Multivariate Cryptography Part 3: HFE (Hidden Field Equations) - PowerPoint PPT Presentation

  1. Multivariate Cryptography Part 3: HFE (Hidden Field Equations)
     Albrecht Petzoldt
     PQCrypto Summer School 2017, Eindhoven, Netherlands
     Friday, 23.06.2017
     A. Petzoldt, Multivariate Cryptography, PQCrypto Summer School, 1 / 53

  2. Reminder: Construction of MPKCs
     Easily invertible quadratic map $\mathcal{F}: \mathbb{F}^n \to \mathbb{F}^m$ (central map)
     Two invertible linear maps $\mathcal{S}: \mathbb{F}^m \to \mathbb{F}^m$ and $\mathcal{T}: \mathbb{F}^n \to \mathbb{F}^n$
     Public key: $\mathcal{P} = \mathcal{S} \circ \mathcal{F} \circ \mathcal{T}$, supposed to look like a random system
     Private key: $\mathcal{S}, \mathcal{F}, \mathcal{T}$, allows to invert the public key

  3. Workflow
     [Diagram] Decryption / Signature Generation (top row, left to right):
     $w \in \mathbb{F}^m \xrightarrow{\;\mathcal{S}^{-1}\;} x \in \mathbb{F}^m \xrightarrow{\;\mathcal{F}^{-1}\;} y \in \mathbb{F}^n \xrightarrow{\;\mathcal{T}^{-1}\;} z \in \mathbb{F}^n$
     Encryption / Signature Verification (bottom arrow): $z \xrightarrow{\;\mathcal{P}\;} w$

  4. Big Field Schemes
     Central map $\mathcal{F}$ is defined over a degree $n$ extension field $\mathbb{E}$ of $\mathbb{F}$
     $\bar{\mathcal{F}} = \Phi^{-1} \circ \mathcal{F} \circ \Phi : \mathbb{F}^n \to \mathbb{F}^n$ quadratic
     [Diagram] Decryption / Signature Generation:
     $w \in \mathbb{F}^n \xrightarrow{\;\mathcal{S}^{-1}\;} x \in \mathbb{F}^n \xrightarrow{\;\Phi\;} X \in \mathbb{E} \xrightarrow{\;\mathcal{F}^{-1}\;} Y \in \mathbb{E} \xrightarrow{\;\Phi^{-1}\;} y \in \mathbb{F}^n \xrightarrow{\;\mathcal{T}^{-1}\;} z \in \mathbb{F}^n$
     (the combined step $x \to y$ is $\bar{\mathcal{F}}^{-1}$)
     Encryption / Signature Verification: $z \xrightarrow{\;\mathcal{P}\;} w$

  5. Extension Fields
     $\mathbb{F}_q$: finite field with $q$ elements
     $g(X)$ irreducible polynomial in $\mathbb{F}[X]$ of degree $n$
     $\Rightarrow \mathbb{F}_{q^n} \cong \mathbb{F}[X]/\langle g(X) \rangle$, finite field with $q^n$ elements
     isomorphism $\phi: \mathbb{F}_q^n \to \mathbb{F}_{q^n}$, $(a_1, \ldots, a_n) \mapsto \sum_{i=1}^{n} a_i \cdot X^{i-1}$
     Addition in $\mathbb{F}_{q^n}$: addition in $\mathbb{F}_q[X]$
     Multiplication in $\mathbb{F}_{q^n}$: multiplication in $\mathbb{F}_q[X]$ modulo $g(X)$

  6. Example: The field GF(2^2)
     Start with the field $\mathbb{F}_2 = \{0, 1\}$ of two elements
     Choose an irreducible polynomial $g(X)$ of degree 2 in $\mathbb{F}_2[X]$, i.e. $g(X) = X^2 + X + 1$
     $\mathbb{F}_2[X]/\langle X^2 + X + 1 \rangle = \{0, 1, X, X + 1\}$
     $\Rightarrow \mathbb{F}_{2^2} \cong \{0, 1, w, w^2\}$ for a root $w$ of $g(X)$ (so $w^2 = w + 1$)

       +   |  0    1    w    w^2          x   |  0    1    w    w^2
       ----+----------------------        ----+----------------------
       0   |  0    1    w    w^2          0   |  0    0    0    0
       1   |  1    0    w^2  w            1   |  0    1    w    w^2
       w   |  w    w^2  0    1            w   |  0    w    w^2  1
       w^2 |  w^2  w    1    0            w^2 |  0    w^2  1    w
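The extension-field construction of slide 5 and the GF(4) tables of slide 6, as an added Python example (not code from the slides or from the presenter): it builds $\mathbb{F}_q[X]/\langle g(X) \rangle$ for a prime $q$ in the coefficient-vector representation of slide 5, searches for a generator $w$, and prints the addition and multiplication tables in the order $0, 1, w, w^2, \ldots$. The function names and the GF(9) check are my own; the construction works for any prime $q$ and irreducible $g$, not only for GF(4).

```python
# Added example, not code from the slides: GF(q^n) = F_q[X]/<g(X)> for a prime q and an
# irreducible g (slide 5), with the operation tables of slide 6 for GF(4) = F_2[X]/<X^2+X+1>.
from itertools import product

def poly_mulmod(a, b, g, q):
    """Product of polynomials a, b (coefficient lists, lowest degree first) over F_q,
    reduced modulo the monic polynomial g of degree n = len(g) - 1."""
    n = len(g) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    for k in range(len(prod) - 1, n - 1, -1):   # rewrite X^k (k >= n) via lower powers
        c, prod[k] = prod[k], 0
        for t in range(n):                       # X^n = -(g_0 + g_1 X + ... + g_{n-1} X^{n-1})
            prod[k - n + t] = (prod[k - n + t] - c * g[t]) % q
    return prod[:n]

def poly_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def find_generator(q, g):
    """First element (in enumeration order) whose powers hit every nonzero element;
    such an element exists exactly when F_q[X]/<g> is a field, i.e. g is irreducible."""
    n = len(g) - 1
    one = [1] + [0] * (n - 1)
    for cand in product(range(q), repeat=n):
        cand = list(cand)
        if not any(cand):
            continue
        seen, x = set(), one
        for _ in range(q ** n - 1):
            seen.add(tuple(x))
            x = poly_mulmod(x, cand, g, q)
        if len(seen) == q ** n - 1:
            return cand
    raise ValueError("no generator: g is not irreducible over F_q")

def ordered_elements(q, g):
    """Field elements listed as 0, 1, w, w^2, ... for a generator w, with display names."""
    n = len(g) - 1
    w = find_generator(q, g)
    elems, names, x = [[0] * n], ["0"], [1] + [0] * (n - 1)
    for k in range(q ** n - 1):
        elems.append(x)
        names.append({0: "1", 1: "w"}.get(k, f"w^{k}"))
        x = poly_mulmod(x, w, g, q)
    return elems, names

def op_table(q, g, op):
    """Table of a binary operation over ordered_elements, entries given by name."""
    elems, names = ordered_elements(q, g)
    name_of = {tuple(e): nm for e, nm in zip(elems, names)}
    return [[name_of[tuple(op(a, b))] for b in elems] for a in elems]

def add_table(q, g):
    return op_table(q, g, lambda a, b: poly_add(a, b, q))

def mul_table(q, g):
    return op_table(q, g, lambda a, b: poly_mulmod(a, b, g, q))

if __name__ == "__main__":
    q, g = 2, [1, 1, 1]                       # GF(4): g(X) = 1 + X + X^2, low degree first
    _, names = ordered_elements(q, g)
    for sym, tab in (("+", add_table(q, g)), ("x", mul_table(q, g))):
        print(sym.rjust(4), *(nm.rjust(4) for nm in names))
        for nm, row in zip(names, tab):
            print(nm.rjust(4), *(e.rjust(4) for e in row))
        print()
```

Running the file prints the two tables of slide 6 in the same element order; `find_generator` doubles as an irreducibility check, since a reducible $g$ gives a ring with zero divisors and no element of multiplicative order $q^n - 1$.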

  7. The HFE Cryptosystem [Pa96]
     “Hidden Field Equations”, proposed by Patarin in 1995
     BigField scheme
     can be used both for encryption and signatures
     finite field $\mathbb{F}$, extension field $\mathbb{E}$ of degree $n$, isomorphism $\Phi: \mathbb{F}^n \to \mathbb{E}$

  8. HFE - Key Generation
     central map $\mathcal{F}: \mathbb{E} \to \mathbb{E}$,
     $$\mathcal{F}(X) = \sum_{\substack{0 \le i \le j \\ q^i + q^j \le D}} \alpha_{ij} X^{q^i + q^j} + \sum_{\substack{i = 0 \\ q^i \le D}} \beta_i \cdot X^{q^i} + \gamma$$
     $\Rightarrow \bar{\mathcal{F}} = \Phi^{-1} \circ \mathcal{F} \circ \Phi: \mathbb{F}^n \to \mathbb{F}^n$ quadratic
     degree bound $D$ needed for efficient decryption / signature generation
     linear maps $\mathcal{S}, \mathcal{T}: \mathbb{F}^n \to \mathbb{F}^n$
     public key: $\mathcal{P} = \mathcal{S} \circ \bar{\mathcal{F}} \circ \mathcal{T}: \mathbb{F}^n \to \mathbb{F}^n$
     private key: $\mathcal{S}, \mathcal{F}, \mathcal{T}$

  9. Encryption
     Given: message (plaintext) $z \in \mathbb{F}^n$
     Compute ciphertext $w \in \mathbb{F}^n$ by $w = \mathcal{P}(z)$.

  10. Decryption
     Given: ciphertext $w \in \mathbb{F}^n$
     1. Compute $x = \mathcal{S}^{-1}(w) \in \mathbb{F}^n$ and $X = \Phi(x) \in \mathbb{E}$
     2. Solve $\mathcal{F}(Y) = X$ over $\mathbb{E}$ via Berlekamp’s algorithm
     3. Compute $y = \Phi^{-1}(Y) \in \mathbb{F}^n$ and $z = \mathcal{T}^{-1}(y)$
     Plaintext: $z \in \mathbb{F}^n$.

  11. Remark
     HFE central map is not bijective
     $\Rightarrow$ Decryption process does not necessarily produce a unique solution
     $\Rightarrow$ Use redundancy in the plaintext

  12. Signature Generation
     Given: message $d$
     1. Use hash function $H: \{0, 1\}^\star \to \mathbb{F}^n$ to compute $w = H(d)$
     2. Compute $x = \mathcal{S}^{-1}(w) \in \mathbb{F}^n$ and $X = \Phi(x) \in \mathbb{E}$
     3. Solve $\mathcal{F}(Y) = X$ over $\mathbb{E}$ via Berlekamp’s algorithm
     4. Compute $y = \Phi^{-1}(Y) \in \mathbb{F}^n$ and $z = \mathcal{T}^{-1}(y)$
     Signature: $z \in \mathbb{F}^n$.

  13. Signature Verification
     Given: signature $z \in \mathbb{F}^n$, message $d$
     Compute $w = H(d) \in \mathbb{F}^n$
     Compute $w' = \mathcal{P}(z) \in \mathbb{F}^n$
     Accept the signature $z \Leftrightarrow w' = w$.

  14. Remark
     HFE central map is not bijective
     $\Rightarrow$ Signature generation process does not output a signature for every input message
     $\Rightarrow$ Append a counter to the message $d$

  15. The Attack of Kipnis and Shamir [KS99]
     Idea: Look at the scheme over the extension field $\mathbb{E}$
     the linear maps $\mathcal{S}$ and $\mathcal{T}$ relate to univariate maps
     $S^\star(X) = \sum_{i=0}^{n-1} s_i \cdot X^{q^i}$ and $T^\star(X) = \sum_{i=0}^{n-1} t_i \cdot X^{q^i}$ with (unknown) coefficients $s_i$ and $t_i \in \mathbb{E}$.
     the public key $P^\star$ can be expressed as
     $$P^\star(X) = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} p^\star_{ij} X^{q^i + q^j} = \underline{X} \cdot P^\star \cdot \underline{X}^T,$$
     where $P^\star = [p^\star_{ij}]$ and $\underline{X} = (X^{q^0}, X^{q^1}, \ldots, X^{q^{n-1}})$.
     The components of the matrix $P^\star$ can be found by polynomial interpolation.

  16. The attack of Kipnis and Shamir (2)
     the relation $P^\star(X) = S^\star \circ \mathcal{F} \circ T^\star(X)$ yields $(S^\star)^{-1} \circ P^\star(X) = \mathcal{F} \circ T^\star(X)$ and
     $$\tilde{P} = \sum_{k=0}^{n-1} s_k \cdot G^\star_k = W \cdot F \cdot W^T$$
     with $G^\star_k = [g^\star_k]$, $g^\star_k = \left(p^\star_{i-k \bmod n,\; j-k \bmod n}\right)^{q^k}$, and $W = [w_{ij}]$, $w_{ij} = s_{j-i \bmod n}^{\,q^i}$.
     We know that $F$ has the form $F = \begin{pmatrix} \star & 0 \\ 0 & 0 \end{pmatrix}$.
     $\Rightarrow \mathrm{Rank}(F) \le r$ with $r = \lfloor \log_q (D - 1) \rfloor + 1$.
     $\Rightarrow \mathrm{Rank}(W \cdot F \cdot W^T) \le r$
     $\Rightarrow$ We can recover the coefficients $s_k$ by solving a MinRank problem over the extension field $\mathbb{E}$.

  17. MinRank attack on HFE
     Computing the map $P^\star$ is very costly
     $\Rightarrow$ The attack of Kipnis and Shamir is not very efficient.
     Work of Bettale et al.: Perform the MinRank attack without recovering $P^\star$
     $\Rightarrow$ HFE can be broken by using a MinRank problem over the base field $\mathbb{F}$.
     $$\text{Complexity}_{\text{MinRank}} = \binom{n + r}{r}^{\omega}$$
     with $2 < \omega \le 3$ and $r = \lfloor \log_q (D - 1) \rfloor + 1$.

  18. Direct Attacks
     Experiments: Public systems of HFE can be solved much faster than random systems
     Theoretical explanation: Upper bound for $d_{\mathrm{reg}}$
     $$d_{\mathrm{reg}} \le \begin{cases} \dfrac{(q-1) \cdot (r-1)}{2} + 2 & q \text{ even and } r \text{ odd}, \\[4pt] \dfrac{(q-1) \cdot r}{2} + 2 & \text{otherwise}, \end{cases}$$
     with $r = \lfloor \log_q (D - 1) \rfloor + 1$.
     $\Rightarrow$ Basic version of HFE is not secure
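The rank bound $r$ of slides 16-18 and the two cost formulas of slides 17 and 18, as an added Python example (not code from the slides): $r$ is computed with integer arithmetic rather than a floating-point logarithm, the index set $\{(i, j) : q^i + q^j \le D\}$ of the central map on slide 8 is checked to lie inside the top-left $r \times r$ block (which is why $\mathrm{Rank}(F) \le r$), and the MinRank cost and the $d_{\mathrm{reg}}$ bound are evaluated for constructed parameter sets. Function names and the parameter sets are my own.

```python
# Added example, not code from the slides: the rank bound r = floor(log_q(D-1)) + 1 of
# slides 16-18, checked against the support of the HFE central map, plus the MinRank
# cost of slide 17 and the d_reg bound of slide 18. Parameter sets below are constructed.
import math

def hfe_rank_bound(q, D):
    """r = floor(log_q(D - 1)) + 1, computed with integers (no float log rounding)."""
    if D < 2:
        raise ValueError("HFE needs a degree bound D >= 2")
    e = 0
    while q ** (e + 1) <= D - 1:
        e += 1
    return e + 1

def central_map_support(q, D):
    """Index pairs (i, j), i <= j, with q^i + q^j <= D: the only positions at which a
    coefficient alpha_ij of the central map on slide 8 can be nonzero."""
    t = 0
    while q ** (t + 1) <= D:
        t += 1
    return [(i, j) for i in range(t + 1) for j in range(i, t + 1) if q ** i + q ** j <= D]

def support_fits_in_r_block(q, D):
    """Slide 16: every alpha_ij sits in the top-left r x r block of the matrix of F in the
    basis (X, X^q, ..., X^(q^(n-1))), hence Rank(F) <= r regardless of n."""
    r = hfe_rank_bound(q, D)
    return all(j < r for _, j in central_map_support(q, D))

def minrank_complexity(n, r, omega):
    """Slide 17: binom(n + r, r)^omega field operations, with 2 < omega <= 3."""
    return math.comb(n + r, r) ** omega

def dreg_bound(q, r):
    """Slide 18: upper bound on the degree of regularity of the HFE public system."""
    if q % 2 == 0 and r % 2 == 1:
        return (q - 1) * (r - 1) // 2 + 2      # always an integer: r - 1 is even here
    return (q - 1) * r // 2 + 2                # (q - 1) * r is even in every other case

if __name__ == "__main__":
    for q, n, D in ((2, 103, 129), (4, 3, 17), (3, 40, 100)):   # constructed parameter sets
        r = hfe_rank_bound(q, D)
        bits = math.log2(minrank_complexity(n, r, 2))
        print(f"q={q} n={n} D={D}: r={r}, support inside r-block={support_fits_in_r_block(q, D)}, "
              f"MinRank ~ 2^{bits:.1f} (omega=2), d_reg <= {dreg_bound(q, r)}")
```

Because $r$ depends on $D$ but not on $n$, the output illustrates the design tension of slides 17 and 18: a small $D$ keeps Berlekamp cheap but makes both the MinRank cost and the $d_{\mathrm{reg}}$ bound small.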

  19. HFE Variants
     Encryption Schemes
       IPHFE+ (not very efficient)
       ZHFE (→ this conference)
       HFE- (for small minus parameter; → this conference)
     Signature Schemes
       HFEv-, Gui
       MHFEv (→ this conference)

  21. HFEv- - Key Generation
     finite field $\mathbb{F}$, extension field $\mathbb{E}$ of degree $n$, isomorphism $\Phi: \mathbb{F}^n \to \mathbb{E}$
     central map $\mathcal{F}: \mathbb{F}^v \times \mathbb{E} \to \mathbb{E}$,
     $$\mathcal{F}(X) = \sum_{\substack{0 \le i \le j \\ q^i + q^j \le D}} \alpha_{ij} X^{q^i + q^j} + \sum_{\substack{i = 0 \\ q^i \le D}} \beta_i(v_1, \ldots, v_v) \cdot X^{q^i} + \gamma(v_1, \ldots, v_v)$$
     $\Rightarrow \bar{\mathcal{F}} = \Phi^{-1} \circ \mathcal{F} \circ (\Phi \times \mathrm{id}_v)$ quadratic map: $\mathbb{F}^{n+v} \to \mathbb{F}^n$
     linear maps $\mathcal{S}: \mathbb{F}^n \to \mathbb{F}^{n-a}$ and $\mathcal{T}: \mathbb{F}^{n+v} \to \mathbb{F}^{n+v}$ of maximal rank
     public key: $\mathcal{P} = \mathcal{S} \circ \bar{\mathcal{F}} \circ \mathcal{T}: \mathbb{F}^{n+v} \to \mathbb{F}^{n-a}$
     private key: $\mathcal{S}, \mathcal{F}, \mathcal{T}$

  22. Signature Generation
     Given: message (hash value) $w \in \mathbb{F}^{n-a}$
     1. Compute $x = \mathcal{S}^{-1}(w) \in \mathbb{F}^n$ and $X = \Phi(x) \in \mathbb{E}$
     2. Choose random values for the vinegar variables $v_1, \ldots, v_v$; solve $\mathcal{F}_{v_1, \ldots, v_v}(Y) = X$ over $\mathbb{E}$ via Berlekamp’s algorithm
     3. Compute $y = \Phi^{-1}(Y) \in \mathbb{F}^n$ and $z = \mathcal{T}^{-1}(y \,\|\, v_1 \,\|\, \ldots \,\|\, v_v)$
     Signature: $z \in \mathbb{F}^{n+v}$.

  23. Signature Verification
     Given: signature $z \in \mathbb{F}^{n+v}$, message (hash value) $w \in \mathbb{F}^{n-a}$
     Compute $w' = \mathcal{P}(z) \in \mathbb{F}^{n-a}$
     Accept the signature $z \Leftrightarrow w' = w$.

  24. Workflow of HFEv-
     [Diagram] Signature Generation (top row, left to right):
     $w \in \mathbb{F}^{n-a} \xrightarrow{\;\mathcal{S}^{-1}\;} x \in \mathbb{F}^n \xrightarrow{\;\Phi\;} X \in \mathbb{E} \xrightarrow{\;\mathcal{F}^{-1}\;} Y \in \mathbb{E} \xrightarrow{\;\Phi^{-1}\;} y \in \mathbb{F}^{n+v} \xrightarrow{\;\mathcal{T}^{-1}\;} z \in \mathbb{F}^{n+v}$
     with the vinegar values $v_1, \ldots, v_v$ fed into $\mathcal{F}^{-1}$; the combined step $x \to y$ is $\bar{\mathcal{F}}^{-1}$
     Signature Verification (bottom arrow): $z \xrightarrow{\;\mathcal{P}\;} w$
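The HFE workflow of slides 8-14 and the HFEv- workflow of slides 21-24, as an added Python example (not code from the slides or from the presenter). It assumes $q = 2$ and replaces Berlekamp’s algorithm by an exhaustive search over the 128 elements of a toy field $\mathbb{E} = GF(2^7)$, which is only feasible because $n$ is tiny; $\mathcal{S}$ and $\mathcal{T}$ are random invertible matrices over $\mathbb{F}_2$, $\Phi$ is the identity on bit vectors, and the minus modifier is realised by publishing only the first $n - a$ outputs of $\mathcal{S}$. With $a = v = 0$ the same code is plain HFE (encryption, decryption with several candidate plaintexts, signing with a counter); with $a = v = 1$ it is HFEv-. The parameter values, the hash (SHA-256 truncated to $n - a$ bits) and the message are constructed, and all function names are my own.

```python
# Added example, not code from the slides: a toy HFEv- over E = GF(2^n) in which the
# central map is inverted by brute force over E in place of Berlekamp's algorithm (an
# assumption made for the toy). a = v = 0 gives the plain HFE of slides 8-14, a, v > 0
# the HFEv- of slides 21-24. All parameter values and messages are constructed.
import hashlib, random
from collections import namedtuple
from functools import reduce
from operator import xor

Params = namedtuple("Params", "n D a v mod")
HFE_TOY = Params(n=7, D=9, a=0, v=0, mod=0b10000011)    # E = F_2[X]/<X^7 + X + 1>
HFEV_TOY = Params(n=7, D=9, a=1, v=1, mod=0b10000011)

def gf_mul(a, b, p):                        # bit i of an int = coefficient of X^i, so Phi = identity
    r = 0
    while b:
        r ^= a * (b & 1)
        b >>= 1
        a = (a << 1) ^ (p.mod if a >> (p.n - 1) else 0)
    return r

def central_map(F, X, vin, p):
    """F_v(X) = sum alpha_ij X^(2^i+2^j) + sum beta_i(v) X^(2^i) + gamma(v); beta_i, gamma affine in v."""
    alpha, beta, gamma = F
    ev = lambda coeffs: reduce(xor, (c for c, vk in zip(coeffs[1:], vin) if vk), coeffs[0])
    fr = [X]
    for _ in range(p.n - 1):
        fr.append(gf_mul(fr[-1], fr[-1], p))              # fr[i] = X^(2^i), F_2-linear in X
    acc = ev(gamma)
    for (i, j), c in alpha.items():
        acc ^= gf_mul(c, gf_mul(fr[i], fr[j], p), p)      # product of two linear terms: quadratic
    for i, coeffs in beta.items():
        acc ^= gf_mul(ev(coeffs), fr[i], p)
    return acc

def invert_matrix(rows, m):
    """Gauss-Jordan over F_2 on [A | I]; rows are ints with bit j = A_ij. None if singular."""
    aug = [(r << m) | (1 << i) for i, r in enumerate(rows)]
    for col in range(m):
        piv = next((k for k in range(col, m) if aug[k] >> (m + col) & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for k in range(m):
            if k != col and aug[k] >> (m + col) & 1:
                aug[k] ^= aug[col]
    return [r & ((1 << m) - 1) for r in aug]

def apply_matrix(rows, x):
    return sum(1 << i for i, r in enumerate(rows) if bin(r & x).count("1") & 1)

def random_invertible(m, rng):
    while True:
        rows = [rng.getrandbits(m) for _ in range(m)]
        inv = invert_matrix(rows, m)
        if inv is not None:
            return rows, inv

def keygen(p, rng):
    n, D, v = p.n, p.D, p.v
    alpha = {(i, j): rng.randrange(1 << n) for i in range(n) for j in range(i, n)
             if (1 << i) + (1 << j) <= D}                  # degree bound D (slide 8)
    beta = {i: [rng.randrange(1 << n) for _ in range(v + 1)] for i in range(n) if (1 << i) <= D}
    gamma = [rng.randrange(1 << n) for _ in range(v + 1)]
    S, S_inv = random_invertible(n, rng)                  # minus: only n - a outputs of S are used
    T, T_inv = random_invertible(n + v, rng)
    return (alpha, beta, gamma), (S, S_inv), (T, T_inv)

def public_map(priv, z, p):                  # P = S o Fbar o T : F^(n+v) -> F^(n-a), by composition
    F, (S, _), (T, _) = priv
    y = apply_matrix(T, z)
    X, vin = y & ((1 << p.n) - 1), [(y >> (p.n + k)) & 1 for k in range(p.v)]
    return apply_matrix(S, central_map(F, X, vin, p)) & ((1 << (p.n - p.a)) - 1)

def preimages(priv, w, vin, extra, p):
    """All z with P(z) = w for fixed vinegar bits and fixed values 'extra' of the a dropped coordinates."""
    F, (_, S_inv), (_, T_inv) = priv
    X = apply_matrix(S_inv, w | (extra << (p.n - p.a)))
    vbits = sum(vk << (p.n + k) for k, vk in enumerate(vin))
    return [apply_matrix(T_inv, Y | vbits) for Y in range(1 << p.n) if central_map(F, Y, vin, p) == X]

def hash_to_field(msg, p):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") & ((1 << (p.n - p.a)) - 1)

def sign(priv, msg, rng, p):
    """Slides 12, 14, 22: w = H(msg || counter), random vinegar/minus values, solve F_v(Y) = X;
    if there is no root, bump the counter and retry."""
    for counter in range(256):
        w = hash_to_field(msg + bytes([counter]), p)
        vin = [rng.getrandbits(1) for _ in range(p.v)]
        zs = preimages(priv, w, vin, rng.getrandbits(p.a) if p.a else 0, p)
        if zs:
            return counter, rng.choice(zs)
    return None

def demo(seed=1):
    """HFE encrypt/decrypt (slides 9-11) and HFEv- sign/verify (slides 22-23)."""
    rng, msg = random.Random(seed), b"constructed message"
    priv, z = keygen(HFE_TOY, rng), rng.randrange(1 << HFE_TOY.n)
    cands = preimages(priv, public_map(priv, z, HFE_TOY), [], 0, HFE_TOY)   # decryption
    priv2 = keygen(HFEV_TOY, rng)
    counter, sig = sign(priv2, msg, rng, HFEV_TOY)
    valid = public_map(priv2, sig, HFEV_TOY) == hash_to_field(msg + bytes([counter]), HFEV_TOY)
    return {"plaintext_recovered": z in cands, "candidates": len(cands), "signature_valid": valid}
```

`demo()` returns the number of candidate plaintexts found by decryption, which is frequently larger than one: that is the non-bijectivity of slide 11, and the reason the real scheme adds redundancy to the plaintext. The public key is evaluated by composing the private maps only because the toy never publishes it; an actual key is the list of quadratic polynomials obtained by interpolating $\mathcal{P}$.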

  25. Toy Example - Key Generation
     $(q, n, D, a, v) = (4, 3, 17, 0, 1)$.
     $w$ is a generator of the field $\mathbb{F} = GF(4)$.
     Extension field $\mathbb{E} = GF(4^3)$, $\mathbb{E} = \mathbb{F}[b]/\langle b^3 + w \rangle$
     isomorphism $\phi: \mathbb{F}^3 \to \mathbb{E}$, $(a_1, a_2, a_3) \mapsto a_1 + a_2 \cdot b + a_3 \cdot b^2$.
     affine map $\mathcal{S}: \mathbb{F}^3 \to \mathbb{F}^3$,
     $$\mathcal{S}(x_1, \ldots, x_3) = \begin{pmatrix} w & w & 1 \\ 1 & 0 & 0 \\ w^2 & w & 0 \end{pmatrix} \cdot \begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix} + \begin{pmatrix} w \\ w \\ 1 \end{pmatrix}$$
     affine map $\mathcal{T}: \mathbb{F}^4 \to \mathbb{F}^4$,
     $$\mathcal{T}(x_1, \ldots, x_4) = \begin{pmatrix} w^2 & 0 & w & w \\ w^2 & w^2 & 0 & w \\ w^2 & w^2 & w^2 & 1 \\ w^2 & w^2 & w^2 & 0 \end{pmatrix} \cdot \begin{pmatrix} x_1 \\ \vdots \\ x_4 \end{pmatrix} + \begin{pmatrix} 1 \\ w \\ w \\ 1 \end{pmatrix}$$
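Arithmetic for the toy parameters of slide 25, as an added Python example (not code from the slides): GF(4) through the tables of slide 6, $\mathbb{E} = \mathbb{F}[b]/\langle b^3 + w \rangle$ as coefficient triples under $\phi$, a check that every nonzero element of $\mathbb{E}$ has an inverse (so $b^3 + w$ is irreducible and $\mathbb{E}$ really is $GF(4^3)$), and the rank of the $\mathcal{S}$ and $\mathcal{T}$ matrices as transcribed above, which must be maximal for the affine maps to be invertible (slide 21). The encoding of $w$ as the integer 2 and all helper names are my own.

```python
# Added example, not code from the slides: arithmetic for the slide 25 toy parameters
# (q, n, D, a, v) = (4, 3, 17, 0, 1). GF(4) = {0, 1, w, w^2} is encoded as 0, 1, 2, 3 with
# w^2 = w + 1 (slide 6); E = GF(4)[b]/<b^3 + w> holds triples (c0, c1, c2) = c0 + c1 b + c2 b^2,
# which is the isomorphism phi of slide 25. S_MAT/T_MAT are the affine maps as read off slide 25.
ADD = [[0, 1, 2, 3], [1, 0, 3, 2], [2, 3, 0, 1], [3, 2, 1, 0]]   # slide 6 addition table
MUL = [[0, 0, 0, 0], [0, 1, 2, 3], [0, 2, 3, 1], [0, 3, 1, 2]]   # slide 6 multiplication table
INV = [None, 1, 3, 2]                                             # 1/w = w^2, 1/w^2 = w
W = 2

S_MAT, S_VEC = [[W, W, 1], [1, 0, 0], [3, W, 0]], [W, W, 1]
T_MAT, T_VEC = [[3, 0, W, W], [3, 3, 0, W], [3, 3, 3, 1], [3, 3, 3, 0]], [1, W, W, 1]

def e_add(x, y):
    return tuple(ADD[a][c] for a, c in zip(x, y))

def e_mul(x, y):
    """Multiply in E: polynomial product in b, then reduce with b^3 = -w = w (characteristic 2)."""
    prod = [0] * 5
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            prod[i + j] = ADD[prod[i + j]][MUL[xi][yj]]
    for k in (4, 3):                                   # b^k = w * b^(k-3)
        prod[k - 3] = ADD[prod[k - 3]][MUL[W][prod[k]]]
    return tuple(prod[:3])

def phi(a):
    """phi: F^3 -> E, (a1, a2, a3) -> a1 + a2 b + a3 b^2 (the triple is already that encoding)."""
    return tuple(a)

def every_nonzero_element_invertible():
    """True iff b^3 + w is irreducible over GF(4), i.e. E is the field GF(4^3) of 64 elements."""
    elems = [(c0, c1, c2) for c0 in range(4) for c1 in range(4) for c2 in range(4)]
    return all(any(e_mul(x, y) == (1, 0, 0) for y in elems) for x in elems if any(x))

def affine_apply(mat, vec, x):
    """Affine map x -> mat * x + vec over GF(4), as S and T on slide 25."""
    out = []
    for row, c in zip(mat, vec):
        s = c
        for m, xi in zip(row, x):
            s = ADD[s][MUL[m][xi]]
        out.append(s)
    return tuple(out)

def rank_gf4(matrix):
    """Row reduction over GF(4); S and T need maximal rank (slide 21) to be invertible."""
    m, rank = [row[:] for row in matrix], 0
    for c in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = INV[m[rank][c]]
        m[rank] = [MUL[inv][x] for x in m[rank]]        # scale the pivot row so the pivot is 1
        for r in range(len(m)):
            if r != rank and m[r][c]:
                f = m[r][c]
                m[r] = [ADD[x][MUL[f][y]] for x, y in zip(m[r], m[rank])]   # subtract = add in char 2
        rank += 1
    return rank

if __name__ == "__main__":
    b = (0, 1, 0)
    print("b^3 =", e_mul(e_mul(b, b), b), "(w is encoded as 2)")
    print("E is a field:", every_nonzero_element_invertible())
    print("rank S =", rank_gf4(S_MAT), " rank T =", rank_gf4(T_MAT))
    print("S(1, 0, 0) =", affine_apply(S_MAT, S_VEC, (1, 0, 0)))
```

The brute-force invertibility check is affordable only because $|\mathbb{E}| = 64$; for real parameters one tests irreducibility of $g$ directly, as in slide 5, rather than enumerating the field.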
