# Practical Algebraic Attack on DAGS

**Authors:** Magali Bardet, Manon Bertin, Alain Couvreur, Ayoub Otmani

arXiv: 1905.03635 · 2021-03-05

## TL;DR

This paper improves the algebraic attack on the DAGS key encapsulation mechanism by tuning the ratio of equations to variables in the polynomial system, recovering private keys for the original parameters in seconds and breaking the updated 128-bit parameter set with 2^83 operations.

## Contribution

It introduces a hybrid algebraic attack that combines an exhaustive search on some variables with a Gröbner basis computation on the rest, shows that raising the equation-to-variable ratio speeds up the solving, and demonstrates that the latest DAGS parameters remain vulnerable.

## Key findings

- The attack recovers the private key of the original DAGS parameters in a few seconds.
- The updated DAGS parameter set targeting 128-bit security can be broken with 2^83 operations.
- Increasing the ratio of equations to variables, even by adding variables, improves the performance of the algebraic attack up to a threshold.

## Abstract

The DAGS scheme is a key encapsulation mechanism (KEM) based on quasi-dyadic alternant codes that was submitted to the NIST standardization process for a quantum-resistant public key algorithm. Recently an algebraic attack was devised by Barelli and Couvreur (Asiacrypt 2018) that efficiently recovers the private key. It shows that DAGS can be totally cryptanalysed by solving a system of bilinear polynomial equations. However, some sets of DAGS parameters were not broken in practice. In this paper we improve the algebraic attack by showing that the original approach was not optimal in terms of the ratio of the number of equations to the number of variables. Contrary to the common belief that reducing at any cost the number of variables in a polynomial system is always beneficial, we actually observed that, provided that the ratio is increased and up to a threshold, the solving can be heavily improved by adding variables to the polynomial system. This enables us to recover the private keys in a few seconds. Furthermore, our experiments also show that the maximum degree reached during the computation of the Gröbner basis is an important parameter that explains the efficiency of the attack. Finally, the authors of DAGS updated the parameters to take into account the algebraic cryptanalysis of Barelli and Couvreur. In the present article, we propose a hybrid approach that performs an exhaustive search on some variables and computes a Gröbner basis on the polynomial system involving the remaining variables. We then show that the updated set of parameters corresponding to 128-bit security can be broken with 2^83 operations.
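The hybrid approach in the abstract rests on a property of bilinear systems: once one block of variables is fixed, every equation becomes linear in the remaining block, so the cost is the size of the guessed block's search space times the cost of one linear solve. The following added example (not code from the paper or the DAGS submission) illustrates that principle on a constructed toy instance: a random bilinear system over GF(7) with a planted solution, solved by exhaustive search on the x-block and Gaussian elimination on the y-block. The field size, variable counts and the random instance are assumptions chosen to keep the search tiny; the actual DAGS key equations have far more structure and are not reproduced here.

```python
import itertools
import random

P = 7  # constructed: a small prime field so the exhaustive phase is instant


def rref_mod_p(A, b, p):
    """Row-reduce the augmented matrix [A | b] over GF(p).

    Returns (rows, pivots) with rows in reduced row echelon form and
    pivots[i] the pivot column of row i, or None if the system is inconsistent.
    """
    rows = [list(r) + [bi] for r, bi in zip(A, b)]
    n = len(A[0])
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i][c] % p), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)
        rows[r] = [(v * inv) % p for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] % p:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % p for vi, vr in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == len(rows):
            break
    # A zero coefficient row with a nonzero constant means no solution.
    for i in range(r, len(rows)):
        if all(v % p == 0 for v in rows[i][:n]) and rows[i][n] % p:
            return None
    return rows[:r], pivots


def solve_linear_mod_p(A, b, p):
    """All y in GF(p)^n with A y = b (mod p); empty list if inconsistent."""
    res = rref_mod_p(A, b, p)
    if res is None:
        return []
    rows, pivots = res
    n = len(A[0])
    free = [c for c in range(n) if c not in pivots]
    sols = []
    for fvals in itertools.product(range(p), repeat=len(free)):
        y = [0] * n
        for c, v in zip(free, fvals):
            y[c] = v
        # In RREF each pivot row reads: y_c + sum_{f free} row[f] * y_f = row[n]
        for row, c in zip(rows, pivots):
            y[c] = (row[n] - sum(row[f] * y[f] for f in free)) % p
        sols.append(tuple(y))
    return sols


def make_bilinear_system(n_x, n_y, n_eq, p, seed=1):
    """Constructed toy instance: random bilinear equations with a planted solution.

    Equation form: sum_ij M[i][j] x_i y_j + sum_i bx[i] x_i + sum_j cy[j] y_j + d = 0 (mod p).
    """
    rng = random.Random(seed)
    x_star = [rng.randrange(p) for _ in range(n_x)]
    y_star = [rng.randrange(p) for _ in range(n_y)]
    eqs = []
    for _ in range(n_eq):
        M = [[rng.randrange(p) for _ in range(n_y)] for _ in range(n_x)]
        bx = [rng.randrange(p) for _ in range(n_x)]
        cy = [rng.randrange(p) for _ in range(n_y)]
        val = (sum(M[i][j] * x_star[i] * y_star[j] for i in range(n_x) for j in range(n_y))
               + sum(bx[i] * x_star[i] for i in range(n_x))
               + sum(cy[j] * y_star[j] for j in range(n_y)))
        eqs.append((M, bx, cy, (-val) % p))  # choose d so the planted point is a root
    return eqs, tuple(x_star), tuple(y_star)


def evaluate(eq, x, y, p):
    """Value of one bilinear equation at (x, y); zero means satisfied."""
    M, bx, cy, d = eq
    return (sum(M[i][j] * x[i] * y[j] for i in range(len(x)) for j in range(len(y)))
            + sum(bx[i] * x[i] for i in range(len(x)))
            + sum(cy[j] * y[j] for j in range(len(y))) + d) % p


def specialise(eq, x, p):
    """Fix the x-block: the equation becomes linear in y, as (coeffs, rhs)."""
    M, bx, cy, d = eq
    coeff = [(sum(M[i][j] * x[i] for i in range(len(x))) + cy[j]) % p for j in range(len(cy))]
    rhs = (-(sum(bx[i] * x[i] for i in range(len(x))) + d)) % p
    return coeff, rhs


def hybrid_solve(eqs, n_x, p):
    """Exhaustive search on x, linear solve on y. Returns (solutions, number of guesses)."""
    sols, guesses = [], 0
    for x in itertools.product(range(p), repeat=n_x):
        guesses += 1  # the exhaustive factor is p**n_x, the knob the hybrid approach tunes
        A, b = zip(*(specialise(eq, x, p) for eq in eqs))
        sols.extend((x, y) for y in solve_linear_mod_p(list(A), list(b), p))
    return sols, guesses
```

With two guessed variables the search visits 7^2 = 49 candidates, each costing one small Gaussian elimination; in the real attack the guessed block is chosen so that this factor, multiplied by the cost of the Gröbner basis on the remaining variables, is minimised, which is where the 2^83 figure for the updated parameters comes from.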


---
Source: https://tomesphere.com/paper/1905.03635