Improved Cryptanalysis of HFEv- via Projection

Transcription

1 Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

2 Outline 1 Multivariate Cryptography 2 The HFEv- Signature Scheme 3 Notations and Previous Work 4 Our three new Attacks against HFEv- 5 Conclusion A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

3 Multivariate Cryptography p (1) (x 1,..., x n ) = p (2) (x 1,..., x n ) = p (m) (x 1,..., x n ) = n n i=1 j=i n n i=1 j=i n n i=1 j=i p (1) ij x i x j + p (2) ij x i x j + p (m) ij x i x j +. n i=1 n i=1 n i=1 p (1) i x i + p (1) 0 p (2) i x i + p (2) 0 p (m) i x i + p (m) 0 The security of multivariate schemes is based on the Problem MQ: Given m multivariate quadratic polynomials p (1) (x),..., p (m) (x), find a vector x = ( x 1,..., x n ) such that p (1) ( x) =... = p (m) ( x) = 0. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

4 Construction Decryption / Signature Generation w F m T x F m F y F n U z F n P Encryption / Signature Verification Easily invertible quadratic map F : F n F m Two invertible linear maps T : F m F m and U : F n F n Public key: P = T F U supposed to look like a random system Private key: T, F, U allows to invert the public key A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

5 Big Field Signature Schemes w F n T 1 x F n F 1 y F n U 1 z F n Signature Generation X E F 1 Y E Φ Φ 1 P Signature Verification A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

6 HFEv - Key Generation BigField + Minus Equations + Vinegar Variation central map F : F v E E, F(X) = q i +q j D 0 i j q i D α ij X qi +q j + F = Φ 1 F Φ quadratic i=0 β i (v 1,..., v v ) X qi + γ(v 1,..., v v ) linear maps T : F n F n a and U : F n+v F n+v of maximal rank public key: P = T F U : F n+v F n a private key: T, F, U A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

7 Signature Generation Given: message (hash value) w F n a 1 Compute x = T 1 (w) F n and X = Φ(x) E 2 Choose random values for the vinegar variables v 1,..., v v Solve F v1,...,v v (Y ) = X over E via Berlekamps algorithm 3 Compute y = Φ 1 (Y ) F n and z = U 1 (y v 1... v v ) Signature: z F n+v. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

8 Signature Verification Given: signature z F n+v, message (hash value) w F n a Compute w = P(z) F n a Accept the signature z w = w. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

9 Direct Attack ( ) 2 ( ) n a n a Complexity direct = 3 2 d reg Experiments: HFEv- systems can be solved faster than random systems Reason: low degree of regularity d reg { (q 1) (r+a+v 1) q even and r + a odd, (q 1) (r+a+v) otherwise. with r = log q (D 1) + 1. Experiments: d reg r+a+v+7 3 for HFEv- systems over GF(2)., A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

10 Q-Rank Definition Let E be a degree n extension of the field F q. The Q-rank of a quadratic map F(x) on F n q is the rank of the quadratic form φ F φ 1 in E[X 0,..., X n 1 ] via the identification X i = X qi. F: n quadratic polynomials f (1),... f (n) in F q [x o,..., x n 1 ] Interpolation F : n 1 n 1 i=0 j=i α ji X qi X qj in E[X] X i =X qi ˆF : n 1 n 1 i=0 j=i α ij X i X j in E[X 0,..., X n 1 ] ˆF : (X 0,..., X n 1 ) M (X 0,... X n 1 ) T Q-rank(F) = Rank(M) Q-Rank is invariant under invertible affine transformations F F T, but not under isomorphisms F S F T A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

11 Q-Rank (2) Definition Let E be a degree d < n extension field of F q. The min-q-rank of a quadratic map F : F n q F m q over E is min-q-rank(f) = min S max {Q-rank (S F T )}, T where S : F d q F m q and T : F n q F d q are nonzero linear transformations. The min-q-rank of a multivariate quadratic system is invariant under isomorphisms of polynomials. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

12 The KS-attack on HFE Idea: Use the low min-q-rank of the central map F to recover an equivalent private key Lift public map P to the extension field E (polynomial interpolation) Solve a MinRank Problem to find linear map N with N P of low rank Later Improvement (Minors Modelling): N can be found by computing a Gröbner basis over F (and computing the variety over E) (( ) ω ) n + r + 1 Complexity MinRank = O r with 2 < ω 3. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

13 The algebra A E: degree n extension field of F, θ: primitive element of E φ : F n E, φ(x 0,..., x n 1 ) = n 1 i=0 x iα i isomorphism Φ : E A, Φ(a) = (a, a q,..., a qn 1 ) A E n We can pass between elements (x 0,..., x n 1 ) F n and (X, X q,..., X qn 1 ) A by right multiplication with M n and M 1 n, where θ θ q... θ qn 1 M n = θ 2 θ 2q... θ 2qn 1.. θ n 1 θ (n 1)q... θ (n 1)qn 1 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

14 The algebra A (cont.) To cover the vinegar variables v 1,..., v v, we define ( ) Mn 0 M n = n v 0 v n I v lifting a vector (x 0,..., x n 1, v 1,..., v v ) F n to an element of A F v. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

15 MinRank then Projection We find (P 1,..., P n )T 1 M n = (U M n F 0 M n T U T,..., U M n F (n 1) M n T U T ), where U, T and P i are the matrix representations of the affine transformations U and T and the public polynomials P i, and F i is the i-th Frobenius power of F over A F v. We find that F 0 has the form Rank(F 0 ) = r + a + v A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

16 MinRank then Projection (2) 1 Apply a MinRank attack on the matrices P i (with target rank r + a + v) equivalent output transformation T matrix L representing the low Q-rank quadratic form L = U MnF 0 M n T U T. 2 Find the vinegar subspace of L. project L to the orthogonal complement of a codimension 1 subspace of ker(l). Denote the result by ˆL. Apply a further codimension one projection π to ˆL. If there is a nontrivial intersection between ker(π) and the vinegar subspace, the rank of ˆL will drop. ( ) 2 ( ) Comp MP = O n + r + v n a + (r + a + v + 1) 3 q r+a+1. r + a + v 2 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

17 Project then MinRank 1 Apply a projection π, projecting the plaintext space to a codimension k subspace 2 Apply the MinRank attack If there is a nontrivial intersection between ker(π) and the vinegar subspace, we can find a quadratic form of degree less then r + a + v. ( ) 2 ( ) Comp PM = O q c(r+a+ n a) ( c+1 2 ) n + r + v c n a. r + a + v c 2 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

18 The Distinguisher Observation 1: Two HFEv- public keys P 1 and P 2 with same values for n, D and a but different values v 1 and v 2 Fix variables to get determined systems and solve the systems with F 4 The step degrees of the F 4 algorithm will be different This also holds when guessing (not too many) additional variables (hybrid approach) A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

19 The Distinguisher (2) Observation 2: HFEv-(n, D, a, v) public key P Define V = span(t n+1,..., T n+v ) Append l V to the system P and apply F 4 The so obtained system P behaves exactly like an public key. HFEv (n 1, D, a, v 1) A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

20 The Distinguisher (3) Consider an HFEv-(n, D, a, v) public key P Add the field equations {xi 2 x i = 0} to P Add randomly chosen linear equations l 1,..., l k to P Solve the system with F 4 By looking at the F 4 step degrees, we can distinguish the two cases 1) span(l 1,..., l k ) V = and 2) span(l 1,..., l k ) V. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

21 The Attack Having found l 1,..., l k such that span(l 1,..., l k ) V = { l}, we can recover the private HFEv- key as follows 1 Recover the exact form of l = k i=1 λ i l i Remove l1 from the system. If the distinguisher still works, the coefficient λ 1 is zero. Otherwise, λ 1 = 1. Continue this step to find all the coefficients λ i 2 Add l to the HFEv- system and run the distinguisher again to find another linear equation ˆl V. After having recovered v of these linear equations the system will behave like an HFE- system. 3 Apply any attack against HFE- (e.g [VS, PQCrypto2017]) to complete the attack. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

22 Complexity of the Distinguisher Complexity of the Distinguisher (finding l V) depends on number of distinguisher runs Pr(l V) = 2 n Pr(span(l 1,..., l k ) V ) = 1 (1 2 n ) 2 k cost of a single run (= 1 run of F 4 ) ( ) 2 ( ) Comp F4 = O n + v k n + v k 2 d reg 2 k n A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

23 Complexity of the Distinguisher Comp Distinguisher; classical = O 2 n k Comp Distinguisher; quantum = O 2 (n k)/2 ( ) 2 ( ) n + v k n + v k 2 d reg ( ) 2 ( ) n + v k n + v k. 2 The cost of the remaining steps (finding the exact form of l and removing the other Vinegar variables from the system, breaking the remaining HFEsystem) is much smaller. d reg A strategy to estimate k and d reg for concrete HFEv- systems can be found in our paper. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

24 Conclusion We presented three new attacks against HFEv- using the idea of projection MinRank then Projection Projection then MinRank Distinguishing based attack Better performance than existing attacks against some HFEv- systems (see example in the paper) Less memory consumption than all known attacks (for all parameter sets) New insights in the security of HFEv- Restrictions for the parameter choice of HFEv- based schemes A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25

25 The End Thank you for your attention Questions? A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25