Improved Cryptanalysis of HFEv- via Projection

Transcription:

Improved Cryptanalysis of HFEv- via Projection
Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone
PQ Crypto 2018, Fort Lauderdale, Florida, 04/10/2018
A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto 2018 1 / 25

Outline
1 Multivariate Cryptography
2 The HFEv- Signature Scheme
3 Notations and Previous Work
4 Our three new Attacks against HFEv-
5 Conclusion

Multivariate Cryptography
$$p^{(1)}(x_1,\ldots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(1)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(1)}_{i}\, x_i + p^{(1)}_0$$
$$p^{(2)}(x_1,\ldots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(2)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(2)}_{i}\, x_i + p^{(2)}_0$$
$$\vdots$$
$$p^{(m)}(x_1,\ldots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(m)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(m)}_{i}\, x_i + p^{(m)}_0$$
The security of multivariate schemes is based on the
Problem MQ: Given $m$ multivariate quadratic polynomials $p^{(1)}(\mathbf{x}),\ldots,p^{(m)}(\mathbf{x})$, find a vector $\bar{\mathbf{x}} = (\bar{x}_1,\ldots,\bar{x}_n)$ such that $p^{(1)}(\bar{\mathbf{x}}) = \ldots = p^{(m)}(\bar{\mathbf{x}}) = 0$.

Construction
Encryption / Signature Verification (public key $P$): $z \in \mathbb{F}^n \xrightarrow{\;U\;} y \in \mathbb{F}^n \xrightarrow{\;F\;} x \in \mathbb{F}^m \xrightarrow{\;T\;} w \in \mathbb{F}^m$
Decryption / Signature Generation: the same chain inverted, from $w$ back to $z$
Easily invertible quadratic map $F: \mathbb{F}^n \to \mathbb{F}^m$
Two invertible linear maps $T: \mathbb{F}^m \to \mathbb{F}^m$ and $U: \mathbb{F}^n \to \mathbb{F}^n$
Public key: $P = T \circ F \circ U$, supposed to look like a random system
Private key: $T, F, U$, allows to invert the public key

Big Field Signature Schemes
Signature Generation: $w \in \mathbb{F}^n \xrightarrow{\;T^{-1}\;} x \in \mathbb{F}^n \xrightarrow{\;\Phi\;} X \in \mathbb{E} \xrightarrow{\;\mathcal{F}^{-1}\;} Y \in \mathbb{E} \xrightarrow{\;\Phi^{-1}\;} y \in \mathbb{F}^n \xrightarrow{\;U^{-1}\;} z \in \mathbb{F}^n$
(the inverse of the central map on $\mathbb{F}^n$ is computed as $\Phi^{-1} \circ \mathcal{F}^{-1} \circ \Phi$ in the big field $\mathbb{E}$)
Signature Verification: evaluate the public key, $w = P(z)$

HFEv- Key Generation
BigField + Minus Equations + Vinegar Variation
central map $\mathcal{F}: \mathbb{F}^v \times \mathbb{E} \to \mathbb{E}$,
$$\mathcal{F}(X) = \sum_{\substack{0 \le i \le j \\ q^i + q^j \le D}} \alpha_{ij}\, X^{q^i + q^j} + \sum_{\substack{i = 0 \\ q^i \le D}} \beta_i(v_1,\ldots,v_v)\, X^{q^i} + \gamma(v_1,\ldots,v_v)$$
$\bar{F} = \Phi^{-1} \circ \mathcal{F} \circ \Phi$ is quadratic
linear maps $T: \mathbb{F}^n \to \mathbb{F}^{n-a}$ and $U: \mathbb{F}^{n+v} \to \mathbb{F}^{n+v}$ of maximal rank
public key: $P = T \circ \bar{F} \circ U: \mathbb{F}^{n+v} \to \mathbb{F}^{n-a}$
private key: $T, \mathcal{F}, U$

Signature Generation
Given: message (hash value) $w \in \mathbb{F}^{n-a}$
1 Compute $x = T^{-1}(w) \in \mathbb{F}^n$ and $X = \Phi(x) \in \mathbb{E}$
2 Choose random values for the vinegar variables $v_1,\ldots,v_v$. Solve $\mathcal{F}_{v_1,\ldots,v_v}(Y) = X$ over $\mathbb{E}$ via Berlekamp's algorithm
3 Compute $y = \Phi^{-1}(Y) \in \mathbb{F}^n$ and $z = U^{-1}(y \,\|\, v_1 \,\|\, \ldots \,\|\, v_v)$
Signature: $z \in \mathbb{F}^{n+v}$.

Signature Verification
Given: signature $z \in \mathbb{F}^{n+v}$, message (hash value) $w \in \mathbb{F}^{n-a}$
Compute $w' = P(z) \in \mathbb{F}^{n-a}$
Accept the signature $z$ iff $w' = w$.

Direct Attack
$$\text{Complexity}_{\text{direct}} = 3 \cdot \binom{n-a}{d_{reg}}^2 \cdot \binom{n-a}{2}$$
Experiments: HFEv- systems can be solved faster than random systems
Reason: low degree of regularity
$$d_{reg} \le \begin{cases} \dfrac{(q-1)(r+a+v-1)}{2} + 2 & q \text{ even and } r+a \text{ odd},\\[2mm] \dfrac{(q-1)(r+a+v)}{2} + 2 & \text{otherwise,}\end{cases}$$
with $r = \lfloor \log_q(D-1) \rfloor + 1$.
Experiments: $d_{reg} \approx \dfrac{r+a+v+7}{3}$ for HFEv- systems over GF(2).

Q-Rank
Definition: Let $\mathbb{E}$ be a degree $n$ extension of the field $\mathbb{F}_q$. The Q-rank of a quadratic map $F(\mathbf{x})$ on $\mathbb{F}_q^n$ is the rank of the quadratic form $\phi \circ F \circ \phi^{-1}$ in $\mathbb{E}[X_0,\ldots,X_{n-1}]$ via the identification $X_i = X^{q^i}$.
$F$: $n$ quadratic polynomials $f^{(1)},\ldots,f^{(n)}$ in $\mathbb{F}_q[x_0,\ldots,x_{n-1}]$
Interpolation: $\mathcal{F} = \sum_{i=0}^{n-1}\sum_{j=i}^{n-1} \alpha_{ji}\, X^{q^i} X^{q^j}$ in $\mathbb{E}[X]$
Identification $X_i = X^{q^i}$: $\hat{F} = \sum_{i=0}^{n-1}\sum_{j=i}^{n-1} \alpha_{ij}\, X_i X_j$ in $\mathbb{E}[X_0,\ldots,X_{n-1}]$
$\hat{F} = (X_0,\ldots,X_{n-1})\, M\, (X_0,\ldots,X_{n-1})^T$
Q-rank$(F) = \text{Rank}(M)$
Q-Rank is invariant under invertible affine transformations $F \mapsto F \circ T$, but not under isomorphisms $F \mapsto S \circ F \circ T$.

Q-Rank (2)
Definition: Let $\mathbb{E}$ be a degree $d < n$ extension field of $\mathbb{F}_q$. The min-q-rank of a quadratic map $F: \mathbb{F}_q^n \to \mathbb{F}_q^m$ over $\mathbb{E}$ is
$$\text{min-q-rank}(F) = \min_{S} \max_{T} \{\text{Q-rank}(S \circ F \circ T)\},$$
where $S: \mathbb{F}_q^d \to \mathbb{F}_q^m$ and $T: \mathbb{F}_q^n \to \mathbb{F}_q^d$ are nonzero linear transformations.
The min-q-rank of a multivariate quadratic system is invariant under isomorphisms of polynomials.

The KS-attack on HFE
Idea: Use the low min-q-rank of the central map $\mathcal{F}$ to recover an equivalent private key
Lift the public map $P$ to the extension field $\mathbb{E}$ (polynomial interpolation)
Solve a MinRank problem to find a linear map $N$ with $N \circ P$ of low rank
Later improvement (Minors Modelling): $N$ can be found by computing a Gröbner basis over $\mathbb{F}$ (and computing the variety over $\mathbb{E}$)
$$\text{Complexity}_{\text{MinRank}} = O\left(\binom{n+r+1}{r}^{\omega}\right) \quad \text{with } 2 < \omega \le 3.$$

The algebra $\mathbb{A}$
$\mathbb{E}$: degree $n$ extension field of $\mathbb{F}$, $\theta$: primitive element of $\mathbb{E}$
$\phi: \mathbb{F}^n \to \mathbb{E}$, $\phi(x_0,\ldots,x_{n-1}) = \sum_{i=0}^{n-1} x_i \theta^i$, an isomorphism
$\Phi: \mathbb{E} \to \mathbb{A}$, $\Phi(a) = (a, a^q, \ldots, a^{q^{n-1}})$, $\mathbb{A} \subset \mathbb{E}^n$
We can pass between elements $(x_0,\ldots,x_{n-1}) \in \mathbb{F}^n$ and $(X, X^q, \ldots, X^{q^{n-1}}) \in \mathbb{A}$ by right multiplication with $M_n$ and $M_n^{-1}$, where
$$M_n = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ \theta & \theta^{q} & \cdots & \theta^{q^{n-1}} \\ \theta^2 & \theta^{2q} & \cdots & \theta^{2q^{n-1}} \\ \vdots & \vdots & & \vdots \\ \theta^{n-1} & \theta^{(n-1)q} & \cdots & \theta^{(n-1)q^{n-1}} \end{pmatrix}$$

The algebra $\mathbb{A}$ (cont.)
To cover the vinegar variables $v_1,\ldots,v_v$, we define
$$\tilde{M}_n = \begin{pmatrix} M_n & 0_{n \times v} \\ 0_{v \times n} & I_v \end{pmatrix}$$
lifting a vector $(x_0,\ldots,x_{n-1},v_1,\ldots,v_v) \in \mathbb{F}^{n+v}$ to an element of $\mathbb{A} \times \mathbb{F}^v$.

MinRank then Projection
We find
$$(P_1,\ldots,P_n)\, T^{-1} M_n = \left(U \tilde{M}_n F^{*0} \tilde{M}_n^T U^T,\ \ldots,\ U \tilde{M}_n F^{*(n-1)} \tilde{M}_n^T U^T\right),$$
where $U$, $T$ and $P_i$ are the matrix representations of the affine transformations $U$ and $T$ and the public polynomials $P_i$, and $F^{*i}$ is the $i$-th Frobenius power of $F$ over $\mathbb{A} \times \mathbb{F}^v$.
We find that $F^{*0}$ has the form [block matrix not reproduced in the transcription] with $\text{Rank}(F^{*0}) = r + a + v$.

MinRank then Projection (2)
1 Apply a MinRank attack on the matrices $P_i$ (with target rank $r+a+v$). This yields an equivalent output transformation $T$ and a matrix $L$ representing the low Q-rank quadratic form $L = U \tilde{M}_n F^{*0} \tilde{M}_n^T U^T$.
2 Find the vinegar subspace of $L$: project $L$ to the orthogonal complement of a codimension 1 subspace of $\ker(L)$ and denote the result by $\hat{L}$. Apply a further codimension one projection $\pi$ to $\hat{L}$. If there is a nontrivial intersection between $\ker(\pi)$ and the vinegar subspace, the rank of $\hat{L}$ will drop.
$$\text{Comp}_{MP} = O\left(\binom{n+r+v}{r+a+v}^2 \binom{n-a}{2} + (r+a+v+1)^3\, q^{r+a+1}\right).$$

Project then MinRank
1 Apply a projection $\pi$, projecting the plaintext space to a codimension $k$ subspace
2 Apply the MinRank attack
If there is a nontrivial intersection between $\ker(\pi)$ and the vinegar subspace, we can find a quadratic form of degree less than $r+a+v$.
$$\text{Comp}_{PM} = O\left(q^{\,c(r+a+n-a) - \binom{c+1}{2}} \binom{n+r+v-c}{r+a+v-c}^2 \binom{n-a}{2}\right).$$

The Distinguisher
Observation 1: Two HFEv- public keys $P_1$ and $P_2$ with the same values for $n$, $D$ and $a$ but different values $v_1$ and $v_2$
Fix variables to get determined systems and solve the systems with F4
The step degrees of the F4 algorithm will be different
This also holds when guessing (not too many) additional variables (hybrid approach)

The Distinguisher (2)
Observation 2: HFEv-$(n, D, a, v)$ public key $P$
Define $V = \text{span}(T_{n+1},\ldots,T_{n+v})$
Append $l \in V$ to the system $P$ and apply F4
The so obtained system $\tilde{P}$ behaves exactly like an HFEv-$(n-1, D, a, v-1)$ public key.

The Distinguisher (3)
Consider an HFEv-$(n, D, a, v)$ public key $P$
Add the field equations $\{x_i^2 - x_i = 0\}$ to $P$
Add randomly chosen linear equations $l_1,\ldots,l_k$ to $P$
Solve the system with F4
By looking at the F4 step degrees, we can distinguish the two cases 1) $\text{span}(l_1,\ldots,l_k) \cap V = \emptyset$ and 2) $\text{span}(l_1,\ldots,l_k) \cap V \neq \emptyset$.

The Attack
Having found $l_1,\ldots,l_k$ such that $\text{span}(l_1,\ldots,l_k) \cap V = \{\tilde{l}\}$, we can recover the private HFEv- key as follows
1 Recover the exact form of $\tilde{l} = \sum_{i=1}^{k} \lambda_i l_i$: remove $l_1$ from the system. If the distinguisher still works, the coefficient $\lambda_1$ is zero. Otherwise, $\lambda_1 = 1$. Continue this step to find all the coefficients $\lambda_i$
2 Add $\tilde{l}$ to the HFEv- system and run the distinguisher again to find another linear equation $\hat{l} \in V$. After having recovered $v$ of these linear equations the system will behave like an HFE- system.
3 Apply any attack against HFE- (e.g. [VS, PQCrypto2017]) to complete the attack.

Complexity of the Distinguisher
Complexity of the Distinguisher (finding $l \in V$) depends on
the number of distinguisher runs: $\Pr(l \in V) = 2^{-n}$, $\Pr(\text{span}(l_1,\ldots,l_k) \cap V \neq \emptyset) = 1 - (1 - 2^{-n})^{2^k} \approx 2^{k-n}$
the cost of a single run (= 1 run of F4):
$$\text{Comp}_{F4} = O\left(\binom{n+v-k}{d_{reg}}^2 \binom{n+v-k}{2}\right)$$

Complexity of the Distinguisher
$$\text{Comp}_{\text{Distinguisher; classical}} = O\left(2^{\,n-k} \binom{n+v-k}{d_{reg}}^2 \binom{n+v-k}{2}\right)$$
$$\text{Comp}_{\text{Distinguisher; quantum}} = O\left(2^{\,(n-k)/2} \binom{n+v-k}{d_{reg}}^2 \binom{n+v-k}{2}\right)$$
The cost of the remaining steps (finding the exact form of $l$ and removing the other vinegar variables from the system, breaking the remaining HFE- system) is much smaller.
A strategy to estimate $k$ and $d_{reg}$ for concrete HFEv- systems can be found in our paper.
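The cost formulas from the direct-attack, KS MinRank, MinRank-then-Projection and distinguisher slides, collected into one estimator that reports log2 costs for a parameter set. This is an added example, not code from the paper; the value omega = 2.8, the floor in the d_reg bound and the sample parameters are assumptions, and the Projection-then-MinRank bound is not included.

```python
"""Bit-cost estimates for the HFEv- attacks on the slides (added example,
not code from the paper). Binomial and q^(.) terms follow the slides;
omega = 2.8 (any 2 < omega <= 3) and the sample parameters are assumptions."""
from math import comb, log2

def hfe_rank(q, D):
    """r = floor(log_q(D - 1)) + 1, via integer powers to avoid float rounding."""
    r, power = 1, q
    while power <= D - 1:
        r, power = r + 1, power * q
    return r

def dreg_bound(q, r, a, v):
    """Upper bound on the degree of regularity of HFEv- (slides), floored."""
    if q % 2 == 0 and (r + a) % 2 == 1:
        return (q - 1) * (r + a + v - 1) // 2 + 2
    return (q - 1) * (r + a + v) // 2 + 2

def direct_attack_bits(n, a, dreg):
    """log2 of 3 * C(n-a, dreg)^2 * C(n-a, 2)  (F4 on the n-a public equations)."""
    return log2(3 * comb(n - a, dreg) ** 2 * comb(n - a, 2))

def ks_minrank_bits(n, r, omega=2.8):
    """log2 of C(n+r+1, r)^omega  (KS attack, minors modelling)."""
    return omega * log2(comb(n + r + 1, r))

def minrank_then_projection_bits(q, n, r, a, v):
    """log2 of C(n+r+v, r+a+v)^2 C(n-a, 2) + (r+a+v+1)^3 q^(r+a+1)."""
    rk = r + a + v
    return log2(comb(n + r + v, rk) ** 2 * comb(n - a, 2)
                + (rk + 1) ** 3 * q ** (r + a + 1))

def distinguisher_bits(n, v, k, dreg, quantum=False):
    """2^(n-k) classical (2^((n-k)/2) quantum) F4 runs, each costing
    C(n+v-k, dreg)^2 * C(n+v-k, 2)."""
    runs_bits = (n - k) / 2 if quantum else n - k
    return runs_bits + log2(comb(n + v - k, dreg) ** 2 * comb(n + v - k, 2))

if __name__ == "__main__":
    # constructed sample parameters (assumption, not a recommended set)
    q, n, D, a, v, k = 2, 96, 33, 4, 5, 20
    r = hfe_rank(q, D)
    d = dreg_bound(q, r, a, v)
    print(f"r={r} d_reg<={d}")
    print(f"direct={direct_attack_bits(n, a, d):.1f}  KS={ks_minrank_bits(n, r):.1f}")
    print(f"MinRank-then-Proj={minrank_then_projection_bits(q, n, r, a, v):.1f}")
    print(f"distinguisher classical={distinguisher_bits(n, v, k, d):.1f}"
          f"  quantum={distinguisher_bits(n, v, k, d, quantum=True):.1f}")
```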

Conclusion
We presented three new attacks against HFEv- using the idea of projection:
MinRank then Projection
Projection then MinRank
Distinguishing based attack
Better performance than existing attacks against some HFEv- systems (see example in the paper)
Less memory consumption than all known attacks (for all parameter sets)
New insights in the security of HFEv-
Restrictions for the parameter choice of HFEv- based schemes

The End
Thank you for your attention
Questions?