New Directions in Multivariate Public Key Cryptography

Size: px

Start display at page:

Download "New Directions in Multivariate Public Key Cryptography"

Austin Atkinson
5 years ago
Views:

1 New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010.

2 1 Public Key Cryptography in a nutshell Existing Systems 2 Example: MFE Cryptosystem Searching for polynomial identities 3 A new polynomial Identity Our system Analysis Open questions

3 Public Key Cryptography Public Key Cryptography in a nutshell Existing Systems Diffie and Hellman (1976) proposed the concept of public key cryptosystems with which users can communicate without sharing any prior secret key.

4 Public Key Cryptography Public Key Cryptography in a nutshell Existing Systems Diffie and Hellman (1976) proposed the concept of public key cryptosystems with which users can communicate without sharing any prior secret key. One-way function: easy to evaluate, but hard to invert (on average). Trapdoor one-way function: easy to evaluate, but hard to invert without knowledge of some trapdoor.

5 Public Key Cryptography Public Key Cryptography in a nutshell Existing Systems Diffie and Hellman (1976) proposed the concept of public key cryptosystems with which users can communicate without sharing any prior secret key. One-way function: easy to evaluate, but hard to invert (on average). Trapdoor one-way function: easy to evaluate, but hard to invert without knowledge of some trapdoor. A public key cryptosystem consists of a family of trapdoor one-way functions.

6 Examples Public Key Cryptography in a nutshell Existing Systems Candidate one-way function: Polynomials are easy to evaluate but NP-hard to invert, however, its average complexity is not known.

7 Examples Public Key Cryptography in a nutshell Existing Systems Candidate one-way function: Polynomials are easy to evaluate but NP-hard to invert, however, its average complexity is not known. Univariate: Given α F q, and a sparse polynomial f (x) = t f i x d i i=1 F q [x] where q is large (say q = ), d i s are as big as q, and t is small (say t = 500). Then it is easy to compute f (α), but it is NP-complete to decide, for a given β F q and a sparse f F q [x], whether there exists α F q such that f (α) = β.

8 Examples Public Key Cryptography in a nutshell Existing Systems Candidate trapdoor one-way functions: RSA cryptosystem encryption: f (x) = x e (modn) where n is a product two primes and gcd(e, φ(n)) = 1. Trapdoor : the factorization of n, or an integer d such that ed 1(modφ(n)).

9 Examples Public Key Cryptography in a nutshell Existing Systems Candidate trapdoor one-way functions: RSA cryptosystem encryption: f (x) = x e (modn) where n is a product two primes and gcd(e, φ(n)) = 1. Trapdoor : the factorization of n, or an integer d such that ed 1(modφ(n)). Discrete log based cryptosystems: G is a cyclic group generated by α of order n. Pick a random integer k {1, 2,..., n 1} as a trapdoor and let β = α k be public. The encryption function is then f (x) = (x β r, α r ) where r {1, 2,..., n 1}is random for each x.

10 Public key cryptosystems Public Key Cryptography in a nutshell Existing Systems Practical cryptosystems: RSA cryptosystem based on integer factorization and cryptosystems based on discrete log in finite fields and elliptic curves.

11 Public key cryptosystems Public Key Cryptography in a nutshell Existing Systems Practical cryptosystems: RSA cryptosystem based on integer factorization and cryptosystems based on discrete log in finite fields and elliptic curves. Main Problem: Quantum computers, if built, can factor integers and solve discrete logs in polynomial time (Shor 1997).

12 Public key cryptosystems Public Key Cryptography in a nutshell Existing Systems Practical cryptosystems: RSA cryptosystem based on integer factorization and cryptosystems based on discrete log in finite fields and elliptic curves. Main Problem: Quantum computers, if built, can factor integers and solve discrete logs in polynomial time (Shor 1997). Possible alternatives: Lattice-based cryptography Code-based cryptography Hash-based cryptography Multivariate cryptography

13 Public Key Cryptography in a nutshell Existing Systems NP-complete problem: Given a system of quadratic polynomials F = (f 1,..., f m ) F q [X 1,..., X n ] m and a point y = (y 1,..., y m ) F m q, decide whether there exists a point x = (x 1,..., x n ) F n q such that F (x) = y. To build a multivariate cryptosystem, we hope to disguise a nice polynomial system as an arbitrary quadratic polynomial system.

14 MPKC: Structure Public Key Cryptography in a nutshell Existing Systems Let k = F q be a finite field with q elements. Public Key: F : k n k m given by F (x 1,..., x n ) = where f i k[x 1,..., x n ] are quadratic. f 1 (x 1,..., x n ). f m (x 1,..., x n ) T

15 MPKC: Encryption/Decryption Public Key Cryptography in a nutshell Existing Systems Encryption: Decryption: (x 1,..., x n ) F (y 1,..., y m ) (y 1,..., y m ) F 1 (x 1,..., x n )

16 MPKC: Public Key Construction Public Key Cryptography in a nutshell Existing Systems We build the trapdoor one-way function F as F = L 1 F L 2, where F is a multivariate map that can be easily inverted, and L 1, L 2 are invertible affine transformations, which are secret. Evaluation: Inversion: (x 1,..., x n ) F (y 1,..., y m ) (y 1,..., y m ) L 1 1 F 1 L 1 2 (x 1,..., x n )

17 MPKC: Security Public Key Cryptography in a nutshell Existing Systems Public Private F = L 1 F L 2 Security is dependent on the known difficulty of Solving quadratic multivariate systems over finite fields. Factoring multivariate maps.

18 MPKC: Efficiency Public Key Cryptography in a nutshell Existing Systems Encryption: polynomial evaluation Decryption: depends on the system public Key: coefficients of quadratic systems

19 Goal: Construct secure MPKC Public Key Cryptography in a nutshell Existing Systems Difficult problem: Invertibility, security, and efficiency are interrelated, and a good system must satisfy all three requirements at the same time. Some past success, but mostly with signature schemes.

20 Existing Cryptosystems Public Key Cryptography in a nutshell Existing Systems Matsumoto-Imai (1988): generalizes of RSA using monomials Hidden Field Equations (Patarin 1996) Oil-Vinegar (Patarin 1997) Triangular (Fell and Diffie 1985, Shamir 1993, Moh 1999, Yang and Chen 2004) Other systems: Rainbow (Ding and Schmidt 2005), MFE (Wang et al. 2006), l-ic (Ding et al. 2007) Jintai Ding, Jason Gower, and Deiter Schmidt, Multivariate Public Key Cryptosystems, Springer (2006).

21 Triangular Systems Public Key Cryptography in a nutshell Existing Systems Central map: F (x 1,..., x n ) = x 1 x 2 + g 2 (x 1 ). x n 1 + g n 1 (x 1, x 2,..., x n 2 ) x n + g n (x 1, x 2,..., x n 2, x n 1 ) T

22 Triangular Systems Public Key Cryptography in a nutshell Existing Systems Central map: F (x 1,..., x n ) = x 1 x 2 + g 2 (x 1 ). x n 1 + g n 1 (x 1, x 2,..., x n 2 ) x n + g n (x 1, x 2,..., x n 2, x n 1 ) Inversion: iteratively solve for each component. T

23 Triangular Systems Public Key Cryptography in a nutshell Existing Systems Central map: F (x 1,..., x n ) = x 1 x 2 + g 2 (x 1 ). x n 1 + g n 1 (x 1, x 2,..., x n 2 ) x n + g n (x 1, x 2,..., x n 2, x n 1 ) Inversion: iteratively solve for each component. Weakness: triangular structure (first polynomial is linear, next few are too simple). T

24 Oil-Vinegar Systems (Patarin 1997) Public Key Cryptography in a nutshell Existing Systems Consider two sets of variables {ˇx 1,..., ˇx v } and {x 1,..., x o }. An oil-vinegar polynomial has the form aij ˇx i ˇx j + b ij ˇx i x j + c i ˇx i + d i x i + e.

25 Oil-Vinegar Systems (Patarin 1997) Public Key Cryptography in a nutshell Existing Systems Consider two sets of variables {ˇx 1,..., ˇx v } and {x 1,..., x o }. An oil-vinegar polynomial has the form aij ˇx i ˇx j + b ij ˇx i x j + c i ˇx i + d i x i + e. Given a system of o oil-vinegar polynomials, F = (f 1,..., f o ), if we substitute field values for ˇx 1,..., ˇx v, the result is an o o linear system, which is linear in the oil variables x 1,..., x o.

26 Oil-Vinegar Systems (Patarin 1997) Public Key Cryptography in a nutshell Existing Systems Consider two sets of variables {ˇx 1,..., ˇx v } and {x 1,..., x o }. An oil-vinegar polynomial has the form aij ˇx i ˇx j + b ij ˇx i x j + c i ˇx i + d i x i + e. Given a system of o oil-vinegar polynomials, F = (f 1,..., f o ), if we substitute field values for ˇx 1,..., ˇx v, the result is an o o linear system, which is linear in the oil variables x 1,..., x o. Signature generation: Given a document (y 1,..., y o ), choose (ˇx 1,..., ˇx v ) k v at random, and solve the resulting linear system for x 1,..., x o. The signature is then (ˇx 1,..., ˇx v, x 1,..., x o ).

27 Example: MFE Cryptosystem Searching for polynomial identities We propose a new framework for constructing central maps that combines ideas from Triangular and Oil-Vinegar Systems.

28 Example: MFE Cryptosystem Searching for polynomial identities We propose a new framework for constructing central maps that combines ideas from Triangular and Oil-Vinegar Systems. Benefits: Combine Triangular and Oil-Vinegar systems to build encryption schemes.

29 Example: MFE Cryptosystem Searching for polynomial identities We propose a new framework for constructing central maps that combines ideas from Triangular and Oil-Vinegar Systems. Benefits: Combine Triangular and Oil-Vinegar systems to build encryption schemes. Achieve invertibility more generally, then address the issues of security and efficiency.

30 Example: MFE Cryptosystem Searching for polynomial identities We propose a new framework for constructing central maps that combines ideas from Triangular and Oil-Vinegar Systems. Benefits: Combine Triangular and Oil-Vinegar systems to build encryption schemes. Achieve invertibility more generally, then address the issues of security and efficiency. Introduce flexibility in construction.

31 x 1,..., x n y 11,..., y 1n x 1 x 2 + g 2 (x 1 ). x n 1 + g n 1 (x 1, x 2,..., x n 2 ) x n + g n (x 1, x 2,..., x n 2, x n 1 ) first oil-vinegar system vinegar variables: x 1,..., x n oil variables: y 11,..., y 1n lock polynomials from oil-vinegar systems hide triangular structure. y l 1,1,..., y l 1,n l-th oil-vinegar system vinegar variables: x 1,..., x n,..., y l 1,1,..., y l 1,n oil variables: y l1,..., y ln

32 Example: MFE Cryptosystem Searching for polynomial identities Example: MFE Cryptosystem (Wang et al. 2006) It is based on the following identity. Let ( ) ( X1 X A(X ) = det 3 Y1 Y, A(Y ) = det 3 X 4 X 2 Y 4 Y 2 ), and ( X1 X 3 X 4 X 2 ) ( Y1 Y 3 Y 4 Y 2 ) ( f1 f = 3 f 4 f 2 Taking determinants on both sides gives the identity A(X )B(Y ) = f 1 f 2 f 3 f 4. ).

33 Example: MFE Cryptosystem (Wang et al. 2006) Input: (X 1, X 2, X 3, Y 1, Y 2, Y 3, Z 1, Z 2, Z 3 ) k 9 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) h 1 h 2 s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) h 3 h 4 Output: A vector in k 15

34 Example: MFE Cryptosystem (Wang et al. 2006) Input: (X 1, X 2, X 3, Y 1, Y 2, Y 3, Z 1, Z 2, Z 3 ) k 9 X 1, X 2, X 3 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) h 1 h 2 s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) h 3 h 4 Output: A vector in k 15

35 Example: MFE Cryptosystem (Wang et al. 2006) Input: (X 1, X 2, X 3, Y 1, Y 2, Y 3, Z 1, Z 2, Z 3 ) k 9 X 1, X 2, X 3 Y 1, Y 2, Y 3 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) h 1 h 2 s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) h 3 h 4 Output: A vector in k 15

36 Example: MFE Cryptosystem (Wang et al. 2006) X 1 + A(X ) X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) A(X ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z)

37 Example: MFE Cryptosystem (Wang et al. 2006) X 1 + A(X ) X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) A(Y )

38 Example: MFE Cryptosystem (Wang et al. 2006) X 1 + A(X ) X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) A(Z)

39 Example: MFE Cryptosystem (Wang et al. 2006) Input: (X 1, X 2, X 3, Y 1, Y 2, Y 3, Z 1, Z 2, Z 3 ) k 9 X 1 + A(X ) X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) h 1 h 2 s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) h 3 h 4 Output: A vector in k 15

40 Decryption Example: MFE Cryptosystem Searching for polynomial identities Decryption involves two steps: 1 Restoring the triangular structure and solving for the initial vinegar variables x 1,..., x n. 2 Iteratively solving the oil-vinegar systems for the remaining oil variables.

41 Decryption: Step 1 - Restore triangular structure X 1 + A(X ) X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) ( ) 1/2 (f1 f 2 +f 3 f 4 )(h 1 h 2 +h 3 h 4 ) g 1 g 2 +g 3 g 4

42 Decryption: Step 1 - Restore triangular structure X 1 X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) ( ) 1/2 (f1 f 2 +f 3 f 4 )(h 1 h 2 +h 3 h 4 ) g 1 g 2 +g 3 g 4

43 Decryption: Step 1 - Restore triangular structure X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) ( ) f 1 f (f1 2 +f f 23 +f f 4 1/2 3 f 4 )(h 1 h 2 +h 3 h 4 ) A(X ) g 1 g 2 +g 3 g 4

44 Decryption: Step 1 - Restore triangular structure X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) ( ) 1/2 (f1 f 2 +f 3 f 4 )(h 1 h 2 +h 3 h 4 ) g 1 g 2 +g 3 g 4 g 1 g 2 +g 3 g 4 A(Y )

45 Decryption: Step 2 - Solve oil-vinegar systems X 1, X 2, X 3 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z)

46 Decryption: Step 2 - Solve oil-vinegar systems X 1, X 2, X 3 Y 1, Y 2, Y 3 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z)

47 Constructing Polynomial Identities Example: MFE Cryptosystem Searching for polynomial identities Goal: construct identities of the form A(X )B(Y ) = f 1 f f m 1 f m over the polynomial ring k[x 1,..., X n, Y 1,..., Y n ]. Toolbox: 1 Parameterization 2 Gröbner Basis methods 3 Plücker coordinates 4 Matrix Determinants 5 Grassmann coordinates 6 Graph theory

48 A new polynomial Identity Our system Analysis Open questions Polynomial identity in k[x 1,..., X 8, Y 1,..., Y 8 ] A(X )B(Y ) = f 1 f 2 + f 3 f 4 + f 5 f 6 + f 7 f 8 + f 9 f 10, where A(X ) = X 1 X 2 + X 3 X 4 + X 5 X 6 + X 7 X 8 B(Y ) = Y 1 Y 2 + Y 3 Y 4 + Y 5 Y 6 + Y 7 Y 8 f 1 = X 4 Y 1 + X 8 Y 4 + (X 1 + X 4 )Y 5 + X 5 Y 8 f 2 = (X 2 + X 3 )Y 2 + X 7 Y 3 + X 2 Y 6 + X 6 Y 7 f 3 = X 8 Y 2 + X 4 Y 3 + X 5 Y 6 + (X 1 + X 4 )Y 7 f 4 = X 7 Y 1 + (X 2 + X 3 )Y 4 + X 6 Y 5 + X 2 Y 8 f 5 = X 2 Y 1 + X 6 Y 4 + (X 2 + X 3 )Y 5 + X 7 Y 8 f 6 = (X 1 + X 4 )Y 2 + X 5 Y 3 + X 4 Y 6 + X 8 Y 7 f 7 = X 6 Y 2 + X 2 Y 3 + X 7 Y 6 + (X 2 + X 3 )Y 7 f 8 = X 5 Y 1 + (X 1 + X 4 )Y 4 + X 8 Y 5 + X 4 Y 8 f 9 = Y 1 Y 7 + Y 2 Y 8 + Y 3 Y 5 + Y 4 Y 6 f 10 = X 1 X 7 + X 2 (X 5 + X 8 ) + X 3 X 5 + X 4 (X 6 + X 7 ).

49 Polynomial Identity A new polynomial Identity Our system Analysis Open questions We introduce the following notation: pxy ij = x i x j = x iy j x j y i, 1 i < j 4. y i y j Define Then xyzw = x 1 y 1 z 1 w 1 x 2 y 2 z 2 w 2 x 3 y 3 z 3 w 3 x 4 y 4 z 4 w 4. xyzw = p 12 xy p 34 zw p 13 xy p 24 zw + p 14 xy p 23 zw + p 23 xy p 14 zw p 24 xy p 13 zw + p 34 xy p 12 zw.

50 Polynomial Identity A new polynomial Identity Our system Analysis Open questions 0 = xyxw + xyxz + xyyw + xyyz + (1) zwxw + zwxz + zwyw + zwyz (2)

51 Polynomial Identity A new polynomial Identity Our system Analysis Open questions 0 = xyxw + xyxz + xyyw + xyyz + (1) zwxw + zwxz + zwyw + zwyz (2) Defining p ij = p ij xw + p ij xz + p ij yw + p ij yz, 1 i < j 4, (3) the four determinants of (1) can be regrouped as p 12 xy p 34 + p 13 xy p 24 + p 14 xy p 23 + p 23 xy p 14 + p 24 xy p 13 + p 34 xy p 12.

52 Polynomial Identity A new polynomial Identity Our system Analysis Open questions After performing a similar grouping for (2), we get the the identity 0 = (p 12 xy + p 12 zw )p 34 + (p 13 xy + p 13 zw )p 24 + (p 14 xy + p 14 zw )p 23 + (p 23 xy + p 23 zw )p 14 + (p 24 xy + p 24 zw )p 13 + (p 34 xy + p 34 zw )p 12. (4)

53 Polynomial Identity A new polynomial Identity Our system Analysis Open questions After performing a similar grouping for (2), we get the the identity 0 = (p 12 xy + p 12 zw )p 34 + (p 13 xy + p 13 zw )p 24 + (p 14 xy + p 14 zw )p 23 + (p 23 xy + p 23 zw )p 14 + (p 24 xy + p 24 zw )p 13 + (p 34 xy + p 34 zw )p 12. (4) After a slight modification and a change of variables, (4) becomes 0 = A(X )A(Y ) + f 1 f 2 + f 3 f 4 + f 5 f 6 + f 7 f 8 + f 9 f 10.

54 Our system A new polynomial Identity Our system Analysis Open questions A triangular system with 7 polynomials A chain of 7 oil-vinegar systems, each based on f 1, f 2, f 3, f 4, f 5, f 6, f 7, f 8 with f 9 and f 1 0 attached. Lock polynomials based on A(X ) and B(Y ).

55 Chain of Oil-Vinegar Systems A new polynomial Identity Our system Analysis Open questions The central map has input length 56: (X 1,..., X 24, Y 1,..., Y 32 ), and output length 74. Y 1,..., Y X 9,..., X 16 X 1,..., X 8 2 Y 9,..., Y 16 5 Y 17,..., Y 24 6 X 17,..., X 24 7 Y 25,..., Y 32

56 Security Analysis A new polynomial Identity Our system Analysis Open questions Gröbner basis attacks: F 4 (Faugére 1999), F 5 (Faugére 2002, Barget et al 2005), XL algorithm (Courtois et al 2000), G 2 V (Gao, Guan and Volny 2010).

57 Security Analysis A new polynomial Identity Our system Analysis Open questions Gröbner basis attacks: F 4 (Faugére 1999), F 5 (Faugére 2002, Barget et al 2005), XL algorithm (Courtois et al 2000), G 2 V (Gao, Guan and Volny 2010). The total number of operations in k is about (( ) n + ω ) dreg O, n where ω is the exponent in Gaussian reduction and d reg is the degree of regularity of the ideal formed by the polynomials in the system.

58 Security Analysis A new polynomial Identity Our system Analysis Open questions Attacks based on linear algebra: Minrank attack (Kipnis and Shamir 1999, Goubin and Courtois 2000). Each quadratic form is associated with a symmetric matrix and the rank of a matrix does not change under linear transforms. This attack explores the fact that some polynomials in the central map may have low rank. The complexity of this attack to our system is q d = q 16d.

59 Security Analysis A new polynomial Identity Our system Analysis Open questions Attacks based on linear algebra: Minrank attack (Kipnis and Shamir 1999, Goubin and Courtois 2000). Each quadratic form is associated with a symmetric matrix and the rank of a matrix does not change under linear transforms. This attack explores the fact that some polynomials in the central map may have low rank. The complexity of this attack to our system is q d = q 16d. Dual rank attack (Yang and Chen 2004). While minrank succeeds when an equation has too few variables, the dual rank attack is effective when a variable appears in too few equations. The complexity of the attack is (56d) 3 q 6d.

60 Security Analysis A new polynomial Identity Our system Analysis Open questions Attacks based on linear algebra: Separation of oil and vinegar variables attack (Kipnis and Shamir 1998, Kipnis, Patarin and Goubin 1999). The goal of this attack is to find the transformed oil space, so separate the oil and vinegar variables. The complexity is 20 4 q 15d.

61 Security Analysis A new polynomial Identity Our system Analysis Open questions Attacks based on linear algebra: Separation of oil and vinegar variables attack (Kipnis and Shamir 1998, Kipnis, Patarin and Goubin 1999). The goal of this attack is to find the transformed oil space, so separate the oil and vinegar variables. The complexity is 20 4 q 15d. Linearization equations attack. (Patarin 1996, Ding et al 2007). Computations using Magma verify that there are no first order linearization equations. Ding et al broke MFE using second order linearization equations which comes from the associativity of determinant. Our system avoids determinants, so their method does not apply. But there still might be some other second order linearization equations!

62 Security Analysis A new polynomial Identity Our system Analysis Open questions Claimed Input Output Complexity Key Size [kbytes] Security [bits] [bits] F 5 Rank/UOV Public Private

63 Efficiency A new polynomial Identity Our system Analysis Open questions System Input Output Decryption Encryption [bits] [bits] Central Map Total MFE ms 2ms 2.7ms Our System ms 1.4ms 2.3ms

64 Open Questions A new polynomial Identity Our system Analysis Open questions Find nontrivial solutions to the following equation: AB = CD + EF where A, B, C, D, E, F F 2 [x 1,..., x n, y 1,..., y n ] have degree two. MFE is based on solution with n = 4. Need solutions for 5 n 16.

65 Open Questions A new polynomial Identity Our system Analysis Open questions Find nontrivial solutions to the following equation: AB = CD + EF where A, B, C, D, E, F F 2 [x 1,..., x n, y 1,..., y n ] have degree two. MFE is based on solution with n = 4. Need solutions for 5 n 16. Can we characterize all quadratic solutions to the equations A(X )A(Y ) = CD + EF and A(X )A(Y ) = f 1 f 2 + f 3 f 4 + f 5 f 6 + f 7 f 8 + f 9 f 10?

66 Open Questions A new polynomial Identity Our system Analysis Open questions Using the tools from algebraic geometry and combinatorics, what other polynomial identities may be constructed to implement cryptosystems in the proposed framework?

67 Open Questions A new polynomial Identity Our system Analysis Open questions Using the tools from algebraic geometry and combinatorics, what other polynomial identities may be constructed to implement cryptosystems in the proposed framework? How to efficiently solve given systems of quadratic equations? G, Yinhua Guan, Frank Volny IV and Mingsheng Wang, A new algorithm for computing Grobner bases, which is both simpler and faster than F5.

68 Open Questions A new polynomial Identity Our system Analysis Open questions Using the tools from algebraic geometry and combinatorics, what other polynomial identities may be constructed to implement cryptosystems in the proposed framework? How to efficiently solve given systems of quadratic equations? G, Yinhua Guan, Frank Volny IV and Mingsheng Wang, A new algorithm for computing Grobner bases, which is both simpler and faster than F5. Thank you!

On the Complexity of the Hybrid Approach on HFEv-

On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature