HFERP - A New Multivariate Encryption Scheme

Size: px

Start display at page:

Download "HFERP - A New Multivariate Encryption Scheme"

Agnes Nicholson
6 years ago
Views:

- A New Multivariate Encryption Scheme Yasuhiko

Smith-Tone (NIST, University of Louisville) Tsuyoshi

Louisville) 10 April, 2018 10 April, 2018 Ikematsu,

1 - A New Multivariate Encryption Scheme Yasuhiko Ikematsu (Kyushu University) Ray Perlner (NIST) Daniel Smith-Tone (NIST, University of Louisville) Tsuyoshi Takagi (Kyushi University) Jeremy Vates (University of Louisville) 10 April, April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 1/34

2 Early History C Triangular Encryption schemes HFE 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 2/34

3 Early History C Triangular Encryption schemes HFE All of these are essentially broken. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 2/34

4 More Recent Attempts ABC Simple Matrix Scheme (quad and cubic) ZHFE Extension Field Cancellation HFE- 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 3/34

5 Properties of Surviving Schemes Typically have twice as many equations as variables (roughly). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 4/34

6 Properties of Surviving Schemes Typically have twice as many equations as variables (roughly). Question Can we have fewer equations with efficient key gen, encryption, decryption? 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 4/34

7 Idea for Constructing Encryption Scheme Idea Bootstrap the structure of successful signature schemes to achieve encryption. (Add some central equations that make the choice of vinegar variables in inversion deterministic.) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 5/34

8 Idea for Constructing Encryption Scheme Idea Bootstrap the structure of successful signature schemes to achieve encryption. (Add some central equations that make the choice of vinegar variables in inversion deterministic.) Benefit: Security of the shell is well understood. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 5/34

9 Idea for Constructing Encryption Scheme Idea Bootstrap the structure of successful signature schemes to achieve encryption. (Add some central equations that make the choice of vinegar variables in inversion deterministic.) Benefit: Security of the shell is well understood. Benefit: Do not need to add so many equations. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 5/34

10 Idea for Constructing Encryption Scheme Idea Bootstrap the structure of successful signature schemes to achieve encryption. (Add some central equations that make the choice of vinegar variables in inversion deterministic.) Benefit: Security of the shell is well understood. Benefit: Do not need to add so many equations. Drawback: Not an original idea. (Usually weak!) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 5/34

11 1 Use UOV (or Rainbow). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 6/34

12 1 Use UOV (or Rainbow). 2 Use the plus modifier (adding random central equations). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 6/34

13 1 Use UOV (or Rainbow). 2 Use the plus modifier (adding random central equations). 3 Drop in invertible central map *. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 6/34

14 Constants and Structures Fix d, o, r, s Z +, n = d + o, and m = d + o + r + s, a finite field k = GF (q), a degree d extension K of k, a basis (θ 1,..., θ d ) of K/k, and a k-vector space isomorphism φ : k d K defined by φ(x) = d x i θ i. i=1 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 7/34

15 Critical Layer Use an efficiently invertible quadratic map F * : K K. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 8/34

16 Rainbow Layer V = {1,..., d}, O = {d + 1,..., d + o = n} f 1 (x 1,..., x d, x d+1,, x n ) = f o+r (x 1,..., x d, x d+1,, x n ) =. i V,j O i V,j O a (1) i,j x ix j + i,j V b (1) i,j x ix j, a (o+r) i,j x i x j + b (o+r) i,j x i x j, i,j V F R = (f 1,..., f o+r ) : k n k o+r (quadratic map). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 9/34

17 Plus Layer f 1(x 1,..., x n ) = f s (x 1,..., x n ) =. 1 i j n 1 i j n c (1) i,j x i x j, c (s) i,j x ix j, F P = (f 1,..., f s ) : k n k s (quadratic map). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 10/34

18 Central Map F := (F *, F R, F P ) : k n k m K F * K φ φ 1 k n id k n F R k o+r id 2 k m id id 3 k n F P k s 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 11/34

19 F is easily invertible To solve F (x) = z, Solve F * φ(x 1,, x d ) = φ 1 (z 1,..., z d ) Solve F R = (f 1,..., f o+r ) : k n k o+r V = {1,..., d}, O = {d + 1,..., d + o} z d+1 =. z o+r = i V,j O i V,j O a (1) i,j x ix j + i,j V b (1) i,j x ix j, a (o+r) i,j x i x j + b (o+r) i,j x i x j, i,j V 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 12/34

20 Secret Key and Public Key S : k n k n : invertible linear map T : k m k m : invertible linear map Public key G : k n S k n F k m T k m. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 13/34

21 Use F * = F S defined by F S (X ) = X 2. K φ F * K φ 1 k d f * k d (Note that f * is a quadratic map from k d to k d.) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 14/34

22 A Relevant Algebra Let Φ : E A be the representation defined by Φ(X ) = (X, X q,..., X qn 1 ). Then we can represent G(X ) = i,j α i,jx qi +q j : [X X q X qn 1] α α 0,1 0,0 α 0,1 α 0,n 1 2 α 0,n α 2 α 1,1 1,n α 1,n 1 2 α n 1,n 1 X X q. X qn April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 15/34

23 F S F S = April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 16/34

24 MinRank Attack on min-q-rank(f S ) = 1. min-q-rank(g ) = 1. Theorem (Petzoldt,, 2017) The complexity of this attack on (q, d, o, r, s) is ( m + 1 O( ) 2 ( m 2 ) ), m = d + o + r + s. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 17/34

25 Construction Security Analysis Parameter selections and Experiments HFE Fix a degree bound D. F HFE (X ) := a i,j X qi +q j = a i,j X qi X qj, (a i,j K). q i +q j D q i +q j D K φ F HFE K φ 1 k d f HFE k d (Note that F HFE is a quadratic map on k d. ) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 18/34

26 Construction Security Analysis Parameter selections and Experiments HFE Part of Central Map [X X q X qn 1] α 2 0,r α 2 α 1,1 1,r α r,r α r 1,r α α 0,1 0,0 α 0,1 α 0,r 1 X X q. X qn 1 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 19/34

27 Construction Security Analysis Parameter selections and Experiments More on HFE Necessary Condition The positive integer D must be chosen such that F 0 (X ) = α, (α K), deg(f 0 ) D can be solved efficiently by Berlekamp s algorithm, of which the complexity is O(D 3 + dd 2 log q). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 20/34

28 Construction Security Analysis Parameter selections and Experiments Central map of Central map F := (F HFE, F R, F P ) : k n k m Public Key G := T F S. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 21/34

29 Construction Security Analysis Parameter selections and Experiments Attacks for 1 MinRank attack on HFE primitive 2 Direct attack 3 Attacks on UOV (Rainbow) structure 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 22/34

30 Construction Security Analysis Parameter selections and Experiments Lemma Assume char(k) 2. G = (G,1,, G,m ) (P 1, P 2,, P m ) G = (G,1,, G,m ) (Q 1, Q 2,, Q m ) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 23/34

31 Construction Security Analysis Parameter selections and Experiments MinRank Attack on Theorem min-q-rank(f HFE ) = log q D. The complexity of this attack on (q, d, o, r, s) is ( m + logq D O( 1 + log q D ) 2 ( m 2 ) ), m = d + o + r + s. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 24/34

32 Construction Security Analysis Parameter selections and Experiments Direct Attack on Theorem The degree of regularity d reg of (q, d, o, r, s) is bounded by { (q 1)( log d reg q D + 1)/2 + 2, (q : odd or log q D : odd) (q 1)( log q D + 2)/2 + 1, otherwise Theorem The complexity of the algebraic attack is given by ( ) n + 2 ( ) dreg n O( ), n = d + o. 2 d reg 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 25/34

33 Construction Security Analysis Parameter selections and Experiments Base Field Rank Attacks - MinRank MinRank Find one or more vectors w j satisfying m t i DG i (w j ) = 0. i=1 Comp MinRank = O ( q d m ω). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 26/34

34 Construction Security Analysis Parameter selections and Experiments Base Field Rank Attacks - Dual Rank/HighRank HighRank Find linear combinations of the public polynomials in the span of the HFE maps and first layer Rainbow maps. ( Comp HighRank = O q m d n ω). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 27/34

35 Construction Security Analysis Parameter selections and Experiments Parameter selections k = F 3 80-bit security parameters (A) (d = 42, o = 21, r = 15, s = 17, D = ) (B) (d = 63, o = 21, r = 11, s = 10, D = ) 128-bit security parameters (C) (d = 85, o 1 = o 2 = 70, r 1 = r 2 = 89, s = 61, D = ) (D) (d = 60, o 1 = o 2 = 40, r 1 = r 2 = 23, s = 40, D = ) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 28/34

36 Construction Security Analysis Parameter selections and Experiments Environment Platform All the experiments were performed using Magma on a 2.6 GHz Intel Xeon CPU. (These are not optimized implementations. They are barely implementations.) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 29/34

37 Construction Security Analysis Parameter selections and Experiments Experimental Results 1 Random (d, o, r, s, D) n m d reg sol. deg d reg sol. deg s.r.d. (8, 4, 3, 3, 2188) , 4, 4, 4, 4 4, 4, 4, 4, 4 4, 4, 4, 4, 4 4, 4, 4, 4, 4 4 (10, 5, 4, 3, 2188) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (12, 6, 5, 4, 2188) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (14, 7, 5, 5, 2188) , 5, 5, 5, 5 6, 6, 6, 6, 6 5, 5, 5, 5, 5 6, 6, 6, 6, 6 6 Table 2.A. Direct Attack, d = 2o, d + o 2(r + s), o = 4, 5, 6, 7 Random (d, o, r, s, D) n m d reg sol. deg d reg sol. deg s.r.d. (9, 3, 2, 2, 2188) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (12, 4, 2, 2, 2188) , 6, 6, 5, 5, 5, 6, 6, 6, 5 6, 5, 6, 6, 5 6, 6, 6, 6, 6 6 (15, 5, 3, 3, 2188) , 5, 5, 5, 5 6, 6, 6, 6, 6 5, 5, 5, 6, 5 6, 6, 6, 6, 6 6 (18, 6, 3, 3, 2188) , 5, 5, 5, 5 7, 7, 7, 7, 7 5, 5, 5, 5, 7 7, 7, 7, 7, 7 7 Table 2.B. Direct Attack, d = 3o, r + s o, o = 3, 4, 5, 6 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 30/34

38 Construction Security Analysis Parameter selections and Experiments Experimental Results 2 Random (d, o, r, s, D) n m d reg sol. deg d reg sol. deg s.r.d. (3, 3 2, 4 2, 2, 2188) , 3, 3, 3, 3 3, 3, 2, 3, 2 3, 3, 3, 3, 3 2, 3, 3, 2, 2 3 (7, 6 2, 7 2, 5, 2188) , 4, 4, 4, 4 4, 4, 4, 4, 4 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (10, 8 2, 11 2, 7, 2188) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (14, 11 2, 14 2, 10, 2188) Table 2.C. Direct Attack, d 3.4a, o (2.8a, 2.8a), r (3.56a, 3.56a), s 2.44a, a = 1, 2, 3, 4 Random (d, o, r, s, D) n m d reg sol. deg d reg sol. deg s.r.d. (5, 3 2, 2 2, 3, ) , 4, 4, 4, 4 4, 4, 4, 4, 4 4, 4, 4, 4, 4 4, 4, 4, 3, 4 4 (7, 5 2, 3 2, 5, ) , 4, 4, 4, 4 4, 4, 4, 4, 4 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (10, 6 2, 4 2, 6, ) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 6, 6, 6, 6, 6 6 (12, 8 2, 5 2, 8, ) , 5, 5, 5, 5 6, 6, 5, 6, 5 5, 5, 5, 5, 5 6, 6, 6, 6, 6 6 Table 2.D. Direct Attack, d 2.4a, o (1.6a, 1.6a), r (0.92a, 0.92a), s 1.6a, a = 2, 3, 4, 5 Here 3 2 = (3, 3). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 31/34

39 Construction Security Analysis Parameter selections and Experiments Experimental Results 3 80-bit 80-bit 128-bit 128-bit (A) (B) (C) (D) Key Generation s s s 3.43 s Encryption s s s s Decryption s s s s Secret Key Size 19.8KB 31.7KB KB 226.0KB Public Key Size 48.2KB 93.6KB KB 552.3KB 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 32/34

40 Construction Security Analysis Parameter selections and Experiments Future Improvements? How do we break this thing? 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 33/34

41 Construction Security Analysis Parameter selections and Experiments Coffee Break Coffee now. Questions later. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 34/34

Improved Cryptanalysis of HFEv- via Projection

Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection