Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

Similar documents
Inoculating Multivariate Schemes Against Differential Attacks

MI-T-HFE, a New Multivariate Signature Scheme

Key Recovery on Hidden Monomial Multivariate Schemes

Multivariate Public Key Cryptography

Hidden Field Equations

Simple Matrix Scheme for Encryption (ABC)

Multivariate Quadratic Public-Key Cryptography Part 1: Basics

Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL

Cryptanalysis of the Oil & Vinegar Signature Scheme

Oil-Vinegar signature cryptosystems

TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

Cryptanalysis of Simple Matrix Scheme for Encryption

Linearity Measures for MQ Cryptography

Gröbner Bases in Public-Key Cryptography

New Directions in Multivariate Public Key Cryptography

Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

New candidates for multivariate trapdoor functions

A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems

On the Complexity of the Hybrid Approach on HFEv-

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis

Key Recovery on Hidden Monomial Multivariate Schemes

Improved Cryptanalysis of HFEv- via Projection

Improved Cryptanalysis of HFEv- via Projection

Hidden Pair of Bijection Signature Scheme

Differential Cryptanalysis for Multivariate Schemes

Gröbner Bases Techniques in Post-Quantum Cryptography

Isomorphism of Polynomials : New Results

RGB, a Mixed Multivariate Signature Scheme

The Shortest Signatures Ever

Quantum-resistant cryptography

Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems

A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems

On Enumeration of Polynomial Equivalence Classes and Their Application to MPKC

Cryptanalysis of the TTM Cryptosystem

Efficient variant of Rainbow using sparse secret keys

Algebraic Aspects of Symmetric-key Cryptography

Public key cryptography using Permutation P-Polynomials over Finite Fields

Public-Key Identification Schemes based on Multivariate Quadratic Polynomials

On the Security and Key Generation of the ZHFE Encryption Scheme

MaTRU: A New NTRU-Based Cryptosystem

Multivariate Public Key Cryptography

Rank Analysis of Cubic Multivariate Cryptosystems

Roots of Square: Cryptanalysis of Double-Layer Square and Square+

HFERP - A New Multivariate Encryption Scheme

Cryptanalysis of the Tractable Rational Map Cryptosystem

Hybrid Approach : a Tool for Multivariate Cryptography

Differential Algorithms for the Isomorphism of Polynomials Problem

Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations

Notes for Lecture 15

Introduction to Quantum Safe Cryptography. ENISA September 2018

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Public Key Algorithms

Solving Underdetermined Systems of Multivariate Quadratic Equations Revisited

Lecture 1: Introduction to Public key cryptography

Algorithmic Number Theory and Public-key Cryptography

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

How Fast can be Algebraic Attacks on Block Ciphers?

MXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy

Résolution de systèmes polynomiaux structurés et applications en Cryptologie

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Comparison between XL and Gröbner Basis Algorithms

A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes

Computational and Algebraic Aspects of the Advanced Encryption Standard

A Public Key Block Cipher Based on Multivariate Quadratic Quasigroups

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

On the Security of HFE, HFEv- and Quartz

Essential Algebraic Structure Within the AES

Quadratic Equations from APN Power Functions

An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme

Computers and Electrical Engineering

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

8 Elliptic Curve Cryptography

Etude d hypothèses algorithmiques et attaques de primitives cryptographiques

From 5-pass MQ-based identification to MQ-based signatures

Differential Security of the HF Ev Signiture Primitive

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty

An Efficient Broadcast Attack against NTRU

Faster Satisfiability Algorithms for Systems of Polynomial Equations over Finite Fields and ACC^0[p]

Solving Underdefined Systems of Multivariate Quadratic Equations

Chapter 1 Vector Spaces

Ideal Lattices and NTRU

Lattice Reduction Attack on the Knapsack

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Post-Quantum Cryptography & Privacy. Andreas Hülsing

New Insight into the Isomorphism of Polynomial Problem IP1S and its Use in Cryptography

Lecture Notes, Week 6

Lattice Cryptography

An Improved Affine Equivalence Algorithm for Random Permutations

Hidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith

CIS 551 / TCOM 401 Computer and Network Security

PIT problems in the light of and the noncommutative rank algorithm

ASYMMETRIC ENCRYPTION

Looking back at lattice-based cryptanalysis

Transcription:

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University of Kaiserslautern June 25, 2015 1 / 36

1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 2 / 36

General idea of public key cryptography complete key (set of data) 3 / 36

General idea of public key cryptography complete key (set of data) public key P (subset of complete key) private key Q (complete key \ public key) 3 / 36

General idea of public key cryptography complete key (set of data) public key P (subset of complete key) private key Q (complete key \ public key) message M ciphertext C 3 / 36

General idea of public key cryptography complete key (set of data) public key P (subset of complete key) private key Q (complete key \ public key) message M ciphertext C original message M 3 / 36

General idea of signature schemes original message M 4 / 36

General idea of signature schemes original message M hash function h: H = h(m) 4 / 36

General idea of signature schemes original message M hash function h: H = h(m) signature S = Q(H) with private key Q send tuple (M,S) 4 / 36

General idea of signature schemes compute hash H = h(m) of message M original message M hash function h: H = h(m) signature S = Q(H) with private key Q compute H = P(S) with public key P send tuple (M,S) 4 / 36

General idea of signature schemes compute hash H = h(m) of message M original message M hash function h: H = h(m) verify sender via testing H = H signature S = Q(H) with private key Q compute H = P(S) with public key P send tuple (M,S) 4 / 36

1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 5 / 36

Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions 6 / 36

Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions Example Elliptic curve crypto depends on the elliptic curve group. NTRU depends on the structure of an integral lattice. 6 / 36

Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions Example Elliptic curve crypto depends on the elliptic curve group. NTRU depends on the structure of an integral lattice. In MPKC the trapdoor one-way function is of the form of a multivariate non-linear polynomial map over a finite field. 6 / 36

Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions Example Elliptic curve crypto depends on the elliptic curve group. NTRU depends on the structure of an integral lattice. In MPKC the trapdoor one-way function is of the form of a multivariate non-linear polynomial map over a finite field. Note Usually non-linear means quadratic. Thus people often speak about MQ systems referring to multivariate quadratic. 6 / 36

Basis of security of MPKC MQ Problem Given m quadratic polynomials p 1 (x 1,...,x n ),..., p m (x 1,...,x n ) in n variables x = x 1,...,x n over a finite field F q, find a vector x such that p 1 (x ) =... = p m (x ) = 0. 7 / 36

Basis of security of MPKC MQ Problem Given m quadratic polynomials p 1 (x 1,...,x n ),..., p m (x 1,...,x n ) in n variables x = x 1,...,x n over a finite field F q, find a vector x such that p 1 (x ) =... = p m (x ) = 0. Solving MQ polynomial systems is worst case NP-hard and in general doubly exponential over any finite field. 7 / 36

Construction of the MPKC F 1. Get a trapdoor, e.g. non-linear function F : F n q F n q, easily invertible. 2. Represent F as multivariate polynomials F over F q. 8 / 36

Construction of the MPKC T F S 1. Get a trapdoor, e.g. non-linear function F : F n q F n q, easily invertible. 2. Represent F as multivariate polynomials F over F q. 3. Take invertible secret matrices S and T. 8 / 36

Construction of the MPKC P = T F S 1. Get a trapdoor, e.g. non-linear function F : F n q F n q, easily invertible. 2. Represent F as multivariate polynomials F over F q. 3. Take invertible secret matrices S and T. 4. Distribute your public key P = T F S as polynomials P. 8 / 36

We use a MQ polynomial map over F q : P : F n q F m q P = ( p 1 (x),...,p m (x) ) with p k (x) = 1 i j n for x = (x 1,...,x n ), α ijk,β ik,γ k F q. Public keys of MPKC α ijk x i x j + β ik x i + γ k, i 9 / 36

We use a MQ polynomial map over F q : P : F n q F m q P = ( p 1 (x),...,p m (x) ) with p k (x) = 1 i j n for x = (x 1,...,x n ), α ijk,β ik,γ k F q. Public keys of MPKC α ijk x i x j + β ik x i + γ k, i Note The constant and linear terms of the p k do not provide any further security, so we can neglect them in our discussion: 9 / 36

We use a MQ polynomial map over F q : P : F n q F m q P = ( p 1 (x),...,p m (x) ) with p k (x) = 1 i j n for x = (x 1,...,x n ), α ijk,β ik,γ k F q. Public keys of MPKC α ijk x i x j + β ik x i + γ k, i Note The constant and linear terms of the p k do not provide any further security, so we can neglect them in our discussion: p k (x) = 1 i j n α ijk x i x j, 9 / 36

Public keys of MPKC In other words: p k (n n) matrix P k (x 1,...,x n ) P k (x 1,...,x n ) T 10 / 36

Public keys of MPKC In other words: p k (n n) matrix P k (x 1,...,x n ) P k (x 1,...,x n ) T p k (x) = 1 i j n α ijk x i x j = xp k x T 10 / 36

Public keys of MPKC In other words: p k (n n) matrix P k (x 1,...,x n ) P k (x 1,...,x n ) T p k (x) = 1 i j n α ijk x i x j = xp k x T Clearly, P should be a random (mostly dense) system of MQ polynomial equations. But is it really? 10 / 36

Main ideas for attacking MPKC Try to retrieve secret S and T in order to get F. The used MPKC variant is known, thus try to exploit knowledge of general trapdoor / shape of private map. 11 / 36

Main ideas for attacking MPKC Try to retrieve secret S and T in order to get F. The used MPKC variant is known, thus try to exploit knowledge of general trapdoor / shape of private map. What are possible instantiations of MPKC? or What settings for F, S and T are used? 11 / 36

1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 12 / 36

Matsumoto-Imai scheme (MI or C ) 1988 In general: Utilize vector space and hidden field structure of (F q ) n. Instead of searching for invertible maps over the vector space (F q ) n Look for invertible maps on the extension field F q n (F ). Transform to an invertible map over (F q ) n applying secret S and T (P). A single univariate polynomial F over F q n is represented by n multivariate polynomials P = (p i (x 1,...,x n )) 1 i n over F q. 13 / 36

Matsumoto-Imai scheme (MI or C ) 1988 In general: Utilize vector space and hidden field structure of (F q ) n. Instead of searching for invertible maps over the vector space (F q ) n Look for invertible maps on the extension field F q n (F ). Transform to an invertible map over (F q ) n applying secret S and T (P). A single univariate polynomial F over F q n is represented by n multivariate polynomials P = (p i (x 1,...,x n )) 1 i n over F q. Note For C let us assume q = 2 or q = 2 k for some k. Makes the following discussion easier, generalization is rather trivial. 13 / 36

Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. 14 / 36

Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). 14 / 36

Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). Choose 0 < θ < n such that gcd(q θ + 1,q n 1) = 1. Define map F in E[X] via F (X) = X 1+qθ. 14 / 36

Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). Choose 0 < θ < n such that gcd(q θ + 1,q n 1) = 1. Define map F in E[X] via F (X) = X 1+qθ. Choice of θ ensures F being invertible: ξ (1 + q θ ) 1 mod (q n 1) = F 1 (X) = X ξ. 14 / 36

Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). Choose 0 < θ < n such that gcd(q θ + 1,q n 1) = 1. Define map F in E[X] via F (X) = X 1+qθ. Choice of θ ensures F being invertible: ξ (1 + q θ ) 1 mod (q n 1) = F 1 (X) = X ξ. Go back to (F q ) n : P = φ F φ 1 (x 1,...,x n ) = (p 1 (x),...,p n(x)). Apply secret transformations S and T : P = T P S = T φ F φ 1 S. 14 / 36

Matsumoto-Imai scheme (MI or C ) 1988 Note 1 Raising X to a power of the form q i is linear in E. P is a system of MQ polynomials over F q. 15 / 36

Matsumoto-Imai scheme (MI or C ) 1988 Note 1 Raising X to a power of the form q i is linear in E. P is a system of MQ polynomials over F q. Note 2 There are not so many choices for θ thus we can assume θ to be publicly known. 15 / 36

Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): 16 / 36

Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. 16 / 36

Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. From this one receives a system of equations of type α ij x i y j + β i x i + γ i y i + δ = 0. 16 / 36

Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. From this one receives a system of equations of type α ij x i y j + β i x i + γ i y i + δ = 0. Taking enough cipher texts from the original system one can determine the coefficients. 16 / 36

Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. From this one receives a system of equations of type α ij x i y j + β i x i + γ i y i + δ = 0. Taking enough cipher texts from the original system one can determine the coefficients. For a given y (cipher text) we can then solve the linear equations to get x (plain text). 16 / 36

(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. 17 / 36

(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? 17 / 36

(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! 17 / 36

(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! Only have the public polynomials How to compute T A? 17 / 36

(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! Only have the public polynomials How to compute T A? Multiply input of F by α multiply output by β := F (α) = α qθ + 1. 17 / 36

(C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! Only have the public polynomials How to compute T A? Multiply input of F by α multiply output by β := F (α) = α qθ + 1. Find matrix B such that R T A P S = R T P S B. 17 / 36

How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S 18 / 36

How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S Example: SFLASHv3 n = 67, r = 11 dim(v R ) = 56, dim(v) = 67, dim(w) = 2278. 18 / 36

How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S Example: SFLASHv3 n = 67, r = 11 dim(v R ) = 56, dim(v) = 67, dim(w) = 2278. Not so many good choices for B. 18 / 36

How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S Example: SFLASHv3 n = 67, r = 11 dim(v R ) = 56, dim(v) = 67, dim(w) = 2278. Not so many good choices for B. In particular q n2 possible matrices over F q but only q n elements in E. good matrices corresponding to extension field multiplication form tiny linear subspace. 18 / 36

(C ) or SFLASH Last step Find good matrices using the fact that they preserve the membership of the output quadratic equations in V. ( Bad matrices are extremely unlikely to have this property as V is very sparse in W.) 19 / 36

(C ) or SFLASH Last step Find good matrices using the fact that they preserve the membership of the output quadratic equations in V. ( Bad matrices are extremely unlikely to have this property as V is very sparse in W.) Either solve quadratic equations in n 2 variables, not so efficient. Or use the differential operator to get bivariate bilinear equations from univariate quadratic ones (working since F (X) = X qθ +1 ): DF (a,x) = F (a + X) F (a) F (X) + F (0) = ax qθ + a qθ X. 19 / 36

Other generalizations of C Generalize F to a univariate polynomial of a given degree d (HFE). F (X) = i,q θ i +q η i d Broken by Faugère and Joux in 2002. HFE with removing equations (HFE-). α i X qθ i +q η i Use more than one polynomial for F (multi-c, multi-hfe). Use intermediate field equations (IFS). Perturb polynomials or add some auxiliary variable Y (vinegar variable).... 20 / 36

Other generalizations of C Generalize F to a univariate polynomial of a given degree d (HFE). F (X) = i,q θ i +q η i d Broken by Faugère and Joux in 2002. HFE with removing equations (HFE-). α i X qθ i +q η i Use more than one polynomial for F (multi-c, multi-hfe). Use intermediate field equations (IFS). Perturb polynomials or add some auxiliary variable Y (vinegar variable).... All those schemes are based on hidden fields and extensions. 20 / 36

1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 21 / 36

In general: Oil and Vinegar scheme (OV) Trapdoor achieved by special structure of private polynomials, not by field extensions. Structure given by distinguishing set of variables: n = v + o variables, V := {u 1,...,u v } (vinegar) and O := {u v+1,...,u n } (oil) 22 / 36

In general: Oil and Vinegar scheme (OV) Trapdoor achieved by special structure of private polynomials, not by field extensions. Structure given by distinguishing set of variables: n = v + o variables, V := {u 1,...,u v } (vinegar) and O := {u v+1,...,u n } (oil) V and O are balanced: v = o, n = 2v = 2o. There are v = o private polynomials in F. 22 / 36

In general: Oil and Vinegar scheme (OV) Trapdoor achieved by special structure of private polynomials, not by field extensions. Structure given by distinguishing set of variables: n = v + o variables, V := {u 1,...,u v } (vinegar) and O := {u v+1,...,u n } (oil) V and O are balanced: v = o, n = 2v = 2o. There are v = o private polynomials in F. Structure of private polynomials f k (u) = i V,j V i j α ijk u i u j + β ijk u i u j. i V,j O There are no quadratic terms in two oil variables. 22 / 36

Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m 23 / 36

Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m Having a message of length v we fix variables u 1,...,u v in F and receive linear equations in the remaining o variables. 23 / 36

Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m Having a message of length v we fix variables u 1,...,u v in F and receive linear equations in the remaining o variables. Those linear equations are invertible with high probability. 23 / 36

Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m Having a message of length v we fix variables u 1,...,u v in F and receive linear equations in the remaining o variables. Those linear equations are invertible with high probability. Public polynomials Apply secret transformations S and T to receive P as random MQ polynomials. In this setting T does not add any further security, so we can assume the identity. 23 / 36

Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. 24 / 36

Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. 24 / 36

Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. If F j is invertible (high probability) then F i F 1 j on itself. maps the vinegar space 24 / 36

Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. If F j is invertible (high probability) then F i F 1 j on itself. maps the vinegar space Thus the image V of the vinegar subspace under S is a common eigenspace for each P i P 1 j, 1 i < j o. 24 / 36

Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. If F j is invertible (high probability) then F i F 1 j on itself. maps the vinegar space Thus the image V of the vinegar subspace under S is a common eigenspace for each P i P 1 j, 1 i < j o. Efficient algorithms for computing eigenspaces by Kipnis and Shamir Get V, find O such that O + V = F n q (separating vinegar and oil). Get (F,S ) isomorphic to (F,S). 24 / 36

Unbalancing OV UOV This attack works due to v = o unbalance v and o: v > o. In general: n = v + o, m = n v, v > m, m polynomials. 25 / 36

Unbalancing OV UOV This attack works due to v = o unbalance v and o: v > o. In general: n = v + o, m = n v, v > m, m polynomials. Be careful The previous attack works in a probabilistic fashion also for v > o. It has complexity O(q v m 1 m 4 ) = O(q n 2m 1 m 4 ). Thus one should take at least v 3m. 25 / 36

Unbalancing OV UOV This attack works due to v = o unbalance v and o: v > o. In general: n = v + o, m = n v, v > m, m polynomials. Be careful The previous attack works in a probabilistic fashion also for v > o. It has complexity O(q v m 1 m 4 ) = O(q n 2m 1 m 4 ). Thus one should take at least v 3m. Size problem Enlarging v and o the key sizes get, at some point, too big for practical applications. 25 / 36

Why do we need big values for v and o? Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete). Minrank (n, k, r) problem Given M 0,...,M k M n n (F q ), find (λ 1,...,λ k ) F k q such that rank ( k i=1λ i Mi M0 ) r. 26 / 36

Why do we need big values for v and o? Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete). Minrank (n, k, r) problem Given M 0,...,M k M n n (F q ), find (λ 1,...,λ k ) F k q such that rank ( k i=1λ i Mi M0 ) r. Often the rank of the matrices corresponding to F is restricted (e.g. in HFE via degree, in UOV by the choice of v and o.) 26 / 36

Why do we need big values for v and o? Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete). Minrank (n, k, r) problem Given M 0,...,M k M n n (F q ), find (λ 1,...,λ k ) F k q such that rank ( k i=1λ i Mi M0 ) r. Often the rank of the matrices corresponding to F is restricted (e.g. in HFE via degree, in UOV by the choice of v and o.) rank ( m i=1λ i P i ) r. 26 / 36

Somewhere over the Rainbow... Try to improve security by using several layers of UOV 27 / 36

Somewhere over the Rainbow... Try to improve security by using several layers of UOV Rainbow scheme with L layers Defined by a tuple (q,v 1,...,v L+1 ) Preset 0 < v 1 < v 2 <... < v L+1 = n, # vinegar variables of the different layers. # oil variables o l = v l+1 v l for 1 l L. Each layer l consists of o l polynomials f vl v 1 +1,...,f vl+1 v 1 where we set m := L l=1 o l. For each such level we have vinegar variables V l = {u 1,...,u vl } and oil variables O l = {u vl +1,...,u vl+1 }. 27 / 36

Rainbow (q,6,12,17,22,33) 4-layered Rainbow with m = (12 6) + (17 12) + (22 17) + (33 22) = 27 polynomials. Classical Minrank attack 6 polynomials in first layer of rank r = 12. Prob(random vector in ker( m i=1 λ i P i )) = 1 q r. For such a vector w we have ( m i=1 λ i P i )w = 0. Linear in λ 1,...,λ m. Since n > m we can just use linear algebra. Complexity O(q r m 3 ) = O(q 12 27 3 ). 28 / 36

Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk =

Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27

Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 T

Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 6 27 w1 = F1w T,...,w6 = F6w T T ˆ= Prob(w i linearly independent) = 5 i=0 (1 qi q 6 ) < 1 1 q.

Rainbow (q,6,12,17,22,33) Improved attack (Billet, Gilbert; 2006) 6 For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 Prob(w i linearly independent) = 5 i=0 Prob (( 6 i=1 λ if i ) w = 0 ) > 1 q. T (1 qi q 6 ) < 1 1 q.

Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 Prob(w i linearly independent) = 5 i=0 (1 qi < 1 1 q. (( Prob 6 i=1 λ ) ) if i w = 0 > 1 q. Prob(random vector of type w) = 1 q 6 ( Afterwards linear algebra as in standard Minrank attack: O 27 3) T q 6 ) 29 / 36

Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 Prob(w i linearly independent) = 5 i=0 (1 qi < 1 1 q. (( Prob 6 i=1 λ ) ) if i w = 0 > 1 q. Prob(random vector of type w) = 1 q 6 ( Afterwards linear algebra as in standard Minrank attack: O 27 3) T q 6 ) O ( q 7 27 3) 29 / 36

Rainbow (2 8,18,30,42) O18 12 F k = O12 12 O12 12 F k = O12 18 O12 12 O12 12 O12 12 for 1 k 12 (first layer) for 13 k 24 (second layer) 30 / 36

Rainbow (2 8,18,30,42) O18 12 F k = O12 12 O12 12 F k = O12 18 O12 12 O12 12 O12 12 for 1 k 12 (first layer) for 13 k 24 (second layer) Direct key recovery attack 24 random public polynomials, need to find S Mat(42 42,F q ) and T Mat(24 24,F q ). Structure of F = System of polynomial equations in entries of S and T for corresponding zero coefficients. (v 1 + o 1 + o 2 ) 2 + (o 1 + o 2 ) 2 = 42 2 + 24 2 = 2340 variables. (o 1 + o 2 ) O 2 O 2 + o 1 ( (V 1 O 1 ) O 2 )+ o 1 ( O 1 O 1 ) = 7128 (non-linear )equations. Complexity: O ( 2 3608) (or: forget it!) 30 / 36

Again idea of equivalent keys Rainbow (2 8,18,30,42) 31 / 36

Again idea of equivalent keys Rainbow (2 8,18,30,42) 118 18 112 12 S = O12 12 112 12 T = O12 12 112 12 O12 18 O12 12 112 12 31 / 36

Again idea of equivalent keys Rainbow (2 8,18,30,42) 118 18 112 12 S = O12 12 112 12 T = O12 12 112 12 O12 18 O12 12 112 12 Equivalent key attack (T F S = P = T F S ) 24 random public polynomials, need to find S Mat(42 42,F q ) and T Mat(24 24,F q ). v 1 o 1 + v 1 o 2 + o 1 o 2 + o 1 o 2 = 720 variables. # equations stays the same, but o 1 V 1 O 2 are no longer cubic, but quadratic (first v 1 variables in S are set!) 2592 quadratic (bihomogeneous in s ij and t kl ) and 4536 cubic equations. Complexity: O ( 2 374) (or: still, forget it!) 31 / 36

Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 32 / 36

Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 118 18 O18 12 O18 11 112 12 O11 12 S n = O12 12 112 12 O12 11 T 1 = O12 12 112 12 O12 18 O12 12 112 12 32 / 36

Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 118 18 O18 12 O18 11 112 12 O11 12 S n = O12 12 112 12 O12 11 T 1 = O12 12 112 12 O12 18 O12 12 112 12 We can only recover zero coefficients for xn 2 terms (for all private polynomials) and for x k x n terms (for 1 k n 1 and only for first private polynomial). 32 / 36

Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 118 18 O18 12 O18 11 112 12 O11 12 S n = O12 12 112 12 O12 11 T 1 = O12 12 112 12 O12 18 O12 12 112 12 We can only recover zero coefficients for xn 2 terms (for all private polynomials) and for x k x n terms (for 1 k n 1 and only for first private polynomial). (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 32 / 36

Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 118 18 O18 12 O18 11 112 12 O11 12 S n = O12 12 112 12 O12 11 T 1 = O12 12 112 12 O12 18 O12 12 112 12 We can only recover zero coefficients for xn 2 terms (for all private polynomials) and for x k x n terms (for 1 k n 1 and only for first private polynomial). (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 = 42 variables in 65 equations? 32 / 36

Rainbow (2 8,18,30,42) Metacryptography Not breaking a system, but breaking an attack :) 33 / 36

Rainbow (2 8,18,30,42) Metacryptography Not breaking a system, but breaking an attack :) We can recover zero coefficients for x 2 n terms only for the last o 2 private polynomials and for x k x n terms only for 1 k v 1 and only for the first private polynomial. 33 / 36

Rainbow (2 8,18,30,42) Metacryptography Not breaking a system, but breaking an attack :) We can recover zero coefficients for x 2 n terms only for the last o 2 private polynomials and for x k x n terms only for 1 k v 1 and only for the first private polynomial. (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 2 quadratic equations for o 1 + 1 k o 1 + o 2 (k,n,1) v 1 quadratic equations for 1 k v 1 = 42 variables in 31 equations. 33 / 36

Rainbow (2 8,18,30,42) Fix attack by adding more rows to T : 34 / 36

Rainbow (2 8,18,30,42) Fix attack by adding more rows to T : Minimal system received with 3 rows in T and S n. v 1 + o 1 + 3 o 2 = 66 variables. 3 cubic equations, 66 quadratic equations. Complexity: Still O ( 2 231) (or: well, you know) 34 / 36

Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) 35 / 36

Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) The Rainbow band separation attack is really working out! 35 / 36

Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) The Rainbow band separation attack is really working out! (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 65 equations in 42 variables ( Complexity: O 2 95) 35 / 36

Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) The Rainbow band separation attack is really working out! (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 65 equations in 42 variables ( Complexity: O 2 95) Still not feasible, but now we have new ideas. 35 / 36

References [1] Bettale, L., Faugère, J.-C., and Perret, L. Cryptanalysis of HFE, Multi-HFE and Variants for Odd and Even Characteristic, 2011. PKC 2011 [2] Billet, O. and Gilbert, H. Cryptanalysis of Rainbow, 2006. Security and Cryptography for Networks [3] Ding, J. and Schmidt, D. Rainbow, a new multivariable polynomial signature scheme, 2005. Conference on Applied Cryptography and Network Security [4] Ding, J. and Yang, B.-Y. Multivariate Public Key Cryptography, 2009. [5] Kipnis, A. and Shamir, A. Cryptanalysis of the Oil and Vinegar Signature Scheme, 1998. Crypto 1998 [6] Matsumoto, T. and Imai, H. Public Quadratic Polynomial Tuples for Efficient Signature Verification and Message Encryption, 1988. Eurocrypt 1988 [7] Patarin, J. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 88, 1995. Crypto 1995 [8] Patarin, J. Hidden Field Equations (HFE) and Isomorphisms of Polynomials, 1996. Eurocrypt 1996 [9] Patarin, J. The Oil and Vinegar Algorithm for Signatures, 1997. presented at Dagstuhl workshop on Cryptography 1997 [10] Thomae, E. About the Security of Multivariate Quadratic Public Key Schemes, 2013. PhD thesis, Ruhr Universtiy Bochum, Germany [11] Wolf, C. and Preneel, B. Superfluous keys in Multivariate Quadratic asymmetric systems, 2004. PKC 2004 36 / 36

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback