
Improved Cryptanalysis of HFEv- via Projection

Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone. PQ Crypto 2018, Fort Lauderdale, Florida, 04/10/2018.


  1. Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto 2018 1 / 25

  2. Outline
     1. Multivariate Cryptography
     2. The HFEv- Signature Scheme
     3. Notations and Previous Work
     4. Our three new Attacks against HFEv-
     5. Conclusion

  3. Multivariate Cryptography
     $$p^{(1)}(x_1,\dots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(1)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(1)}_{i}\, x_i + p^{(1)}_{0}$$
     $$p^{(2)}(x_1,\dots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(2)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(2)}_{i}\, x_i + p^{(2)}_{0}$$
     $$\vdots$$
     $$p^{(m)}(x_1,\dots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(m)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(m)}_{i}\, x_i + p^{(m)}_{0}$$
     The security of multivariate schemes is based on the Problem MQ: Given $m$ multivariate quadratic polynomials $p^{(1)}(x),\dots,p^{(m)}(x)$, find a vector $\bar{x} = (\bar{x}_1,\dots,\bar{x}_n)$ such that $p^{(1)}(\bar{x}) = \dots = p^{(m)}(\bar{x}) = 0$.

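  4. Construction
     Decryption / Signature Generation: $w \in \mathbb{F}^m \xrightarrow{\;T\;} x \in \mathbb{F}^m \xrightarrow{\;\mathcal{F}\;} y \in \mathbb{F}^n \xrightarrow{\;U\;} z \in \mathbb{F}^n$
     Encryption / Signature Verification: $\mathcal{P}$ (between $z \in \mathbb{F}^n$ and $w \in \mathbb{F}^m$)
     - Easily invertible quadratic map $\mathcal{F}: \mathbb{F}^n \to \mathbb{F}^m$
     - Two invertible linear maps $T: \mathbb{F}^m \to \mathbb{F}^m$ and $U: \mathbb{F}^n \to \mathbb{F}^n$
     - Public key: $\mathcal{P} = T \circ \mathcal{F} \circ U$, supposed to look like a random system
     - Private key: $T$, $\mathcal{F}$, $U$, allows inverting the public key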

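  5. Big Field Signature Schemes
     Signature Generation: $w \in \mathbb{F}^n \xrightarrow{\;T^{-1}\;} x \in \mathbb{F}^n \xrightarrow{\;\bar{\mathcal{F}}^{-1}\;} y \in \mathbb{F}^n \xrightarrow{\;U^{-1}\;} z \in \mathbb{F}^n$
     The middle step runs through the extension field: $x \xrightarrow{\;\Phi\;} X \in \mathbb{E} \xrightarrow{\;\mathcal{F}^{-1}\;} Y \in \mathbb{E} \xrightarrow{\;\Phi^{-1}\;} y$
     Signature Verification: $\mathcal{P}$ (between $z \in \mathbb{F}^n$ and $w \in \mathbb{F}^n$)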

  6. HFEv- - Key Generation
     BigField + Minus Equations + Vinegar Variation
     - central map $\mathcal{F}: \mathbb{F}^v \times \mathbb{E} \to \mathbb{E}$,
       $$\mathcal{F}(X) = \sum_{0 \le i \le j}^{q^i + q^j \le D} \alpha_{ij} X^{q^i + q^j} + \sum_{i=0}^{q^i \le D} \beta_i(v_1,\dots,v_v) \cdot X^{q^i} + \gamma(v_1,\dots,v_v)$$
       $\Rightarrow \bar{\mathcal{F}} = \Phi^{-1} \circ \mathcal{F} \circ \Phi$ quadratic
     - linear maps $T: \mathbb{F}^n \to \mathbb{F}^{n-a}$ and $U: \mathbb{F}^{n+v} \to \mathbb{F}^{n+v}$ of maximal rank
     - public key: $\mathcal{P} = T \circ \bar{\mathcal{F}} \circ U: \mathbb{F}^{n+v} \to \mathbb{F}^{n-a}$
     - private key: $T$, $\mathcal{F}$, $U$

  7. Signature Generation
     Given: message (hash value) $w \in \mathbb{F}^{n-a}$
     1. Compute $x = T^{-1}(w) \in \mathbb{F}^n$ and $X = \Phi(x) \in \mathbb{E}$
     2. Choose random values for the vinegar variables $v_1,\dots,v_v$. Solve $\mathcal{F}_{v_1,\dots,v_v}(Y) = X$ over $\mathbb{E}$ via Berlekamp's algorithm
     3. Compute $y = \Phi^{-1}(Y) \in \mathbb{F}^n$ and $z = U^{-1}(y \| v_1 \| \dots \| v_v)$
     Signature: $z \in \mathbb{F}^{n+v}$.

  8. Signature Verification
     Given: signature $z \in \mathbb{F}^{n+v}$, message (hash value) $w \in \mathbb{F}^{n-a}$
     - Compute $w' = \mathcal{P}(z) \in \mathbb{F}^{n-a}$
     - Accept the signature $z \Leftrightarrow w' = w$.

  9. Direct Attack
     $$\text{Complexity}_{\text{direct}} = 3 \cdot \binom{n-a}{d_{reg}}^{2} \cdot \binom{n-a}{2}$$
     Experiments: HFEv- systems can be solved faster than random systems
     Reason: low degree of regularity
     $$d_{reg} \le \begin{cases} \dfrac{(q-1)\cdot(r+a+v-1)}{2} + 2 & q \text{ even and } r+a \text{ odd}, \\[2mm] \dfrac{(q-1)\cdot(r+a+v)}{2} + 2 & \text{otherwise}, \end{cases}$$
     with $r = \lfloor \log_q(D-1) \rfloor + 1$.
     Experiments: $d_{reg} \approx \frac{r+a+v+7}{3}$ for HFEv- systems over GF(2).

  10. Q-Rank
     Definition: Let $\mathbb{E}$ be a degree $n$ extension of the field $\mathbb{F}_q$. The Q-rank of a quadratic map $F(x)$ on $\mathbb{F}_q^n$ is the rank of the quadratic form $\phi \circ F \circ \phi^{-1}$ in $\mathbb{E}[X_0,\dots,X_{n-1}]$ via the identification $X_i = X^{q^i}$.
     - $F$: $n$ quadratic polynomials $f^{(1)},\dots,f^{(n)}$ in $\mathbb{F}_q[x_0,\dots,x_{n-1}]$
     - Interpolation $\Rightarrow F^{\star}: \sum_{i=0}^{n-1}\sum_{j=i}^{n-1} \alpha_{ij} X^{q^i} \cdot X^{q^j}$ in $\mathbb{E}[X]$
     - $X_i = X^{q^i} \rightarrow \hat{F}^{\star}: \sum_{i=0}^{n-1}\sum_{j=i}^{n-1} \alpha_{ij} X_i X_j$ in $\mathbb{E}[X_0,\dots,X_{n-1}]$
     - $\Rightarrow \hat{F}^{\star}: (X_0,\dots,X_{n-1}) \cdot M \cdot (X_0,\dots,X_{n-1})^T$
     - Q-rank($F$) = Rank($M$)
     Q-Rank is invariant under invertible affine transformations $F \to F \circ T$, but not under isomorphisms $F \to S \circ F \circ T$.

  11. Q-Rank (2)
     Definition: Let $\mathbb{E}$ be a degree $d < n$ extension field of $\mathbb{F}_q$. The min-Q-rank of a quadratic map $F: \mathbb{F}_q^n \to \mathbb{F}_q^m$ over $\mathbb{E}$ is
     $$\text{min-Q-rank}(F) = \min_{S} \max_{T} \{ \text{Q-rank}(S \circ F \circ T) \},$$
     where $S: \mathbb{F}_q^d \to \mathbb{F}_q^m$ and $T: \mathbb{F}_q^n \to \mathbb{F}_q^d$ are nonzero linear transformations.
     The min-Q-Rank of a multivariate quadratic system is invariant under isomorphisms of polynomials.

  12. The KS-attack on HFE
     Idea: Use the low min-Q-rank of the central map $\mathcal{F}$ to recover an equivalent private key
     - Lift public map $\mathcal{P}$ to the extension field $\mathbb{E}$ (polynomial interpolation)
     - Solve a MinRank Problem to find linear map $N$ with $N \circ \mathcal{P}$ of low rank
     Later Improvement (Minors Modelling): $N$ can be found by computing a Gröbner basis over $\mathbb{F}$ (and computing the variety over $\mathbb{E}$)
     $$\text{Complexity}_{\text{MinRank}} = O\left( \binom{n+r+1}{r}^{\omega} \right)$$
     with $2 < \omega \le 3$.

  13. The algebra A
     - $\mathbb{E}$: degree $n$ extension field of $\mathbb{F}$, $\theta$: primitive element of $\mathbb{E}$
     - $\phi: \mathbb{F}^n \to \mathbb{E}$, $\phi(x_0,\dots,x_{n-1}) = \sum_{i=0}^{n-1} x_i \alpha^i$ isomorphism
     - $\Phi: \mathbb{E} \to \mathbb{A}$, $\Phi(a) = (a, a^q, \dots, a^{q^{n-1}}) \in \mathbb{A} \subset \mathbb{E}^n$
     $\Rightarrow$ We can pass between elements $(x_0,\dots,x_{n-1}) \in \mathbb{F}^n$ and $(X, X^q, \dots, X^{q^{n-1}}) \in \mathbb{A}$ by right multiplication with $M_n$ and $M_n^{-1}$, where
     $$M_n = \begin{pmatrix} 1 & 1 & \dots & 1 \\ \theta & \theta^{q} & \dots & \theta^{q^{n-1}} \\ \theta^{2} & \theta^{2q} & \dots & \theta^{2q^{n-1}} \\ \vdots & \vdots & & \vdots \\ \theta^{n-1} & \theta^{(n-1)q} & \dots & \theta^{(n-1)q^{n-1}} \end{pmatrix}$$

  14. The algebra A (cont.)
     To cover the vinegar variables $v_1,\dots,v_v$, we define
     $$\widetilde{M}_n = \begin{pmatrix} M_n & 0_{n \times v} \\ 0_{v \times n} & I_v \end{pmatrix}$$
     lifting a vector $(x_0,\dots,x_{n-1},v_1,\dots,v_v) \in \mathbb{F}^n$ to an element of $\mathbb{A} \times \mathbb{F}^v$.

  15. MinRank then Projection
     We find
     $$(P_1,\dots,P_n)\, T^{-1} M_n = \left( U \widetilde{M}_n F^{\star 0} \widetilde{M}_n^{T} U^{T}, \dots, U \widetilde{M}_n F^{\star (n-1)} \widetilde{M}_n^{T} U^{T} \right),$$
     where $U$, $T$ and $P_i$ are the matrix representations of the affine transformations $U$ and $T$ and the public polynomials $P_i$, and $F^{\star i}$ is the $i$-th Frobenius power of $\mathcal{F}$ over $\mathbb{A} \times \mathbb{F}^v$.
     We find that $F^{\star 0}$ has the form
     Rank($F^{\star 0}$) $= r + a + v$

  16. MinRank then Projection (2)
     1. Apply a MinRank attack on the matrices $P_i$ (with target rank $r + a + v$)
        $\Rightarrow$ equivalent output transformation $T'$
        $\Rightarrow$ matrix $L$ representing the low Q-rank quadratic form, $L = U' \widetilde{M}_n F^{\star 0} \widetilde{M}_n^{T} U'^{T}$.
     2. Find the vinegar subspace of $L$.
        - Project $L$ to the orthogonal complement of a codimension 1 subspace of $\ker(L)$. Denote the result by $\hat{L}$.
        - Apply a further codimension one projection $\pi$ to $\hat{L}$. If there is a nontrivial intersection between $\ker(\pi)$ and the vinegar subspace, the rank of $\hat{L}$ will drop.
     $$\text{Comp}_{MP} = O\left( \binom{n+r+v}{r+a+v}^{2} \cdot \binom{n-a}{2} + (r+a+v+1)^{3} \cdot q^{r+a+1} \right).$$

  17. Project then MinRank
     1. Apply a projection $\pi$, projecting the plaintext space to a codimension $k$ subspace
     2. Apply the MinRank attack
     If there is a nontrivial intersection between $\ker(\pi)$ and the vinegar subspace, we can find a quadratic form of degree less than $r + a + v$.
     $$\text{Comp}_{PM} = O\left( q^{\,c\,(r+a+\sqrt{n-a}) - \binom{c+1}{2}} \cdot \binom{n+r+v-c}{r+a+v-c}^{2} \cdot \binom{n-a}{2} \right).$$

  18. The Distinguisher
     Observation 1:
     - Two HFEv- public keys $\mathcal{P}_1$ and $\mathcal{P}_2$ with same values for $n$, $D$ and $a$ but different values $v_1$ and $v_2$
     - Fix variables to get determined systems and solve the systems with $F_4$
     $\Rightarrow$ The step degrees of the $F_4$ algorithm will be different
     $\Rightarrow$ This also holds when guessing (not too many) additional variables (hybrid approach)

  19. The Distinguisher (2)
     Observation 2:
     - HFEv-($n$, $D$, $a$, $v$) public key $\mathcal{P}$
     - Define $V = \text{span}(T_{n+1},\dots,T_{n+v})$
     - Append $\ell \in V$ to the system $\mathcal{P}$ and apply $F_4$
     $\Rightarrow$ The so obtained system $\mathcal{P}'$ behaves exactly like an HFEv-($n-1$, $D$, $a$, $v-1$) public key.

  20. The Distinguisher (3)
     - Consider an HFEv-($n$, $D$, $a$, $v$) public key $\mathcal{P}$
     - Add the field equations $\{x_i^2 - x_i = 0\}$ to $\mathcal{P}$
     - Add randomly chosen linear equations $\ell_1,\dots,\ell_k$ to $\mathcal{P}$
     - Solve the system with $F_4$
     $\Rightarrow$ By looking at the $F_4$ step degrees, we can distinguish the two cases
     1) $\text{span}(\ell_1,\dots,\ell_k) \cap V = \emptyset$ and
     2) $\text{span}(\ell_1,\dots,\ell_k) \cap V \ne \emptyset$.
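
The complexity formulas on slides 9 and 16 can be turned into a parameter check a scheme designer would run before fixing $(n, D, a, v)$. The following Python is an added example, not code from the presentation or its authors: the function names, the rounding of $d_{reg}$ downwards and the sample parameters are assumptions made here, and results are reported as log2 of the operation counts.

```python
from math import comb, log2

def hfe_r(q, D):
    """r = floor(log_q(D - 1)) + 1, using integer arithmetic only."""
    r, power = 0, 1
    while power * q <= D - 1:
        power, r = power * q, r + 1
    return r + 1

def dreg_upper_bound(q, r, a, v):
    """Upper bound on the degree of regularity (slide 9), rounded down."""
    if q % 2 == 0 and (r + a) % 2 == 1:
        return (q - 1) * (r + a + v - 1) // 2 + 2
    return (q - 1) * (r + a + v) // 2 + 2

def dreg_experimental(r, a, v):
    """Experimental GF(2) estimate (r + a + v + 7) / 3; rounding down is an assumption."""
    return (r + a + v + 7) // 3

def direct_bits(n, a, dreg):
    """log2 of 3 * C(n-a, dreg)^2 * C(n-a, 2) (slide 9)."""
    m = n - a
    if not 0 < dreg <= m:
        raise ValueError("d_reg must lie in 1..n-a")
    return log2(3 * comb(m, dreg) ** 2 * comb(m, 2))

def minrank_projection_bits(q, n, r, a, v):
    """log2 of C(n+r+v, r+a+v)^2 * C(n-a, 2) + (r+a+v+1)^3 * q^(r+a+1) (slide 16)."""
    k = r + a + v
    return log2(comb(n + r + v, k) ** 2 * comb(n - a, 2)
                + (k + 1) ** 3 * q ** (r + a + 1))

def estimate(q, n, D, a, v):
    """Collect both estimates for one HFEv-(n, D, a, v) parameter set."""
    r = hfe_r(q, D)
    dreg = dreg_upper_bound(q, r, a, v)
    if q == 2:  # the experimental figure is only stated for GF(2)
        dreg = min(dreg, dreg_experimental(r, a, v))
    return {"r": r, "dreg": dreg,
            "direct": direct_bits(n, a, dreg),
            "minrank_projection": minrank_projection_bits(q, n, r, a, v)}

if __name__ == "__main__":
    # Constructed sample parameters, not taken from the slides.
    for v in (6, 12, 18):
        print(v, estimate(q=2, n=174, D=513, a=12, v=v))
```

Comparing the two figures per parameter set shows which attack sets the security level, and how much each added vinegar variable buys against it.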
