Key Recovery Attack for ZHFE

Daniel Cabarcas (1), Daniel Smith-Tone (2, 3), Javier A. Verbel (1)
(1) Universidad Nacional de Colombia, Sede Medellín, Colombia; (2) University of Louisville, USA; (3) National Institute of Standards and Technology, USA
PQCrypto, June 28, 2017. Slide deck, 23 slides; the footer "Cabarcas, Smith & Verbel, Key Recovery Attack for ZHFE, PQCrypto June 28, 2017, k / 23" appears on every slide and is shown only here.

  1. Title slide: Key Recovery Attack for ZHFE. Daniel Cabarcas (1), Daniel Smith-Tone (2, 3), Javier A. Verbel (1). PQCrypto, June 28, 2017. (1 / 23)

  2. Context
- Multivariate public-key (MPK) encryption schemes are viable in a post-quantum world.
- Some of them are based on the MQ problem.
- HFE and multi-HFE were broken by the MinRank attack.
- ZHFE is the scheme studied in this talk.

  3-4. Our contribution and related work
Our contribution:
- Show the existence of a low-rank equivalent private key.
- Show in detail how to recover a fully functional private key for ZHFE from the public key.
- Estimate the complexity of this attack.
Related work:
- Bettale, Faugère, Perret (2013), "Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic".
- Zhang, Tang (2016), "On the security and key generation of the ZHFE encryption scheme".
- Perlner, Smith-Tone (2016), "Security analysis and key modification for ZHFE".

  5. Outline
1. ZHFE encryption scheme
2. Existence of a low-rank equivalent key
3. MinRank attack on ZHFE
4. Experiments and results

  6-7. ZHFE encryption scheme
Let F be a field of size q and K an extension field of degree n over F.
HFE polynomial:
$$F(X) = \sum_{0 \le i \le j < n} a_{ij}\, X^{q^i + q^j} + \sum_{i=0}^{n-1} b_i\, X^{q^i} + c, \qquad a_{ij}, b_i, c \in K.$$
A low-degree reduction. Let F and \tilde{F} be high-degree (and high-rank) HFE polynomials for which the following relation holds in K:
$$\Psi(X) = X\left(\alpha_1 F^{q^0} + \cdots + \alpha_n F^{q^{n-1}} + \beta_1 \tilde{F}^{q^0} + \cdots + \beta_n \tilde{F}^{q^{n-1}}\right) + X^{q}\left(\alpha_{n+1} F^{q^0} + \cdots + \alpha_{2n} F^{q^{n-1}} + \beta_{n+1} \tilde{F}^{q^0} + \cdots + \beta_{2n} \tilde{F}^{q^{n-1}}\right),$$
where deg(Ψ) ≤ D for some small integer D.

  8-9. Public and secret keys
SK: a secret key is Π = (G, S, T), where G = (F, \tilde{F}), T ∈ End(F^{2n}) and S ∈ End(F^n).
PK: the public key given by Π is
$$P = T \circ \varphi_2 \circ G \circ \varphi^{-1} \circ S,$$
where φ : K → F^n is the canonical F-isomorphism and φ_2 = φ × φ.
Encryption and decryption. To encrypt a plaintext x ∈ F^n, evaluate P(x). To decrypt P(x), the map G needs to be inverted. So if G(X) = (Y_1, Y_2), the following relation holds:
$$\Psi(X) = X\left(\alpha_1 Y_1 + \alpha_2 Y_1^{q} + \cdots + \alpha_n Y_1^{q^{n-1}} + \beta_1 Y_2 + \cdots + \beta_n Y_2^{q^{n-1}}\right) + X^{q}\left(\alpha_{n+1} Y_1 + \alpha_{n+2} Y_1^{q} + \cdots + \alpha_{2n} Y_1^{q^{n-1}} + \beta_{n+1} Y_2 + \cdots + \beta_{2n} Y_2^{q^{n-1}}\right).$$
With (Y_1, Y_2) known, the right-hand side is a known polynomial of degree at most q in X and the left-hand side has degree at most D, so X is recovered as a root of a low-degree univariate polynomial over K.

  10-11. A low-rank equivalent key
Let L be the function from K^2 to K^2 given by
$$L(X, Y) = \left(\sum_{i=1}^{n} \alpha_i X^{q^{i-1}} + \sum_{i=1}^{n} \beta_i Y^{q^{i-1}},\ \sum_{i=1}^{n} \alpha_{n+i} X^{q^{i-1}} + \sum_{i=1}^{n} \beta_{n+i} Y^{q^{i-1}}\right).$$
So if (H, \tilde{H}) := L ∘ (F, \tilde{F}) and r = ⌈log_q D⌉, then
$$\operatorname{Rank}(H) \le r + 1 \qquad\text{and}\qquad \operatorname{Rank}(\tilde{H}) \le r + 1.$$
(These are exactly the two bracketed polynomials of Ψ, i.e. Ψ(X) = X·H(X) + X^q·\tilde{H}(X), so the low degree of Ψ is what constrains H and \tilde{H}.)
[Slide figure: the n × n matrices of H and \tilde{H}; their nonzero entries lie only in the first few rows and columns, the rest of each matrix being zero, which is what gives the rank bound.]

  12. If (H, \tilde{H}) = L ∘ (F, \tilde{F}) and L is non-singular (which happens with high probability), then
$$T \circ \varphi_2 \circ (F, \tilde{F}) \circ \varphi^{-1} \circ S = (T \circ R) \circ \varphi_2 \circ (H, \tilde{H}) \circ \varphi^{-1} \circ S, \qquad R = \varphi_2 \circ L^{-1} \circ \varphi_2^{-1}.$$
Hence ((F, \tilde{F}), S, T) and ((H, \tilde{H}), S, T ∘ R) are equivalent keys.
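Worked example, added here and not code from the slides or from the authors. Slides 7, 11 and 12 assert that although F and \tilde{F} are high-degree, high-rank HFE polynomials, the pair (H, \tilde{H}) = L ∘ (F, \tilde{F}) has rank at most r + 1 and is part of an equivalent key. The Python below builds a toy instance of that situation: it fixes random scalars α_i, β_i in K = GF(q^n), generates (F, \tilde{F}) as a random element of the nullspace of the GF(q)-linear system that forces deg(Ψ) ≤ D (the Frobenius a ↦ a^{q^k} is GF(q)-linear but not K-linear, which is why the system lives over GF(q)), recomputes Ψ to check its degree, and then computes the symmetric matrix of H = Σ α_k F^{q^{k-1}} + Σ β_k \tilde{F}^{q^{k-1}} and its rank over K. The parameters q = 11, n = 5, D = 121, the modulus x^5 − 2 (irreducible over GF(11)), the seed and all function names are this example's own choices; the key generation is a simplified version written for this example, not the authors' implementation. Symmetric matrices are used for the quadratic forms because q is odd.

```python
# Added example (not from the slides or the paper): toy ZHFE-style instance over K = GF(q^n) showing that although
# F, F~ are high-degree HFE polynomials, H = sum_k alpha_k F^(q^(k-1)) + sum_k beta_k F~^(q^(k-1)) has rank <= r+1.
import random
from itertools import product
q, n, D, MOD_TAIL = 11, 5, 121, 2              # K = GF(11)[x]/(x^5 - 2); x^5 - 2 is irreducible over GF(11), x^n = 2
r = next(k for k in range(n) if q ** k >= D)   # r = ceil(log_q D) = 2, so the slide's bound is rank(H) <= 3
INV2 = pow(2, q - 2, q)                        # 1/2 in GF(q), used to symmetrise quadratic-form matrices
ZERO, ONE = [0] * n, [1] + [0] * (n - 1)
# arithmetic in K: an element is the list of coefficients of 1, x, ..., x^(n-1), each reduced mod q
def k_add(a, b): return [(x + y) % q for x, y in zip(a, b)]
def k_scale(c, a): return [(c * x) % q for x in a]
def k_is_zero(a): return not any(a)
def k_mul(a, b):
    prod = [0] * (2 * n - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % q
    for e in range(2 * n - 2, n - 1, -1):      # fold x^e into x^(e-n) using x^n = MOD_TAIL
        prod[e - n] = (prod[e - n] + MOD_TAIL * prod[e]) % q
    return prod[:n]
def k_pow(a, e):
    res, base = ONE[:], a
    while e:
        if e & 1: res = k_mul(res, base)
        base, e = k_mul(base, base), e >> 1
    return res
def k_inv(a): return k_pow(a, q ** n - 2)
def k_frob(a, k): return k_pow(a, q ** k)      # Frobenius a -> a^(q^k); it is GF(q)-linear, not K-linear
FROB_BASIS = [[k_frob([int(i == j) for i in range(n)], k) for j in range(n)] for k in range(n)]  # (x^j)^(q^k)
def rref(M, zero, inv, mul, sub):
    """Reduced row echelon form over a field given by its operations; returns (R, pivot columns)."""
    M, piv = [row[:] for row in M], []
    for c in range(len(M[0])):
        p = next((i for i in range(len(piv), len(M)) if not zero(M[i][c])), None)
        if p is None: continue
        rk = len(piv); M[rk], M[p] = M[p], M[rk]
        iv = inv(M[rk][c]); M[rk] = [mul(iv, x) for x in M[rk]]
        for i in range(len(M)):
            if i != rk and not zero(M[i][c]):
                f = M[i][c]; M[i] = [sub(x, mul(f, y)) for x, y in zip(M[i], M[rk])]
        piv.append(c)
    return M, piv
K_OPS = (k_is_zero, k_inv, k_mul, lambda a, b: k_add(a, k_scale(q - 1, b)))
Q_OPS = (lambda x: x % q == 0, lambda x: pow(x, q - 2, q), lambda a, b: a * b % q, lambda a, b: (a - b) % q)
def rank_over_K(M): return len(rref(M, *K_OPS)[1])
def nullspace_mod_q(A, ncols):
    """Basis of {v : A v = 0} over GF(q), read off the reduced row echelon form of A."""
    R, piv = rref(A, *Q_OPS)
    basis = []
    for f in [c for c in range(ncols) if c not in piv]:
        v = [0] * ncols; v[f] = 1
        for i, pc in enumerate(piv): v[pc] = (-R[i][f]) % q
        basis.append(v)
    return basis
# an HFE polynomial is a dict key -> coefficient in K: ('a',i,j) for X^(q^i+q^j), ('b',i) for X^(q^i), ('c',)
KEYS = [('a', i, j) for i in range(n) for j in range(i, n)] + [('b', i) for i in range(n)] + [('c',)]
UNK = [(w, key) for w in (0, 1) for key in KEYS]  # w = 0: coefficient of F, w = 1: coefficient of F~
COL = {u: n * idx for idx, u in enumerate(UNK)}   # first GF(q)-coordinate column of each K-valued unknown
NCOLS = n * len(UNK)
def exponent(key, k, s):                          # exponent of X^(q^s) * (monomial key)^(q^k)
    return q ** s + sum(q ** ((i + k) % n) for i in key[1:])    # indices wrap mod n since X^(q^n) = X on K
def frob_matrix(gamma, k):                        # GF(q)-matrix of u -> gamma * u^(q^k); column j = image of x^j
    cols = [k_mul(gamma, fe) for fe in FROB_BASIS[k]]
    return [[cols[j][i] for j in range(n)] for i in range(n)]
def quad_matrix(terms):
    """Symmetric n x n matrix over K of the quadratic part of sum gamma * G^(q^k) over terms (G, gamma, k)."""
    M = [[ZERO[:] for _ in range(n)] for _ in range(n)]
    for coeffs, gamma, k in terms:
        for (typ, *idx), u in coeffs.items():
            if typ != 'a': continue
            i, j = (idx[0] + k) % n, (idx[1] + k) % n
            val = k_mul(gamma, k_frob(u, k))
            for a, b in {(i, j), (j, i)}:         # whole value on the diagonal, half on each side otherwise
                M[a][b] = k_add(M[a][b], val if i == j else k_scale(INV2, val))
    return M
def zhfe_lowrank_demo(seed=1):
    rng = random.Random(seed)
    alpha = [[rng.randrange(q) for _ in range(n)] for _ in range(2 * n)]   # alpha_1 .. alpha_2n in K
    beta = [[rng.randrange(q) for _ in range(n)] for _ in range(2 * n)]    # beta_1 .. beta_2n in K
    scal = lambda w, k, s: (alpha if w == 0 else beta)[k + n * s]        # scalar of X^(q^s) * G_w^(q^k) in Psi
    # key generation: with alpha, beta fixed, "deg(Psi) <= D" is GF(q)-linear in the coefficients of F and F~,
    # so (F, F~) is taken as a random element of the nullspace of that system over GF(q)
    eqs = {}
    for k, s, (w, key) in product(range(n), (0, 1), UNK):
        if (e := exponent(key, k, s)) <= D: continue     # monomials of degree <= D are allowed in Psi
        rows, Mk, b = eqs.setdefault(e, [[0] * NCOLS for _ in range(n)]), frob_matrix(scal(w, k, s), k), COL[(w, key)]
        for i in range(n): rows[i][b:b + n] = [(x + y) % q for x, y in zip(rows[i][b:b + n], Mk[i])]
    basis = nullspace_mod_q([row for rows in eqs.values() for row in rows], NCOLS); v = [0] * NCOLS
    for b in basis:
        c = rng.randrange(q); v = [(x + c * y) % q for x, y in zip(v, b)]
    G = [{key: v[COL[(w, key)]:COL[(w, key)] + n] for key in KEYS} for w in (0, 1)]   # (F, F~)
    psi = {}                                          # Psi = X*H + X^q*H~ recomputed from (F, F~) as a check
    for k, s, w in product(range(n), (0, 1), (0, 1)):
        for key, u in G[w].items():
            e = exponent(key, k, s); psi[e] = k_add(psi.get(e, ZERO), k_mul(scal(w, k, s), k_frob(u, k)))
    deg_psi = max((e for e, c in psi.items() if not k_is_zero(c)), default=0)
    rank_F = rank_over_K(quad_matrix([(G[0], ONE, 0)]))
    rank_H = rank_over_K(quad_matrix([(G[w], scal(w, k, 0), k) for w in (0, 1) for k in range(n)]))
    return {"nullity": len(basis), "deg_psi": deg_psi, "rank_F": rank_F, "rank_H": rank_H, "bound": r + 1}
if __name__ == "__main__":
    print(zhfe_lowrank_demo())   # deg_psi <= 121 and rank_H <= 3, as the slide's theorem predicts
```

Running it prints the nullity of the key-generation system (at least 75 here: 27 constrained monomials give 135 equations over GF(q) in 210 unknowns), deg_psi ≤ 121, and rank_H ≤ 3 = r + 1, whereas no such bound applies to rank_F. This is the gap the attack exploits: the public key is built from the high-rank (F, \tilde{F}), but an equivalent key with the low-rank (H, \tilde{H}) exists, and low rank is what MinRank can search for.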

  13-14. Private key and fundamental equation
Suppose P = T ∘ φ_2 ∘ (F, \tilde{F}) ∘ φ^{-1} ∘ S is a ZHFE public key, with P_1, ..., P_{2n} the matrices of its 2n quadratic components.
Fundamental equation:
$$\sum_{i=0}^{2n-1} u_{i,0}\, P_{i+1} = W F W^{\top}, \qquad \sum_{i=0}^{2n-1} u_{i,n}\, P_{i+1} = W \tilde{F} W^{\top},$$
where W := S M_n, U := T^{-1} M_{2n} = [u_{ij}], M_n is the matrix of ρ ∘ φ^{-1}, M_{2n} = Diag(M_n, M_n), and ρ : K → K^n, ρ(a) = (a, a^q, ..., a^{q^{n-1}}).
[Slide figure: the matrices of F and \tilde{F}, here taken to be the low-rank equivalent key of slide 12, with nonzero entries only in their first few rows and columns.]
Therefore u = [u_{i,0}]_i and v = [u_{i,n}]_i are solutions to the MinRank problem associated with (P_1, ..., P_{2n}) and target rank r + 1.

  15-16. Too many equivalent keys
A big set of equivalent keys. Let A : K^2 → K^2 be a non-singular linear transformation represented by
$$A^{*} = \begin{pmatrix} a_{00} & a_{01} \\ a_{10} & a_{11} \end{pmatrix},$$
and let Frob_k : K → K, Frob_k(a) = a^{q^k} (applied componentwise on K^2). If
$$G' = \mathrm{Frob}_k \circ A \circ (F, \tilde{F}) \circ \mathrm{Frob}_{n-k}, \qquad T' = T \circ \varphi_2 \circ A^{-1} \circ \mathrm{Frob}_{n-k} \circ \varphi_2^{-1}, \qquad S' = \varphi \circ \mathrm{Frob}_k \circ \varphi^{-1} \circ S,$$
then
$$T \circ \varph_2 \circ G \circ \varphi^{-1} \circ S = T' \circ \varphi_2 \circ G' \circ \varphi^{-1} \circ S',$$
so (G, S, T) and (G', S', T') are equivalent, where G = (F, \tilde{F}).

  17-18. Given a private key (G', S', T') with G' := (H, \tilde{H}), U' := T'^{-1} M_{2n} = [u'_{ij}] and W' := S' M_n,
$$\sum_{i=0}^{2n-1} u'_{i,0}\, P_{i+1} = W' H W'^{\top}, \qquad \sum_{i=0}^{2n-1} u'_{i,n}\, P_{i+1} = W' \tilde{H} W'^{\top}.$$
The matrices representing G' have the low-rank shape pictured on the previous slides, namely
$$H = \mathrm{Frob}_k\left(a_{00} F + a_{01} \tilde{F}\right), \qquad \tilde{H} = \mathrm{Frob}_k\left(a_{10} F + a_{11} \tilde{F}\right).$$
Moreover, Rank(H), Rank(\tilde{H}) ≤ r + 1.
