. Thus, we modified the codes and recalculated the security level correctly.
We would like to express our gratitude to the researchers for their valuable analysis and suggestions regarding the vulnerabilities in the Layered ROLLO scheme.
Sincerely,
Chanki Kim, Young-Sik Kim, and Jong-Seon No
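As an added illustration (not part of the authors' message and not the Layered ROLLO reference code), the following Python shows the masking identity described above: the masked key P_O(P_I + P_N P^{(1)}) has much higher degree than the plain key P_O P_I, so the high-degree coefficients are no longer known zeros, yet both keys agree modulo the inner modulus P^{(1)}. The GF(2) coefficient field, the toy degrees and the function names are assumptions made for the illustration.

```python
# Added illustration, not Layered ROLLO code. Polynomials over GF(2) are packed
# into Python ints (bit i = coefficient of x^i). Layered ROLLO works over
# F_{2^m}; GF(2) is a simplification that keeps the degree argument intact.

def deg(a: int) -> int:
    """Degree of a GF(2)[x] polynomial, -1 for the zero polynomial."""
    return a.bit_length() - 1

def pmul(a: int, b: int) -> int:
    """Carry-less multiplication, i.e. the product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pmod(a: int, m: int) -> int:
    """Remainder of a divided by m in GF(2)[x]."""
    dm = deg(m)
    while deg(a) >= dm:
        a ^= m << (deg(a) - dm)
    return a

def plain_pk(P_O: int, P_I: int) -> int:
    """Unmasked public key P_P = P_O * P_I (low-degree inner factor)."""
    return pmul(P_O, P_I)

def masked_pk(P_O: int, P_I: int, P_N: int, P1: int) -> int:
    """Masked public key P_P = P_O * (P_I + P_N * P^{(1)}) from the message."""
    return pmul(P_O, P_I ^ pmul(P_N, P1))

# Constructed toy parameters (assumption: tiny degrees, for illustration only).
P1 = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, playing the inner modulus P^{(1)}
P_O = 0b1011_0101    # outer factor, degree 7
P_I = 0b101          # low-degree inner factor, degree 2
P_N = 0b1101_1001    # random masking polynomial, degree 7

def compare(P_O: int = P_O, P_I: int = P_I, P_N: int = P_N, P1: int = P1) -> dict:
    """Degrees of both keys and whether they coincide modulo P^{(1)}."""
    plain, masked = plain_pk(P_O, P_I), masked_pk(P_O, P_I, P_N, P1)
    return {
        "deg_plain": deg(plain),     # deg(P_O) + deg(P_I): many known zero coefficients above it
        "deg_masked": deg(masked),   # deg(P_O) + deg(P_N) + deg(P1): the zeros are gone
        # P_N * P^{(1)} vanishes modulo P^{(1)}, so inner-layer arithmetic is unchanged.
        "same_mod_P1": pmod(plain, P1) == pmod(masked, P1),
    }
```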
Dear all,
We would like to inform you about our response to the recent analysis on the Layered ROLLO scheme. In the previous round, we modified the Layered ROLLO scheme in order to prevent the attack using PK. On the contrary, the new attacks are based on the fixed location of the error polynomials P_{E,1} and P_{E,2} on the ciphertext, which can recover the error vector directly. Note that the new attack uses information set decoding from CT and PK and it is different from the previous attack using PK only. Nevertheless, both attacks actually originated from the fixed nonzero element indices given by the low-degree polynomials and thus, the corresponding solutions are similarly induced.
For the modified schemes, polynomial masking on CT can be used, which makes it hard to find exact values without guessing the noise term P_{N,C}. Accordingly, we apply a parameter change including increased PK sizes compared to those of the Layered ROLLO submission.
Note that the implementation codes are also modified and newly uploaded on the web. We also fixed some issues of constant-time implementation and memory leaks commented on by KPQClean.
We would like to express our gratitude to the researchers for their valuable analysis and suggestions regarding the vulnerabilities in the Layered ROLLO scheme.
Sincerely,
Chanki Kim, Young-Sik Kim, and Jong-Seon No
Dear all,
We would like to inform you about our response to the 4th analysis on the Layered ROLLO scheme. As in the response, the new scheme can successfully prevent the new attack, which is achieved by using a new PK regarding the inner modulus P^{(1)}. However, the new PK can be used to additionally reveal some information, and new attacks can break LROLLO-128 and LROLLO-192, where the degree of the error polynomials, represented by the difference between n^{(1)} and n^{(2)}, is small.
In the revised scheme, we increased the parameter n^{(2)}, where n^{(2)} is increased to nearly 2n^{(1)} for LROLLO-128 and LROLLO-192. However, the KEM scheme and the parameters of LROLLO-256 are unchanged.
In addition, we noticed the commented issues on the implementation of the inner modulus P^{(1)}, where P^{(1)} is declared as a fixed polynomial as in the initial source code RBC in ROLLO-I. In this case, the corresponding SL can be lowered from the low-degree polynomial P_B/P^{(1)} when the modulus polynomial P^{(1)} is known by the attacker. Therefore, we are trying to modify it while minimizing the additional processing time (i.e. processing cycles) until the end of the 2nd submission. There seem to be some options when considering the performance optimization.
We would like to express our gratitude to the researchers for their valuable analysis and suggestions regarding the vulnerabilities in the Layered ROLLO scheme.
Sincerely,
Chanki Kim, Young-Sik Kim, and Jong-Seon No