Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE - - PowerPoint PPT Presentation

SLIDE 1

Bilinear Cryptanalysis of Multivariate Schemes

Pierre-Alain FOUQUE, Crypto Team, École normale supérieure. Joint work with Dubois, Stern, Shamir, Macario-Rat

SLIDE 2

Summary

  • Matsumoto-Imai (MI) cryptosystem
  • Cryptanalysis of MI by Patarin
  • The SFLASH signature scheme
  • First attack against SFLASH (E07)
  • Second attack against NESSIE parameters of SFLASH (C07)
  • Key Recovery on SFLASH (E08)

SLIDE 3

Alternative to RSA

  • f(x) = x^e mod N with N = pq
  • F(X) = X^(q+1) in the finite field GF(q^n)
  • F is a permutation iff gcd(q+1, q^n - 1) = 1
  • GF(q^n) is a vector space over GF(q), ≅ GF(q)^n
  • X ↦ X^q is a linear map on GF(q)^n, so F(X) = X · X^q is quadratic over GF(q)^n
  • F is described as n quadratic polynomials in (x1, x2, ..., xn), where X = (x1, ..., xn)

SLIDE 4

MI Cryptosystem (E88)

  • F: system of n quadratic polynomials (f1, ..., fn) in X = (x1, x2, ..., xn) ∈ GF(q)^n, easily invertible
  • Linear masking: S and T, two linear bijective maps over GF(q)^n
  • Public Key: P = T ∘ φ^(-1) ∘ F ∘ φ ∘ S, where φ is an isomorphism between GF(q)^n and GF(q^n)
  • P is also a set of n quadratic polynomials
  • Secret Key: S and T

SLIDE 5

MI Encryption Scheme

  • For example: q = 2 and n = 128
  • Encryption: computing P(M), where M = (m1, ..., mn) is the plaintext in bits, is very simple and efficient even on a low-cost smartcard
  • Decryption:
    • invert T
    • invert F: F^(-1)(X) = X^h with h = (q+1)^(-1) mod (q^n - 1) (similar to RSA decryption)
    • invert S

SLIDE 6

Security of Multivariate Schemes

  • Solving a system of n polynomials over GF(2) is an NP-hard problem
  • No known polynomial-time quantum algorithm, contrary to DL- or RSA-based systems
  • S and T hide an easy instance of this generic problem
  • Generic tool: Gröbner-basis algorithms
    • exponential complexity in time/space

SLIDE 7

Cryptanalysis by Patarin (C95)

  • B = F(A) = A^(q+1), so B^(q-1) = A^(q²-1)
  • A · B^q - A^(q²) · B = 0
  • n bilinear relations over GF(q) between the coordinates of A and B
  • X -S-> A -F-> B -T-> Y
  • n bilinear relations between X (plaintext) and Y (ciphertext): b_k(x1, ..., xn, y1, ..., yn) = 0

SLIDE 8

Cryptanalysis by Patarin

  • b_k(x1, ..., xn, y1, ..., yn) = Σ_{i,j} α_{i,j,k} x_i y_j + Σ_i β_{i,k} x_i + Σ_j γ_{j,k} y_j + δ_k
  • Find the n bilinear relations using (n+1)² pairs (X = plaintext, Y = ciphertext)
  • linear system in the unknowns α, β, γ, δ, which has an n-dimensional kernel
  • To decrypt any ciphertext, it is sufficient to solve a linear system in (x1, ..., xn), since the α, β, γ, δ and y are known
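Added example, not part of the slides: a toy MI instance (slides 4-5) with q = 2, n = 7, and the Patarin attack of slides 7-8 run against its public map only. It assumes the isomorphism φ is the identity on bit vectors, S and T are random secret masks constructed here, and, because the toy field has only 128 elements, every plaintext/ciphertext pair is used instead of (n+1)² random ones.

```python
import random
from functools import reduce
from operator import xor
N, MOD, MASK = 7, 0b10000011, 0x7F        # q = 2, n = 7: GF(2^7) = GF(2)[t]/(t^7+t+1), elements as 7-bit ints
par = lambda z: bin(z).count("1") & 1   # parity of a packed vector = dot product over GF(2)
def gf_mul(a, b):                       # multiplication in GF(2^7) in the polynomial basis
    r = 0
    while b:
        if b & 1: r ^= a
        a, b = (a << 1) ^ (MOD if a >> 6 & 1 else 0), b >> 1
    return r

F = lambda x: gf_mul(gf_mul(x, x), x)   # central map X -> X^(q+1) = X^3; gcd(3, 127) = 1, so a bijection
apply = lambda cols, x: reduce(xor, (c for i, c in enumerate(cols) if x >> i & 1), 0)  # GF(2)-linear map
def nullspace(rows, ncols):             # basis of {v : <row, v> = 0 for every row}, vectors packed as ints
    piv = {}                            # pivot column -> fully reduced row (pivot = highest set bit)
    for row in rows:
        for p, prow in piv.items():
            if row >> p & 1: row ^= prow
        if row:
            p = row.bit_length() - 1
            for c in piv:
                if piv[c] >> p & 1: piv[c] ^= row
            piv[p] = row
    return [(1 << f) | sum(1 << p for p, prow in piv.items() if prow >> f & 1)
            for f in range(ncols) if f not in piv]
def random_invertible():                # constructed secret mask S or T: n independent columns over GF(2)
    while True:
        cols = [random.randrange(1, 1 << N) for _ in range(N)]
        if not nullspace(cols, N): return cols
S, T = random_invertible(), random_invertible()   # the secret linear masks
P = lambda x: apply(T, F(apply(S, x)))            # public map T o F o S (phi is the identity on bit vectors)

def monomials(x, y):                    # the (n+1)^2 monomials x_i y_j, x_i, y_j, 1 at one pair; bit k <-> unknown k
    row = 1 << (N * N + 2 * N) | y << (N * N + N)                # delta, gamma_j
    for i in range(N):
        if x >> i & 1: row |= y << (N * i) | 1 << (N * N + i)    # alpha_{i,j}, beta_i
    return row
def find_relations(P):                  # kernel of the pair matrix = every relation b_k(x, y) = 0 of the public key
    return nullspace([monomials(x, P(x)) for x in range(1 << N)], (N + 1) ** 2)

def decrypt(y, rels, P):                # fix y in each relation: a linear system in x alone (Patarin's decryption)
    rows = []
    for v in rels:
        cx = sum((par(v >> (N * i) & y & MASK) ^ (v >> (N * N + i) & 1)) << i for i in range(N))
        c0 = par(v >> (N * N + N) & y & MASK) ^ (v >> (N * N + 2 * N) & 1)
        rows.append(cx | c0 << N)       # homogenised: (x, 1) must be orthogonal to (cx, c0)
    sols = nullspace(rows, N + 1)
    for m in range(1 << len(sols)):     # every solution of the linear system; P is a bijection, so one matches
        x = reduce(xor, (b for k, b in enumerate(sols) if m >> k & 1), 0)
        if x >> N & 1 and P(x & MASK) == y: return x & MASK
```

The kernel returned by find_relations never sees S or T, yet decrypt recovers any plaintext from the public map alone.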

SLIDE 9

SFLASH Signature

  • Proposed by Patarin, Goubin, and Courtois (2000)
  • Idea: remove some equations from the public key (Shamir 93): erase rows of T, giving T_r
  • Also called the C*- scheme
  • The removed equations are kept in the secret key
  • To sign a message, try to invert the system with random values for the missing coordinates
  • If too many equations are removed, the scheme can only be used for signatures

SLIDE 10

SFLASH

  • Claimed security: q^r where r = number of missing equations
  • NESSIE parameters (n prime, n > 3r; θ is the exponent of the general C* map F(X) = X^(q^θ+1)):

        q    n   θ   r   log(Sec.)
    v2  128  37  11  11  77
    v3  128  67  33  11  77

SLIDE 11

First attack against SFLASH (Eurocrypt 07)

SLIDE 12

Main idea of the attacks

  • Reconstruct the missing polynomials
  • F∘S is a system of n quadratic polynomials
  • T's action: linear combinations over GF(q) of the F∘S polynomials
  • Goal: find other linear combinations of F∘S, independent of those of the truncated public key ...
  • Then, apply Patarin's attack

SLIDE 13

Final stage of the attack

  • Goal: find linear combinations of F∘S independent of those of the truncated PK, P_r
  • Find N such that N = S^(-1) M S, where M is the matrix of the multiplication by ξ in GF(q^n)
  • P_r ∘ N = (T_r ∘ F ∘ S) ∘ (S^(-1) ∘ M ∘ S) = T_r ∘ F ∘ M ∘ S
  • F ∘ M = M_F(ξ) ∘ F, since F(ξX) = F(ξ) F(X)
  • P_r ∘ N = (T_r ∘ M_F(ξ)) ∘ F ∘ S gives (n-r) linear combinations of F∘S, some independent of those of P_r provided ξ ∉ GF(q)

SLIDE 14

Differential Cryptanalysis

  • DF(X,Y) = F(X+Y) - F(X) - F(Y) + F(0)
  • Since F is quadratic, DF is bilinear!
  • DF(X,Y) = X^q Y + X Y^q, a symmetric bilinear map
  • DP(X,Y) = T(DF(S(X), S(Y)))
  • Each coordinate of the PK is a bilinear map
  • Multiplicative property: DF(ξX, Y) + DF(X, ξY) = (ξ + ξ^q) DF(X,Y)

SLIDE 15

Studying bilinear maps

  • Mathematicians usually study linear maps, called skew-symmetric maps, attached to bilinear maps
  • L is a skew-symmetric map for a bilinear map B(x,y) iff B(Lx, y) = B(x, Ly)
  • Skew-symmetric maps for DF are exactly some multiplications M_ξ by ξ, since F is multiplicative; for the general map F(X) = X^(q^θ+1), if gcd(n, θ) > 1 there exists ξ ∉ GF(q) s.t. ξ + ξ^(q^θ) = 0
  • For DP, they are conjugates of M_ξ: N = S^(-1) M_ξ S

SLIDE 16

Second Attack on NESSIE Parameters (Crypto 07)

SLIDE 17

NESSIE Parameters

  • Since n is prime, there is no element ξ ∉ GF(q) s.t. ξ + ξ^(q^θ) = 0
  • We have to find other (or any) multiplications
  • We still have the equation DF(ξX, Y) + DF(X, ξY) = (ξ + ξ^q) DF(X,Y)
  • DP(N(X), Y) + DP(X, N(Y)) = (T (ξ + ξ^q) T^(-1)) DP(X,Y) = L DP(X,Y)

SLIDE 18

SFLASH Attack

  • Let B be the vector space of the symmetric bilinear forms, of dimension n(n-1)/2
  • Let Vect(DP1, ..., DPn) be the n-dimensional vector space spanned by the n forms of the PK
  • If N is a multiplication, then for each coordinate i: DPi(N(X), Y) + DPi(X, N(Y)) ∈ Vect(DP1, ..., DPn)
  • n(n-1)/2 linear relations on the unknowns of N

SLIDE 19

Problem of a truncated public key

  • We don't know Vect(DP1, ..., DPn), since we have only (n-r) polynomials in the PK,
  • ... but we know the subspace Vect(DP1, ..., DP(n-r))
  • One bilinear form DPi(N(X), Y) + DPi(X, N(Y)) will be in Vect(DP1, ..., DP(n-r)) with probability 1/q^r
  • No characterization property holds: the N are not always conjugates of multiplications, and not all
  • but 3 equations characterize some conjugates, and if n - 3r > 1 we find only conjugates of multiplications

SLIDE 20

Recovering the secret keys (E08)

  • N is one conjugate of a multiplication M: X ↦ ξX by the secret matrix S: N = S^(-1) M S
  • If M is known, we can linearize the system SN = MS and solve for S
  • The minimal polynomial of N has ξ as a root, and all the conjugates of ξ
  • Any conjugate will give a possible M and an equivalent secret key

SLIDE 21

Conclusion and open problems

  • Bilinear algebra appears to be well suited to cryptanalyze multivariate cryptosystems
  • Breaking HFE, where the monomial X^(q+1) is replaced by a quadratic polynomial of small degree Σ_{i,j<D} p_{i,j} X^(q^i + q^j) ?