Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University of Kaiserslautern June 25, 2015 1 / 36
1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 2 / 36
General idea of public key cryptography complete key (set of data) 3 / 36
General idea of public key cryptography complete key (set of data) public key P (subset of complete key) private key Q (complete key \ public key) 3 / 36
General idea of public key cryptography complete key (set of data) public key P (subset of complete key) private key Q (complete key \ public key) message M ciphertext C 3 / 36
General idea of public key cryptography complete key (set of data) public key P (subset of complete key) private key Q (complete key \ public key) message M ciphertext C original message M 3 / 36
General idea of signature schemes original message M 4 / 36
General idea of signature schemes original message M hash function h: H = h(m) 4 / 36
General idea of signature schemes original message M hash function h: H = h(m) signature S = Q(H) with private key Q send tuple (M,S) 4 / 36
General idea of signature schemes compute hash H = h(m) of message M original message M hash function h: H = h(m) signature S = Q(H) with private key Q compute H = P(S) with public key P send tuple (M,S) 4 / 36
General idea of signature schemes compute hash H = h(m) of message M original message M hash function h: H = h(m) verify sender via testing H = H signature S = Q(H) with private key Q compute H = P(S) with public key P send tuple (M,S) 4 / 36
1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 5 / 36
Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions 6 / 36
Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions Example Elliptic curve crypto depends on the elliptic curve group. NTRU depends on the structure of an integral lattice. 6 / 36
Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions Example Elliptic curve crypto depends on the elliptic curve group. NTRU depends on the structure of an integral lattice. In MPKC the trapdoor one-way function is of the form of a multivariate non-linear polynomial map over a finite field. 6 / 36
Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions Example Elliptic curve crypto depends on the elliptic curve group. NTRU depends on the structure of an integral lattice. In MPKC the trapdoor one-way function is of the form of a multivariate non-linear polynomial map over a finite field. Note Usually non-linear means quadratic. Thus people often speak about MQ systems referring to multivariate quadratic. 6 / 36
Basis of security of MPKC MQ Problem Given m quadratic polynomials p 1 (x 1,...,x n ),..., p m (x 1,...,x n ) in n variables x = x 1,...,x n over a finite field F q, find a vector x such that p 1 (x ) =... = p m (x ) = 0. 7 / 36
Basis of security of MPKC MQ Problem Given m quadratic polynomials p 1 (x 1,...,x n ),..., p m (x 1,...,x n ) in n variables x = x 1,...,x n over a finite field F q, find a vector x such that p 1 (x ) =... = p m (x ) = 0. Solving MQ polynomial systems is worst case NP-hard and in general doubly exponential over any finite field. 7 / 36
Construction of the MPKC F 1. Get a trapdoor, e.g. non-linear function F : F n q F n q, easily invertible. 2. Represent F as multivariate polynomials F over F q. 8 / 36
Construction of the MPKC T F S 1. Get a trapdoor, e.g. non-linear function F : F n q F n q, easily invertible. 2. Represent F as multivariate polynomials F over F q. 3. Take invertible secret matrices S and T. 8 / 36
Construction of the MPKC P = T F S 1. Get a trapdoor, e.g. non-linear function F : F n q F n q, easily invertible. 2. Represent F as multivariate polynomials F over F q. 3. Take invertible secret matrices S and T. 4. Distribute your public key P = T F S as polynomials P. 8 / 36
We use a MQ polynomial map over F q : P : F n q F m q P = ( p 1 (x),...,p m (x) ) with p k (x) = 1 i j n for x = (x 1,...,x n ), α ijk,β ik,γ k F q. Public keys of MPKC α ijk x i x j + β ik x i + γ k, i 9 / 36
We use a MQ polynomial map over F q : P : F n q F m q P = ( p 1 (x),...,p m (x) ) with p k (x) = 1 i j n for x = (x 1,...,x n ), α ijk,β ik,γ k F q. Public keys of MPKC α ijk x i x j + β ik x i + γ k, i Note The constant and linear terms of the p k do not provide any further security, so we can neglect them in our discussion: 9 / 36
We use a MQ polynomial map over F q : P : F n q F m q P = ( p 1 (x),...,p m (x) ) with p k (x) = 1 i j n for x = (x 1,...,x n ), α ijk,β ik,γ k F q. Public keys of MPKC α ijk x i x j + β ik x i + γ k, i Note The constant and linear terms of the p k do not provide any further security, so we can neglect them in our discussion: p k (x) = 1 i j n α ijk x i x j, 9 / 36
Public keys of MPKC In other words: p k (n n) matrix P k (x 1,...,x n ) P k (x 1,...,x n ) T 10 / 36
Public keys of MPKC In other words: p k (n n) matrix P k (x 1,...,x n ) P k (x 1,...,x n ) T p k (x) = 1 i j n α ijk x i x j = xp k x T 10 / 36
Public keys of MPKC In other words: p k (n n) matrix P k (x 1,...,x n ) P k (x 1,...,x n ) T p k (x) = 1 i j n α ijk x i x j = xp k x T Clearly, P should be a random (mostly dense) system of MQ polynomial equations. But is it really? 10 / 36
Main ideas for attacking MPKC Try to retrieve secret S and T in order to get F. The used MPKC variant is known, thus try to exploit knowledge of general trapdoor / shape of private map. 11 / 36
Main ideas for attacking MPKC Try to retrieve secret S and T in order to get F. The used MPKC variant is known, thus try to exploit knowledge of general trapdoor / shape of private map. What are possible instantiations of MPKC? or What settings for F, S and T are used? 11 / 36
1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 12 / 36
Matsumoto-Imai scheme (MI or C ) 1988 In general: Utilize vector space and hidden field structure of (F q ) n. Instead of searching for invertible maps over the vector space (F q ) n Look for invertible maps on the extension field F q n (F ). Transform to an invertible map over (F q ) n applying secret S and T (P). A single univariate polynomial F over F q n is represented by n multivariate polynomials P = (p i (x 1,...,x n )) 1 i n over F q. 13 / 36
Matsumoto-Imai scheme (MI or C ) 1988 In general: Utilize vector space and hidden field structure of (F q ) n. Instead of searching for invertible maps over the vector space (F q ) n Look for invertible maps on the extension field F q n (F ). Transform to an invertible map over (F q ) n applying secret S and T (P). A single univariate polynomial F over F q n is represented by n multivariate polynomials P = (p i (x 1,...,x n )) 1 i n over F q. Note For C let us assume q = 2 or q = 2 k for some k. Makes the following discussion easier, generalization is rather trivial. 13 / 36
Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. 14 / 36
Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). 14 / 36
Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). Choose 0 < θ < n such that gcd(q θ + 1,q n 1) = 1. Define map F in E[X] via F (X) = X 1+qθ. 14 / 36
Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). Choose 0 < θ < n such that gcd(q θ + 1,q n 1) = 1. Define map F in E[X] via F (X) = X 1+qθ. Choice of θ ensures F being invertible: ξ (1 + q θ ) 1 mod (q n 1) = F 1 (X) = X ξ. 14 / 36
Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). Choose 0 < θ < n such that gcd(q θ + 1,q n 1) = 1. Define map F in E[X] via F (X) = X 1+qθ. Choice of θ ensures F being invertible: ξ (1 + q θ ) 1 mod (q n 1) = F 1 (X) = X ξ. Go back to (F q ) n : P = φ F φ 1 (x 1,...,x n ) = (p 1 (x),...,p n(x)). Apply secret transformations S and T : P = T P S = T φ F φ 1 S. 14 / 36
Matsumoto-Imai scheme (MI or C ) 1988 Note 1 Raising X to a power of the form q i is linear in E. P is a system of MQ polynomials over F q. 15 / 36
Matsumoto-Imai scheme (MI or C ) 1988 Note 1 Raising X to a power of the form q i is linear in E. P is a system of MQ polynomials over F q. Note 2 There are not so many choices for θ thus we can assume θ to be publicly known. 15 / 36
Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): 16 / 36
Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. 16 / 36
Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. From this one receives a system of equations of type α ij x i y j + β i x i + γ i y i + δ = 0. 16 / 36
Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. From this one receives a system of equations of type α ij x i y j + β i x i + γ i y i + δ = 0. Taking enough cipher texts from the original system one can determine the coefficients. 16 / 36
Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. From this one receives a system of equations of type α ij x i y j + β i x i + γ i y i + δ = 0. Taking enough cipher texts from the original system one can determine the coefficients. For a given y (cipher text) we can then solve the linear equations to get x (plain text). 16 / 36
(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. 17 / 36
(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? 17 / 36
(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! 17 / 36
(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! Only have the public polynomials How to compute T A? 17 / 36
(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! Only have the public polynomials How to compute T A? Multiply input of F by α multiply output by β := F (α) = α qθ + 1. 17 / 36
(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! Only have the public polynomials How to compute T A? Multiply input of F by α multiply output by β := F (α) = α qθ + 1. Find matrix B such that R T A P S = R T P S B. 17 / 36
How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S 18 / 36
How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S Example: SFLASHv3 n = 67, r = 11 dim(v R ) = 56, dim(v) = 67, dim(w) = 2278. 18 / 36
How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S Example: SFLASHv3 n = 67, r = 11 dim(v R ) = 56, dim(v) = 67, dim(w) = 2278. Not so many good choices for B. 18 / 36
How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S Example: SFLASHv3 n = 67, r = 11 dim(v R ) = 56, dim(v) = 67, dim(w) = 2278. Not so many good choices for B. In particular q n2 possible matrices over F q but only q n elements in E. good matrices corresponding to extension field multiplication form tiny linear subspace. 18 / 36
(C ) or SFLASH Last step Find good matrices using the fact that they preserve the membership of the output quadratic equations in V. ( Bad matrices are extremely unlikely to have this property as V is very sparse in W.) 19 / 36
(C ) or SFLASH Last step Find good matrices using the fact that they preserve the membership of the output quadratic equations in V. ( Bad matrices are extremely unlikely to have this property as V is very sparse in W.) Either solve quadratic equations in n 2 variables, not so efficient. Or use the differential operator to get bivariate bilinear equations from univariate quadratic ones (working since F (X) = X qθ +1 ): DF (a,x) = F (a + X) F (a) F (X) + F (0) = ax qθ + a qθ X. 19 / 36
Other generalizations of C Generalize F to a univariate polynomial of a given degree d (HFE). F (X) = i,q θ i +q η i d Broken by Faugère and Joux in 2002. HFE with removing equations (HFE-). α i X qθ i +q η i Use more than one polynomial for F (multi-c, multi-hfe). Use intermediate field equations (IFS). Perturb polynomials or add some auxiliary variable Y (vinegar variable).... 20 / 36
Other generalizations of C Generalize F to a univariate polynomial of a given degree d (HFE). F (X) = i,q θ i +q η i d Broken by Faugère and Joux in 2002. HFE with removing equations (HFE-). α i X qθ i +q η i Use more than one polynomial for F (multi-c, multi-hfe). Use intermediate field equations (IFS). Perturb polynomials or add some auxiliary variable Y (vinegar variable).... All those schemes are based on hidden fields and extensions. 20 / 36
1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 21 / 36
In general: Oil and Vinegar scheme (OV) Trapdoor achieved by special structure of private polynomials, not by field extensions. Structure given by distinguishing set of variables: n = v + o variables, V := {u 1,...,u v } (vinegar) and O := {u v+1,...,u n } (oil) 22 / 36
In general: Oil and Vinegar scheme (OV) Trapdoor achieved by special structure of private polynomials, not by field extensions. Structure given by distinguishing set of variables: n = v + o variables, V := {u 1,...,u v } (vinegar) and O := {u v+1,...,u n } (oil) V and O are balanced: v = o, n = 2v = 2o. There are v = o private polynomials in F. 22 / 36
In general: Oil and Vinegar scheme (OV) Trapdoor achieved by special structure of private polynomials, not by field extensions. Structure given by distinguishing set of variables: n = v + o variables, V := {u 1,...,u v } (vinegar) and O := {u v+1,...,u n } (oil) V and O are balanced: v = o, n = 2v = 2o. There are v = o private polynomials in F. Structure of private polynomials f k (u) = i V,j V i j α ijk u i u j + β ijk u i u j. i V,j O There are no quadratic terms in two oil variables. 22 / 36
Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m 23 / 36
Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m Having a message of length v we fix variables u 1,...,u v in F and receive linear equations in the remaining o variables. 23 / 36
Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m Having a message of length v we fix variables u 1,...,u v in F and receive linear equations in the remaining o variables. Those linear equations are invertible with high probability. 23 / 36
Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m Having a message of length v we fix variables u 1,...,u v in F and receive linear equations in the remaining o variables. Those linear equations are invertible with high probability. Public polynomials Apply secret transformations S and T to receive P as random MQ polynomials. In this setting T does not add any further security, so we can assume the identity. 23 / 36
Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. 24 / 36
Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. 24 / 36
Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. If F j is invertible (high probability) then F i F 1 j on itself. maps the vinegar space 24 / 36
Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. If F j is invertible (high probability) then F i F 1 j on itself. maps the vinegar space Thus the image V of the vinegar subspace under S is a common eigenspace for each P i P 1 j, 1 i < j o. 24 / 36
Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. If F j is invertible (high probability) then F i F 1 j on itself. maps the vinegar space Thus the image V of the vinegar subspace under S is a common eigenspace for each P i P 1 j, 1 i < j o. Efficient algorithms for computing eigenspaces by Kipnis and Shamir Get V, find O such that O + V = F n q (separating vinegar and oil). Get (F,S ) isomorphic to (F,S). 24 / 36
Unbalancing OV UOV This attack works due to v = o unbalance v and o: v > o. In general: n = v + o, m = n v, v > m, m polynomials. 25 / 36
Unbalancing OV UOV This attack works due to v = o unbalance v and o: v > o. In general: n = v + o, m = n v, v > m, m polynomials. Be careful The previous attack works in a probabilistic fashion also for v > o. It has complexity O(q v m 1 m 4 ) = O(q n 2m 1 m 4 ). Thus one should take at least v 3m. 25 / 36
Unbalancing OV UOV This attack works due to v = o unbalance v and o: v > o. In general: n = v + o, m = n v, v > m, m polynomials. Be careful The previous attack works in a probabilistic fashion also for v > o. It has complexity O(q v m 1 m 4 ) = O(q n 2m 1 m 4 ). Thus one should take at least v 3m. Size problem Enlarging v and o the key sizes get, at some point, too big for practical applications. 25 / 36
Why do we need big values for v and o? Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete). Minrank (n, k, r) problem Given M 0,...,M k M n n (F q ), find (λ 1,...,λ k ) F k q such that rank ( k i=1λ i Mi M0 ) r. 26 / 36
Why do we need big values for v and o? Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete). Minrank (n, k, r) problem Given M 0,...,M k M n n (F q ), find (λ 1,...,λ k ) F k q such that rank ( k i=1λ i Mi M0 ) r. Often the rank of the matrices corresponding to F is restricted (e.g. in HFE via degree, in UOV by the choice of v and o.) 26 / 36
Why do we need big values for v and o? Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete). Minrank (n, k, r) problem Given M 0,...,M k M n n (F q ), find (λ 1,...,λ k ) F k q such that rank ( k i=1λ i Mi M0 ) r. Often the rank of the matrices corresponding to F is restricted (e.g. in HFE via degree, in UOV by the choice of v and o.) rank ( m i=1λ i P i ) r. 26 / 36
Somewhere over the Rainbow... Try to improve security by using several layers of UOV 27 / 36
Somewhere over the Rainbow... Try to improve security by using several layers of UOV Rainbow scheme with L layers Defined by a tuple (q,v 1,...,v L+1 ) Preset 0 < v 1 < v 2 <... < v L+1 = n, # vinegar variables of the different layers. # oil variables o l = v l+1 v l for 1 l L. Each layer l consists of o l polynomials f vl v 1 +1,...,f vl+1 v 1 where we set m := L l=1 o l. For each such level we have vinegar variables V l = {u 1,...,u vl } and oil variables O l = {u vl +1,...,u vl+1 }. 27 / 36
Rainbow (q,6,12,17,22,33) 4-layered Rainbow with m = (12 6) + (17 12) + (22 17) + (33 22) = 27 polynomials. Classical Minrank attack 6 polynomials in first layer of rank r = 12. Prob(random vector in ker( m i=1 λ i P i )) = 1 q r. For such a vector w we have ( m i=1 λ i P i )w = 0. Linear in λ 1,...,λ m. Since n > m we can just use linear algebra. Complexity O(q r m 3 ) = O(q 12 27 3 ). 28 / 36
Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk =
Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27
Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 T
Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 6 27 w1 = F1w T,...,w6 = F6w T T ˆ= Prob(w i linearly independent) = 5 i=0 (1 qi q 6 ) < 1 1 q.
Rainbow (q,6,12,17,22,33) Improved attack (Billet, Gilbert; 2006) 6 For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 Prob(w i linearly independent) = 5 i=0 Prob (( 6 i=1 λ if i ) w = 0 ) > 1 q. T (1 qi q 6 ) < 1 1 q.
Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 Prob(w i linearly independent) = 5 i=0 (1 qi < 1 1 q. (( Prob 6 i=1 λ ) ) if i w = 0 > 1 q. Prob(random vector of type w) = 1 q 6 ( Afterwards linear algebra as in standard Minrank attack: O 27 3) T q 6 ) 29 / 36
Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 Prob(w i linearly independent) = 5 i=0 (1 qi < 1 1 q. (( Prob 6 i=1 λ ) ) if i w = 0 > 1 q. Prob(random vector of type w) = 1 q 6 ( Afterwards linear algebra as in standard Minrank attack: O 27 3) T q 6 ) O ( q 7 27 3) 29 / 36
Rainbow (2 8,18,30,42) O18 12 F k = O12 12 O12 12 F k = O12 18 O12 12 O12 12 O12 12 for 1 k 12 (first layer) for 13 k 24 (second layer) 30 / 36
Rainbow (2 8,18,30,42) O18 12 F k = O12 12 O12 12 F k = O12 18 O12 12 O12 12 O12 12 for 1 k 12 (first layer) for 13 k 24 (second layer) Direct key recovery attack 24 random public polynomials, need to find S Mat(42 42,F q ) and T Mat(24 24,F q ). Structure of F = System of polynomial equations in entries of S and T for corresponding zero coefficients. (v 1 + o 1 + o 2 ) 2 + (o 1 + o 2 ) 2 = 42 2 + 24 2 = 2340 variables. (o 1 + o 2 ) O 2 O 2 + o 1 ( (V 1 O 1 ) O 2 )+ o 1 ( O 1 O 1 ) = 7128 (non-linear )equations. Complexity: O ( 2 3608) (or: forget it!) 30 / 36
Again idea of equivalent keys Rainbow (2 8,18,30,42) 31 / 36
Again idea of equivalent keys Rainbow (2 8,18,30,42) 118 18 112 12 S = O12 12 112 12 T = O12 12 112 12 O12 18 O12 12 112 12 31 / 36
Again idea of equivalent keys Rainbow (2 8,18,30,42) 118 18 112 12 S = O12 12 112 12 T = O12 12 112 12 O12 18 O12 12 112 12 Equivalent key attack (T F S = P = T F S ) 24 random public polynomials, need to find S Mat(42 42,F q ) and T Mat(24 24,F q ). v 1 o 1 + v 1 o 2 + o 1 o 2 + o 1 o 2 = 720 variables. # equations stays the same, but o 1 V 1 O 2 are no longer cubic, but quadratic (first v 1 variables in S are set!) 2592 quadratic (bihomogeneous in s ij and t kl ) and 4536 cubic equations. Complexity: O ( 2 374) (or: still, forget it!) 31 / 36
Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 32 / 36
Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 118 18 O18 12 O18 11 112 12 O11 12 S n = O12 12 112 12 O12 11 T 1 = O12 12 112 12 O12 18 O12 12 112 12 32 / 36
Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 118 18 O18 12 O18 11 112 12 O11 12 S n = O12 12 112 12 O12 11 T 1 = O12 12 112 12 O12 18 O12 12 112 12 We can only recover zero coefficients for xn 2 terms (for all private polynomials) and for x k x n terms (for 1 k n 1 and only for first private polynomial). 32 / 36
Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 118 18 O18 12 O18 11 112 12 O11 12 S n = O12 12 112 12 O12 11 T 1 = O12 12 112 12 O12 18 O12 12 112 12 We can only recover zero coefficients for xn 2 terms (for all private polynomials) and for x k x n terms (for 1 k n 1 and only for first private polynomial). (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 32 / 36
Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 118 18 O18 12 O18 11 112 12 O11 12 S n = O12 12 112 12 O12 11 T 1 = O12 12 112 12 O12 18 O12 12 112 12 We can only recover zero coefficients for xn 2 terms (for all private polynomials) and for x k x n terms (for 1 k n 1 and only for first private polynomial). (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 = 42 variables in 65 equations? 32 / 36
Rainbow (2 8,18,30,42) Metacryptography Not breaking a system, but breaking an attack :) 33 / 36
Rainbow (2 8,18,30,42) Metacryptography Not breaking a system, but breaking an attack :) We can recover zero coefficients for x 2 n terms only for the last o 2 private polynomials and for x k x n terms only for 1 k v 1 and only for the first private polynomial. 33 / 36
Rainbow (2 8,18,30,42) Metacryptography Not breaking a system, but breaking an attack :) We can recover zero coefficients for x 2 n terms only for the last o 2 private polynomials and for x k x n terms only for 1 k v 1 and only for the first private polynomial. (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 2 quadratic equations for o 1 + 1 k o 1 + o 2 (k,n,1) v 1 quadratic equations for 1 k v 1 = 42 variables in 31 equations. 33 / 36
Rainbow (2 8,18,30,42) Fix attack by adding more rows to T : 34 / 36
Rainbow (2 8,18,30,42) Fix attack by adding more rows to T : Minimal system received with 3 rows in T and S n. v 1 + o 1 + 3 o 2 = 66 variables. 3 cubic equations, 66 quadratic equations. Complexity: Still O ( 2 231) (or: well, you know) 34 / 36
Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) 35 / 36
Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) The Rainbow band separation attack is really working out! 35 / 36
Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) The Rainbow band separation attack is really working out! (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 65 equations in 42 variables ( Complexity: O 2 95) 35 / 36
Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) The Rainbow band separation attack is really working out! (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 65 equations in 42 variables ( Complexity: O 2 95) Still not feasible, but now we have new ideas. 35 / 36
References [1] Bettale, L., Faugère, J.-C., and Perret, L. Cryptanalysis of HFE, Multi-HFE and Variants for Odd and Even Characteristic, 2011. PKC 2011 [2] Billet, O. and Gilbert, H. Cryptanalysis of Rainbow, 2006. Security and Cryptography for Networks [3] Ding, J. and Schmidt, D. Rainbow, a new multivariable polynomial signature scheme, 2005. Conference on Applied Cryptography and Network Security [4] Ding, J. and Yang, B.-Y. Multivariate Public Key Cryptography, 2009. [5] Kipnis, A. and Shamir, A. Cryptanalysis of the Oil and Vinegar Signature Scheme, 1998. Crypto 1998 [6] Matsumoto, T. and Imai, H. Public Quadratic Polynomial Tuples for Efficient Signature Verification and Message Encryption, 1988. Eurocrypt 1988 [7] Patarin, J. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 88, 1995. Crypto 1995 [8] Patarin, J. Hidden Field Equations (HFE) and Isomorphisms of Polynomials, 1996. Eurocrypt 1996 [9] Patarin, J. The Oil and Vinegar Algorithm for Signatures, 1997. presented at Dagstuhl workshop on Cryptography 1997 [10] Thomae, E. About the Security of Multivariate Quadratic Public Key Schemes, 2013. PhD thesis, Ruhr Universtiy Bochum, Germany [11] Wolf, C. and Preneel, B. Superfluous keys in Multivariate Quadratic asymmetric systems, 2004. PKC 2004 36 / 36