Bilinear Cryptanalysis of Multivariate Schemes
Pierre-Alain Fouque, Crypto Team, École normale supérieure
Joint work with Dubois, Stern, Shamir, Macario-Rat
Summary
• Matsumoto-Imai (MI) cryptosystem
• Cryptanalysis of MI by Patarin
• The SFLASH signature scheme
• First attack against SFLASH (E07)
• Second attack against the NESSIE parameters of SFLASH (C07)
• Key recovery on SFLASH (E08)
Alternative to RSA
• RSA: $f(x) = x^e \bmod N$ with $N = pq$
• MI: $F(X) = X^{q^\theta + 1}$ in the finite field $\mathrm{GF}(q^n)$
• F is a permutation iff $\gcd(q^\theta + 1, q^n - 1) = 1$
• $\mathrm{GF}(q^n)$ is a vector space over $\mathrm{GF}(q)$, $\cong \mathrm{GF}(q)^n$
• $X \mapsto X^{q^\theta}$ is a linear map on $\mathrm{GF}(q)^n$, and $F(X) = X^{q^\theta} \cdot X$ is quadratic over $\mathrm{GF}(q)^n$
• F is described as n quadratic polynomials in $(x_1, x_2, \ldots, x_n)$ where $X = (x_1, \ldots, x_n)$
MI Cryptosystem (E88)
• F: system of n quadratic polynomials $(f_1, \ldots, f_n)$ in $X = (x_1, x_2, \ldots, x_n) \in \mathrm{GF}(q)^n$, easily invertible
• Linear masking: S and T, two linear bijective maps over $\mathrm{GF}(q)^n$
• Public key: $P = T \circ \varphi^{-1} \circ F \circ \varphi \circ S$ where $\varphi$ is an isomorphism between $\mathrm{GF}(q)^n$ and $\mathrm{GF}(q^n)$
• P is also a set of n quadratic polynomials
• Secret key: S and T
MI Encryption Scheme
• For example: q = 2 and n = 128
• Encryption: computing P(M), where $M = (m_1, \ldots, m_n)$ is the plaintext in bits, is very simple and efficient even on a low-cost smartcard
• Decryption:
  • invert T
  • invert F: the inverse of $F(X) = X^{q^\theta+1}$ is $X \mapsto X^h$ with $h = (q^\theta + 1)^{-1} \bmod (q^n - 1)$ (similar to RSA decryption)
  • invert S
Security of Multivariate Schemes
• Solving a system of n polynomials over GF(2) is an NP-hard problem
• No known polynomial-time quantum algorithm, contrary to DL- or RSA-based systems
• S and T hide an easy instance of this generic problem
• Generic tool: Gröbner-basis-based algorithms
  • exponential complexity in time/space
Patarin's Cryptanalysis (C95)
• $B = F(A) = A^{q^\theta + 1}$, so $B^{q^\theta - 1} = A^{q^{2\theta} - 1}$
• $A \cdot B^{q^\theta} - A^{q^{2\theta}} \cdot B = 0$
• n bilinear relations over GF(q) between the coordinates of A and B
• Chain of maps: $X \xrightarrow{S} A \xrightarrow{F} B \xrightarrow{T} Y$
• n bilinear relations between X (plaintext) and Y (ciphertext): $b_k(x_1, \ldots, x_n, y_1, \ldots, y_n) = 0$
Patarin's Cryptanalysis (continued)
• $b_k(x_1, \ldots, x_n, y_1, \ldots, y_n) = \sum_{i,j} \alpha_{i,j,k} x_i y_j + \sum_i \beta_{i,k} x_i + \sum_j \gamma_{j,k} y_j + \delta_k$
• Find the n bilinear relations using $(n+1)^2$ pairs (X = plaintext, Y = ciphertext)
• This is a linear system in the unknowns $\alpha, \beta, \gamma, \delta$, which has an n-dimensional kernel
• To decrypt any ciphertext, it suffices to solve a linear system in $(x_1, \ldots, x_n)$, since $\alpha, \beta, \gamma, \delta$ and y are known
SFLASH Signature
• Proposed by Patarin, Goubin, and Courtois (2000)
• Idea: remove some equations from the public key (Shamir 93), i.e. erase r rows of T, giving $T_r$
• Also called the $C^{*-}$ scheme
• The removed equations are kept in the secret key
• To sign a message, try to invert the system with random values for the missing coordinates
• When too many equations are removed, the scheme can only be used for signature (not encryption)
SFLASH
• Claimed security: $q^r$ where r = number of missing equations
• NESSIE parameters: n > 3r, n prime

  Version | q   | n  | θ  | r  | Security (log₂)
  v2      | 128 | 37 | 11 | 11 | 77
  v3      | 128 | 67 | 33 | 11 | 77
First attack against SFLASH (Eurocrypt 07)
Main idea of the attacks
• Reconstruct the missing polynomials
• $F \circ S$ is a system of n quadratic polynomials
• T's action: linear combinations over GF(q) of the $F \circ S$ polynomials
• Goal: find other linear combinations of $F \circ S$, independent of those of the truncated public key...
• Then apply Patarin's attack
Final stage of the attack
• Goal: find linear combinations of $F \circ S$ independent of those of the truncated PK, $P_r$
• Find N such that $N = S^{-1} M_\xi S$, where $M_\xi$ is the matrix of multiplication by $\xi$ in $\mathrm{GF}(q^n)$
• $P_r \circ N_\xi = (T_r \circ F \circ S) \circ (S^{-1} \circ M_\xi \circ S) = T_r \circ F \circ M_\xi \circ S$
• $F \circ M_\xi = M_{F(\xi)} \circ F$ since $F(\xi X) = F(\xi) F(X)$
• $P_r \circ N_\xi = (T_r \circ M_{F(\xi)}) \circ F \circ S$ gives (n-r) linear combinations of $F \circ S$, some of them independent of those of $P_r$ provided $\xi \notin \mathrm{GF}(q)$
Differential Cryptanalysis
• $DF(X,Y) = F(X+Y) - F(X) - F(Y) + F(0)$
• Since F is quadratic, DF is bilinear!
• $DF(X,Y) = X^{q^\theta} Y + X Y^{q^\theta}$, a symmetric bilinear map
• $DP(X,Y) = T(DF(S(X), S(Y)))$
• Each coordinate of the PK is a bilinear map
• Multiplicative property: $DF(\xi X, Y) + DF(X, \xi Y) = (\xi + \xi^{q^\theta}) DF(X,Y)$
Studying bilinear maps
• Mathematicians usually study bilinear maps through the linear maps called skew-symmetric maps for them
• L is a skew-symmetric map for a bilinear map B(x,y) iff $B(Lx, y) = B(x, Ly)$
• Skew-symmetric maps for DF are exactly some multiplications $M_\xi$ by $\xi$, since F is multiplicative, and if $\gcd(n, \theta) > 1$ there exists $\xi$ s.t. $\xi + \xi^{q^\theta} = 0$
• For DP, they are conjugates of $M_\xi$: $N = S^{-1} M_\xi S$
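The following is an added example, not code from the slides or from the authors: it builds arithmetic in GF(2^9) and checks the algebra behind Patarin's relation and the differential multiplicative property above, in the case gcd(n, θ) > 1 where a multiplier ξ ∉ GF(q) with ξ + ξ^(q^θ) = 0 exists. The field polynomial x^9 + x^4 + 1 and the choice θ = 3 are assumptions made for the example.

```python
# GF(2^9) from the irreducible trinomial x^9 + x^4 + 1 (assumed choice); theta = 3
# gives gcd(n, theta) = 3 > 1 while F stays a permutation, as gcd(9, 511) = 1.
N, THETA = 9, 3
MOD = (1 << N) | (1 << 4) | 1
QT = 1 << THETA                      # q^theta with q = 2

def mul(a, b):
    """Product in GF(2^n): carry-less multiply, reducing by MOD bit by bit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r

def power(a, e):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = mul(r, a)
        a, e = mul(a, a), e >> 1
    return r

def F(x):
    """Matsumoto-Imai monomial F(X) = X^(q^theta + 1)."""
    return power(x, QT + 1)

def patarin_relation_holds(a):
    """Patarin (C95): B = F(A) satisfies A * B^(q^theta) = A^(q^(2 theta)) * B."""
    b = F(a)
    return mul(a, power(b, QT)) == mul(power(a, QT * QT), b)

def DF(x, y):
    """F(X+Y) - F(X) - F(Y) + F(0); in char 2 this is X^(q^theta) Y + X Y^(q^theta)."""
    return F(x ^ y) ^ F(x) ^ F(y) ^ F(0)

def multiplicative_property_holds(xi, x, y):
    """DF(xi X, Y) + DF(X, xi Y) = (xi + xi^(q^theta)) DF(X, Y)."""
    lhs = DF(mul(xi, x), y) ^ DF(x, mul(xi, y))
    return lhs == mul(xi ^ power(xi, QT), DF(x, y))

def skew_symmetric_multipliers():
    """xi with xi + xi^(q^theta) = 0 (the subfield GF(2^gcd(n,theta))): M_xi is skew-symmetric for DF."""
    return [xi for xi in range(1 << N) if xi ^ power(xi, QT) == 0]
```

With n = 9 and θ = 3 the multipliers found are the 8 elements of GF(8) inside GF(512), six of which lie outside GF(2); with n prime only 0 and 1 would appear, which is the obstacle the C07 attack works around.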
Second Attack on NESSIE Parameters (Crypto 07)
NESSIE Parameters
• Since n is prime, there is no element $\xi \notin \mathrm{GF}(q)$ s.t. $\xi + \xi^{q^\theta} = 0$
• We have to find other (or any) multiplications
• We still have the equation $DF(\xi X, Y) + DF(X, \xi Y) = (\xi + \xi^{q^\theta}) DF(X,Y)$
• $DP(N(X), Y) + DP(X, N(Y)) = (T(\xi + \xi^{q^\theta})T^{-1}) \circ DP(X,Y) = L \circ DP(X,Y)$
SFLASH Attack
• Let B be the vector space of symmetric bilinear forms, of dimension n(n-1)/2
• Let $\mathrm{Vect}(DP_1, \ldots, DP_n)$ be the n-dimensional vector space spanned by the n forms of the PK
• If N is a multiplication, then for each coordinate i: $DP_i(N(X), Y) + DP_i(X, N(Y)) \in \mathrm{Vect}(DP_1, \ldots, DP_n)$
• This gives n(n-1)/2 linear relations on the unknown entries of N
Problem of a truncated public key
• We don't know $\mathrm{Vect}(DP_1, \ldots, DP_n)$, since we have only (n-r) polynomials in the PK,
• ... but we know the subspace $\mathrm{Vect}(DP_1, \ldots, DP_{n-r})$
• One bilinear form $DP_i(N(X), Y) + DP_i(X, N(Y))$ will be in $\mathrm{Vect}(DP_1, \ldots, DP_{n-r})$ with probability $1/q^r$
• No characterization property holds: the N found are not always conjugates of multiplications, and not all conjugates are found
• but 3 equations characterize some conjugates, and if n - 3r > 1 we find only conjugates of multiplications
Recovering the secret keys (E08)
• N is a conjugate of a multiplication $M: X \mapsto \xi X$ by the secret matrix S: $N = S^{-1} M S$
• If M is known, we can linearize the system $SN = MS$ and solve for S
• The minimal polynomial of N has $\xi$ as a root, together with all the conjugates of $\xi$
• Any conjugate will give a possible M and an equivalent secret key
Conclusion and open problems
• Bilinear algebra appears to be well suited to cryptanalyzing multivariate cryptosystems
• Breaking HFE, where the monomial $X^{q^\theta + 1}$ is replaced by a quadratic polynomial of small degree, $\sum_{i,j < D} p_{i,j} X^{q^i + q^j}$?