A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

Size: px

Start display at page:

Download "A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems"

Chloe Gilmore
5 years ago
Views:

1 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA

2 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG MQQ-ENC [Gligoroski, Ødegård, Jensen, Perret, Faugère, Knapskog & Markovski '11] [Gligoroski & Samardjiska '12]

3 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG 80 bits security in less than 15 days MQQ-ENC 128 bits security in 9 days

4 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG 80 bits security in less than 15 days MQQ-ENC 128 bits security in 9 days Poly-time complexity O(n 10 )

5 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG 80 bits security in less than 15 days MQQ-ENC 128 bits security in 9 days Poly-time complexity O(n 10 ) The attack - Recovery of equivalent key MinRank + Good keys

6 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG 80 bits security in less than 15 days MQQ-ENC 128 bits security in 9 days Poly-time complexity O(n 10 ) The attack - Recovery of equivalent key MinRank + Good keys Solved problems of MinRank attacks over even characteristic Simultaneous MinRank Proven complexity bounds independent of the eld size

7 3 Multivariate (MQ) public key scheme: F n q F m q input x x = (x 1,, x n ) private: S private: F x public : P = T F S y private: T output y

8 3 Multivariate (MQ) public key scheme: F n q F m q input x x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y

9 3 Multivariate (MQ) public key scheme: F n q F m q input x x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y Public P p 1 (x 1,, x n ) p 2 (x 1,, x n ) p m (x 1,, x n )

10 3 Multivariate (MQ) public key scheme: F n q F m q input x Public P Matrix form: x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y p 1 (x 1,, x n ) x P 1 x p 2 (x 1,, x n ) x P 2 x p m (x 1,, x n ) x P m x

11 3 Multivariate (MQ) public key scheme: F n q F m q input x Public P Matrix form: x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y p 1 (x 1,, x n ) p 2 (x 1,, x n ) p m (x 1,, x n ) x P 1 x x P 2 x x P m x Matrices representing the quadratic part of the polynomials

12 3 Multivariate (MQ) public key scheme: F n q F m q input x x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y Inverting P should be hard Underlying NP-complete problem PoSSo: Input: p 1, p 2,, p m F q [x 1,, x n ] Question: Find - if any - (u 1,, u n ) F n q st p 1 (u 1,, u n ) = 0 p 2 (u 1,, u n ) = 0 p m (u 1,, u n ) = 0

13 4 Research in MQ cryptography? Post - Quantum security

14 5 Research in MQ cryptography? MQ schemes are naturally parallelizable!

15 5 Research in MQ cryptography? MQ schemes are naturally parallelizable! up to 1000s times faster than classical amd64; HW+AES (306c3); 2013 Intel Xeon E V3; 4 x 3500MHz; titan0, supercop Cycles to sign 59 bytes ,60548 mqqsig224 11,86264 mqqsig256 11, rainbowbinary , tts

16 5 Research in MQ cryptography? MQ schemes are naturally parallelizable! up to 1000s times faster than classical amd64; HW+AES (306c3); 2013 Intel Xeon E V3; 4 x 3500MHz; titan0, supercop Cycles to sign 59 bytes ,60548 mqqsig224 11,86264 mqqsig256 11, rainbowbinary , tts MQQ-SIG fastest!!! Secure until now! 0

17 6 The MQQ family of cryptosystems MQQ (Multivariate Quadratic Quasigroups) [GMK08] Encryption scheme Direct algebraic attack [Mohamed et al'09, Faugère et al'10] MQQ-SIG [GØJPFKM11] n/2 equations removed - measure against the attack Recommended parameters: Security n MQQ-ENC [GS12] only r equations removed Left MQQs - less structure Recommended parameters for security level of : eld F 2 F 4 F 16 F 256 n r

18 6 The MQQ family of cryptosystems MQQ (Multivariate Quadratic Quasigroups) [GMK08] Encryption scheme Direct algebraic attack [Mohamed et al'09, Faugère et al'10] MQQ-SIG [GØJPFKM11] n/2 equations removed - measure against the attack Recommended parameters: Security n MQQ-ENC [GS12] only r equations removed Left MQQs - less structure Recommended parameters for security level of : eld F 2 F 4 F 16 F 256 n r

19 6 The MQQ family of cryptosystems MQQ (Multivariate Quadratic Quasigroups) [GMK08] Encryption scheme Direct algebraic attack [Mohamed et al'09, Faugère et al'10] MQQ-SIG [GØJPFKM11] n/2 equations removed - measure against the attack Recommended parameters: Security n MQQ-ENC [GS12] only r equations removed Left MQQs - less structure Recommended parameters for security level of : eld F 2 F 4 F 16 F 256 n r

20 7 Crucial for the security of MQ schemes MinRank MR(n, r, k, M 1,, M k ) Input: n, r, k N, and M 1,, M k M n (F q ) Question: Find if any a nonzero k-tuple (λ 1,, λ k ) F k q st: ( k ) Rank λ i M i r i=1 [Kipnis, Shamir '99], [Buss, Shallit '99] NP-hard!!! [Courtois '01], however, Instances in MQ crypto can be much easier, even polynomial! Underlays the security of HFE, STS, Rainbow, and more In this talk: Use MinRank to recover equivalent key of MQQ system

21 7 Crucial for the security of MQ schemes MinRank MR(n, r, k, M 1,, M k ) Input: n, r, k N, and M 1,, M k M n (F q ) Question: Find if any a nonzero k-tuple (λ 1,, λ k ) F k q st: ( k ) Rank λ i M i r i=1 [Kipnis, Shamir '99], [Buss, Shallit '99] NP-hard!!! [Courtois '01], however, Instances in MQ crypto can be much easier, even polynomial! Underlays the security of HFE, STS, Rainbow, and more In this talk: Use MinRank to recover equivalent key of MQQ system

22 7 Crucial for the security of MQ schemes MinRank MR(n, r, k, M 1,, M k ) Input: n, r, k N, and M 1,, M k M n (F q ) Question: Find if any a nonzero k-tuple (λ 1,, λ k ) F k q st: ( k ) Rank λ i M i r i=1 [Kipnis, Shamir '99], [Buss, Shallit '99] NP-hard!!! [Courtois '01], however, Instances in MQ crypto can be much easier, even polynomial! Underlays the security of HFE, STS, Rainbow, and more In this talk: Use MinRank to recover equivalent key of MQQ system

23 8 Solving MinRank - Minors modeling ( k ) ( k ) Rank λ i M i r all minors of size r + 1 of λ i M i vanish i=1 i=1 ( ) 2 n equations of degree r + 1, in k variables r + 1

24 8 Solving MinRank - Minors modeling ( k ) ( k ) Rank λ i M i r all minors of size r + 1 of λ i M i vanish i=1 i=1 ( ) 2 n equations of degree r + 1, in k variables r + 1 [Faugère & Levy-dit-Vehel & Perret '08], Cryptanalysis of MinRank authentication scheme [Courtois '01] [Faugère & Safey El Din & Spaenlehauer '13] Precise complexity bounds

25 9 Solving MinRank - Kipnis-Shamir modeling ( k ) ( k ) Rank λ i M i r x (1),, x (n r) Ker λ i M i i=1 1 x 1 1 x (1) r ( k ) λ i M i = 0 n n 1 x (n r) 1 x (n r) i=1 r n (n r) quadratic (bilinear) equations in r (n r) + k variables i=1

26 9 Solving MinRank - Kipnis-Shamir modeling ( k ) ( k ) Rank λ i M i r x (1),, x (n r) Ker λ i M i i=1 1 x 1 1 x (1) r ( k ) λ i M i = 0 n n 1 x (n r) 1 x (n r) i=1 r n (n r) quadratic (bilinear) equations in r (n r) + k variables Relinearization [Kipnis & Shamir '99] i=1

27 9 Solving MinRank - Kipnis-Shamir modeling ( k ) ( k ) Rank λ i M i r x (1),, x (n r) Ker λ i M i i=1 1 x 1 1 x (1) r ( k ) λ i M i = 0 n n 1 x (n r) 1 x (n r) i=1 r n (n r) quadratic (bilinear) equations in r (n r) + k variables Gröbner bases [Faugère & Levy-dit-Vehel & Perret '08] ( (n+dreg ) ω ) Complexity of F5 algorithm: O d reg [Faugère '02] with 2 ω 3 - the linear algebra constant i=1

28 9 Solving MinRank - Kipnis-Shamir modeling ( k ) ( k ) Rank λ i M i r x (1),, x (n r) Ker λ i M i i=1 1 x 1 1 x (1) r ( k ) λ i M i = 0 n n 1 x (n r) 1 x (n r) i=1 r n (n r) quadratic (bilinear) equations in r (n r) + k variables Gröbner bases [Faugère & Levy-dit-Vehel & Perret '08] ( (n+dreg ) ω ) Complexity of F5 algorithm: O d reg [Faugère '02] with 2 ω 3 - the linear algebra constant d reg min(n X, n Y ) + 2, for bilinear system in X, Y blocks of variables of sizes n X, n Y i=1

29 10 The central map of the MQQ cryptosystems f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d Matrix notation of F f n

30 10 Crucial observation about the algebraic structure f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d Matrix notation of F f n

31 10 Crucial observation about the algebraic structure f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 fd d d f 2d f 3d P = T F S Matrix notation of F f n

32 10 Crucial observation about the algebraic structure f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 fd d d f 2d f 3d P = T F S Matrix notation of F f n

33 10 Crucial observation about the algebraic structure f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 fd d d f 2d f 3d d df n s P = T F S P = (T B 1 ) F (B 2 S) Matrix notation of F

34 11 = We obtain an equivalent central map f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d Matrix notation of F f n

35 12 Initially, note f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n

36 12 Initially, note f 1 f d+1 f 2d+1 f n d+1 x n does not occur quadratically! f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n

37 12 Initially, note f 1 f d+1 f 2d+1 f n d+1 x n does not occur quadratically! f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n n 1 1 n 1 1 Recover structure Transform S n = input space

38 12 Initially, note f 1 f d+1 f 2d+1 f n d+1 x n does not occur quadratically! f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n n 1 1 n 1 1 Recover structure Transform S n = input space Solve: (m(n 1) linear equations in (n 1) variables) n P (k) yj s y,n = 0, 1 k m, 1 j < n y=1

39 13 Key Recovery Attack Input: n r public polynomials P in n variables for number of variables N := n down to r + 2 do Step N: Find a good key (S N, T N) Transform the public key as P T N P S N, end for; Output: An equivalent key S = S n S n 1 S r+2 and T = T r+2 T n 1 T n

40 13 Key Recovery Attack Input: n r public polynomials P in n variables for number of variables N := n down to r + 2 do Step N: Find a good key (S N, T N) Transform the public key as P T N P S N, end for; Output: An equivalent key S = S n S n 1 S r+2 and T = T r+2 T n 1 T n Essential structure preserved

41 13 Key Recovery Attack Input: n r public polynomials P in n variables for number of variables N := n down to r + 2 do The structure gradually revealed Step N: Find a good key (S N, T N) Transform the public key as P T N P S N, end for; Output: An equivalent key S = S n S n 1 S r+2 and T = T r+2 T n 1 T n Essential structure preserved

42 13 Key Recovery Attack Input: n r public polynomials P in n variables for number of variables N := n down to r + 2 do The structure gradually revealed Step N: Find a good key (S N, T one column at a time N) Transform the public key as P T N P S N, end for; Output: An equivalent key S = S n S n 1 S r+2 and T = T r+2 T n 1 T n Essential structure preserved

43 14 Step n f 1 f d+1 f 2d+1 f n d+1 x n does not occur quadratically! f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n n 1 1 n 1 1 Recover structure Find good key S n = Solve: (m(n 1) linear equations in (n 1) variables) n P (k) yj s y,n = 0, 1 k m, 1 j < n y=1

44 14 Step N f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 x N occurs quadratically in at most one polynomial! f d f 2d f 3d f n

45 14 Step N f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 x N occurs quadratically in at most one polynomial! f d f 2d f 3d f n N N r 1 Find good key S N =, T N =

46 14 Theorem f 1 f d+1 f 2d+1 f n d+1 Step N The solution of the Simultaneous MinRank problems: f 2 f d+2 Find t f 2d+2 f k1 F q, 1 < n d+2 k N r + 1 such that ) ( (P (k) + t k1p (1) Rank gives the unknown columns of S N, T N f d f 2d f 3d x N occurs quadratically < N and s inker at most P (k) one + t k1p polynomial! (1)), k f n N N r 1 Find good key S N =, T N =

47 14 Theorem f 1 f d+1 f 2d+1 f n d+1 Step N The solution of the Simultaneous MinRank problems: f 2 f d+2 Find t f 2d+2 f k1 F q, 1 < n d+2 k N r + 1 such that ) ( (P (k) + t k1p (1) Rank gives the unknown columns of S N, T N f d f 2d f 3d x N occurs quadratically < N and s inker at most P (k) one + t k1p polynomial! (1)), k f n Kipnis-Shamir: N N r 1 ( Find good key S N =, s P (k) + t T N = k1p (1)) = 0 1 N, 1 < k N r + 1 [ N(N r + 1) equations in (N 1) + (N r 1) variables ]

48 15 Practical Key Recovery Key Recovery MQQ-ENC eld n r Security Theoretical (ω = 3) F F F F Practical time days Key Recovery MQQ-SIG n Security Theoretical (ω = 3) Practical time days Implemented in Magma on 32 core Intel Xeon 227GHz, 1TB RAM

49 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1))

50 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1)) q = O(n) Solve one MinRank and use exhaustion over F q Plausible to have small rank defect (for ex 1)

51 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1)) q = O(n) Solve one MinRank and use exhaustion over F q Plausible to have small rank defect (for ex 1) Theorem Complexity: O ( n ω+3) with probability 1 1/q

52 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1)) q = O(n) Solve one MinRank and use exhaustion over F q Plausible to have small rank defect (for ex 1) Any q Solve few of the MinRank(s) few=2 with high probability! Theorem Complexity: O ( n ω+3) with probability 1 1/q

53 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1)) q = O(n) Solve one MinRank and use exhaustion over F q Plausible to have small rank defect (for ex 1) Theorem Complexity: O ( n ω+3) with probability 1 1/q Any q Solve few of the MinRank(s) few=2 with high probability! Theorem Complexity: O(n 3ω+1 ) with probability ( 1 1 q )( 1 1 q n 3 )

54 17 Practical Results Key Recovery MQQ-ENC eld n r Theoretical (ω = 3) Practical F F F F F F Key Recovery MQQ-SIG n r Theoretical (ω = 3) Practical Implemented in Magma on 32 core Intel Xeon 227GHz, 1TB RAM

55 17 Practical Results Key Recovery MQQ-ENC eld n r Theoretical (ω = 3) Practical F F F F F F Security time days Key Recovery MQQ-SIG n r Theoretical (ω = 3) Practical Security time days Implemented in Magma on 32 core Intel Xeon 227GHz, 1TB RAM

56 18 Conclusion Very hard to design a secure scheme based on easily invertible MQQ structure For any advancement deeper insights in quasigroup theory needed MinRank - fundamental for MQ security Our attack Works over characteristic 2 Independent of the eld size Works regardless of the number of removed equations Simultaneous MinRank a proper way to model MinRank in MQ crypto

57 18 Conclusion Very hard to design a secure scheme based on easily invertible MQQ structure For any advancement deeper insights in quasigroup theory needed MinRank - fundamental for MQ security Our attack Works over characteristic 2 Independent of the eld size Works regardless of the number of removed equations Simultaneous MinRank a proper way to model MinRank in MQ crypto

58 18 Conclusion Very hard to design a secure scheme based on easily invertible MQQ structure For any advancement deeper insights in quasigroup theory needed MinRank - fundamental for MQ security Our attack Works over characteristic 2 Independent of the eld size Works regardless of the number of removed equations Simultaneous MinRank a proper way to model MinRank in MQ crypto

59 18 Conclusion Very hard to design a secure scheme based on easily invertible MQQ structure For any advancement deeper insights in quasigroup theory needed MinRank - fundamental for MQ security Our attack Works over characteristic 2 Independent of the eld size Works regardless of the number of removed equations Simultaneous MinRank a proper way to model MinRank in MQ crypto

60 Thank you for listening!?

On the Complexity of the Hybrid Approach on HFEv-

On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature