IACR News item: 12 February 2024
Pierre Pébereau
ePrint Report
In this note, we show that some of the parameters of the Quotient-Ring transform proposed for VOX are vulnerable.
More precisely, they were chosen to defeat an attack in the field extension $\mathbb F_{q^l}$ obtained by quotienting $\mathbb F_q[X]$ by an irreducible polynomial of degree $l$.
We observe that we may use a smaller extension $\mathbb F_{q^{l'}}$ for any $l'|l$, in which case the attacks apply again.
We also introduce a simple algebraic attack without the use of the MinRank problem to attack the scheme.
These attacks concern a subset of the parameter sets proposed for VOX: I, Ic, III, IIIa, V, Vb.
We estimate the cost of our attack on these parameter sets and find costs of at most $2^{67}$ gates, and significantly lower in most cases.
In practice, our attack requires $0.3$s, $1.35$s and $0.56$s for parameter sets I, III and V of the initial VOX parameters, and $56.7$s and $6.11$s for parameter sets IIIa and Vb proposed after the rectangular MinRank attack.
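Why a proper divisor $l'$ of $l$ yields a smaller field in which the attack can be rerun, as an added worked step that is not part of the original abstract (standard finite-field facts only; $q$, $l$, $l'$ are the abstract's symbols, and $l = 6$ below is an illustrative value, not a VOX parameter):

Write $l = l' m$ with $m \ge 2$. Then
$$q^{l} - 1 = (q^{l'})^{m} - 1 = (q^{l'} - 1)\bigl((q^{l'})^{m-1} + (q^{l'})^{m-2} + \dots + q^{l'} + 1\bigr),$$
so $q^{l'} - 1 \mid q^{l} - 1$, hence $X^{q^{l'}-1} - 1 \mid X^{q^{l}-1} - 1$ and, multiplying by $X$, $X^{q^{l'}} - X \mid X^{q^{l}} - X$ in $\mathbb F_q[X]$. The field $\mathbb F_{q^l} = \mathbb F_q[X]/(P)$, with $P$ irreducible of degree $l$, has $q^l$ elements, every one of which is a root of $X^{q^l} - X$; that polynomial therefore splits over $\mathbb F_{q^l}$ with distinct roots, and so does its divisor $X^{q^{l'}} - X$. Its root set
$$K = \{\, x \in \mathbb F_{q^l} : x^{q^{l'}} = x \,\}$$
has exactly $q^{l'}$ elements and is closed under addition, multiplication and inversion because $x \mapsto x^{q^{l'}}$ is a ring homomorphism, i.e. $K \cong \mathbb F_{q^{l'}}$ is a subfield of $\mathbb F_{q^l}$ with $[\mathbb F_{q^l} : K] = m$. Conversely, a subfield of $\mathbb F_{q^l}$ of order $q^{l'}$ forces $l' \mid l$, so the intermediate fields are exactly the $\mathbb F_{q^{l'}}$ with $l' \mid l$. For $l = 6$, for instance, the proper intermediate fields are $\mathbb F_{q}$, $\mathbb F_{q^2}$ and $\mathbb F_{q^3}$. Any attack that a degree-$l$ extension was chosen to block, but which works over a degree-$l'$ extension, can thus be mounted over $K$ instead of over $\mathbb F_{q^l}$, which is the observation the note exploits.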