Improved Cryptanalysis of HFEv- via Projection (slide deck, 25 slides)


SLIDE 1

Improved Cryptanalysis of HFEv- via Projection

Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone
PQ Crypto 2018, Fort Lauderdale, Florida, 04/10/2018

A. Petzoldt, Cryptanalysis of HFEv- via Projection, PQ Crypto 2018, 1 / 25

SLIDE 2

Outline

1. Multivariate Cryptography
2. The HFEv- Signature Scheme
3. Notations and Previous Work
4. Our three new Attacks against HFEv-
5. Conclusion

SLIDE 3

Multivariate Cryptography

$$p^{(1)}(x_1,\dots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(1)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(1)}_{i}\, x_i + p^{(1)}$$
$$p^{(2)}(x_1,\dots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(2)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(2)}_{i}\, x_i + p^{(2)}$$
$$\vdots$$
$$p^{(m)}(x_1,\dots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(m)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(m)}_{i}\, x_i + p^{(m)}$$

The security of multivariate schemes is based on the Problem MQ: Given $m$ multivariate quadratic polynomials $p^{(1)}(x),\dots,p^{(m)}(x)$, find a vector $\bar{x} = (\bar{x}_1,\dots,\bar{x}_n)$ such that $p^{(1)}(\bar{x}) = \dots = p^{(m)}(\bar{x}) = 0$.

SLIDE 4

Construction

Decryption / Signature Generation (invert $T$, $\mathcal{F}$ and $U$ in turn):
$$w \in \mathbb{F}^m \;\xrightarrow{\;T^{-1}\;}\; x \in \mathbb{F}^m \;\xrightarrow{\;\mathcal{F}^{-1}\;}\; y \in \mathbb{F}^n \;\xrightarrow{\;U^{-1}\;}\; z \in \mathbb{F}^n$$
Encryption / Signature Verification: $P = T \circ \mathcal{F} \circ U$ maps $z$ back to $w$.

- Easily invertible quadratic map $\mathcal{F} : \mathbb{F}^n \to \mathbb{F}^m$
- Two invertible linear maps $T : \mathbb{F}^m \to \mathbb{F}^m$ and $U : \mathbb{F}^n \to \mathbb{F}^n$
- Public key: $P = T \circ \mathcal{F} \circ U$, supposed to look like a random system
- Private key: $T$, $\mathcal{F}$, $U$, allows one to invert the public key

SLIDE 5

Big Field Signature Schemes

Signature Generation:
$$w \in \mathbb{F}^n \;\xrightarrow{\;T^{-1}\;}\; x \in \mathbb{F}^n \;\xrightarrow{\;\bar{\mathcal{F}}^{-1}\;}\; y \in \mathbb{F}^n \;\xrightarrow{\;U^{-1}\;}\; z \in \mathbb{F}^n$$
Signature Verification: $P$ maps $z$ back to $w$.

The inversion of $\bar{\mathcal{F}}$ takes place in the extension field $E$:
$$x \;\xrightarrow{\;\Phi\;}\; X \in E \;\xrightarrow{\;\mathcal{F}^{-1}\;}\; Y \in E \;\xrightarrow{\;\Phi^{-1}\;}\; y$$

SLIDE 6

HFEv- Key Generation

BigField + Minus Equations + Vinegar Variation

central map $\mathcal{F} : \mathbb{F}^v \times E \to E$,
$$\mathcal{F}(X) = \sum_{\substack{0 \le i \le j \\ q^i + q^j \le D}} \alpha_{ij}\, X^{q^i + q^j} + \sum_{\substack{i = 0 \\ q^i \le D}} \beta_i(v_1,\dots,v_v)\, X^{q^i} + \gamma(v_1,\dots,v_v)$$
$\Rightarrow \bar{\mathcal{F}} = \Phi^{-1} \circ \mathcal{F} \circ \Phi$ quadratic

linear maps $T : \mathbb{F}^n \to \mathbb{F}^{n-a}$ and $U : \mathbb{F}^{n+v} \to \mathbb{F}^{n+v}$ of maximal rank

public key: $P = T \circ \bar{\mathcal{F}} \circ U : \mathbb{F}^{n+v} \to \mathbb{F}^{n-a}$
private key: $T$, $\mathcal{F}$, $U$

SLIDE 7

Signature Generation

Given: message (hash value) $w \in \mathbb{F}^{n-a}$

1. Compute $x = T^{-1}(w) \in \mathbb{F}^n$ and $X = \Phi(x) \in E$
2. Choose random values for the vinegar variables $v_1,\dots,v_v$; solve $\mathcal{F}_{v_1,\dots,v_v}(Y) = X$ over $E$ via Berlekamp's algorithm
3. Compute $y = \Phi^{-1}(Y) \in \mathbb{F}^n$ and $z = U^{-1}(y \,\|\, v_1 \,\|\, \dots \,\|\, v_v)$

Signature: $z \in \mathbb{F}^{n+v}$.

SLIDE 8

Signature Verification

Given: signature $z \in \mathbb{F}^{n+v}$, message (hash value) $w \in \mathbb{F}^{n-a}$

Compute $w' = P(z) \in \mathbb{F}^{n-a}$. Accept the signature $z$ $\Leftrightarrow$ $w' = w$.

SLIDE 9

Direct Attack

$$\mathrm{Complexity}_{\mathrm{direct}} = 3 \cdot \binom{n-a}{d_{reg}}^2 \cdot \binom{n-a}{2}$$

Experiments: HFEv- systems can be solved faster than random systems.

Reason: low degree of regularity
$$d_{reg} \le \begin{cases} \dfrac{(q-1)\cdot(r+a+v-1)}{2} + 2 & q \text{ even and } r+a \text{ odd},\\[4pt] \dfrac{(q-1)\cdot(r+a+v)}{2} + 2 & \text{otherwise,}\end{cases}$$
with $r = \lfloor \log_q(D-1) \rfloor + 1$.

Experiments: $d_{reg} \approx \dfrac{r+a+v+7}{3}$ for HFEv- systems over GF(2).

SLIDE 10

Q-Rank

Definition. Let $E$ be a degree $n$ extension of the field $\mathbb{F}_q$. The Q-rank of a quadratic map $\mathcal{F}(x)$ on $\mathbb{F}_q^n$ is the rank of the quadratic form $\phi \circ \mathcal{F} \circ \phi^{-1}$ in $E[X_0,\dots,X_{n-1}]$ via the identification $X_i = X^{q^i}$.

$\mathcal{F}$: $n$ quadratic polynomials $f^{(1)},\dots,f^{(n)}$ in $\mathbb{F}_q[x_0,\dots,x_{n-1}]$

Interpolation $\Rightarrow$
$$\mathcal{F}^\star : \sum_{i=0}^{n-1}\sum_{j=i}^{n-1} \alpha_{ij}\, X^{q^i} \cdot X^{q^j} \;\in E[X] \quad\xrightarrow{\;X_i = X^{q^i}\;}\quad \hat{\mathcal{F}}^\star : \sum_{i=0}^{n-1}\sum_{j=i}^{n-1} \alpha_{ij}\, X_i X_j \;\in E[X_0,\dots,X_{n-1}]$$
$$\Rightarrow \hat{\mathcal{F}}^\star : (X_0,\dots,X_{n-1}) \cdot M \cdot (X_0,\dots,X_{n-1})^T, \qquad \text{Q-rank}(\mathcal{F}) = \mathrm{Rank}(M)$$

Q-Rank is invariant under invertible affine transformations $\mathcal{F} \to \mathcal{F} \circ T$, but not under isomorphisms $\mathcal{F} \to S \circ \mathcal{F} \circ T$.

SLIDE 11

Q-Rank (2)

Definition. Let $E$ be a degree $d < n$ extension field of $\mathbb{F}_q$. The min-Q-rank of a quadratic map $\mathcal{F} : \mathbb{F}_q^n \to \mathbb{F}_q^m$ over $E$ is
$$\text{min-Q-rank}(\mathcal{F}) = \min_{S}\, \max_{T}\, \{\text{Q-rank}(S \circ \mathcal{F} \circ T)\},$$
where $S : \mathbb{F}_q^d \to \mathbb{F}_q^m$ and $T : \mathbb{F}_q^n \to \mathbb{F}_q^d$ are nonzero linear transformations.

The min-Q-Rank of a multivariate quadratic system is invariant under isomorphisms of polynomials.

SLIDE 12

The KS-attack on HFE

Idea: Use the low min-Q-rank of the central map $\mathcal{F}$ to recover an equivalent private key
- Lift the public map $P$ to the extension field $E$ (polynomial interpolation)
- Solve a MinRank Problem to find a linear map $N$ with $N \circ P$ of low rank
- Later improvement (Minors Modelling): $N$ can be found by computing a Gröbner basis over $\mathbb{F}$ (and computing the variety over $E$)

$$\mathrm{Complexity}_{\mathrm{MinRank}} = O\left( \binom{n+r+1}{r}^{\omega} \right) \quad \text{with } 2 < \omega \le 3.$$

SLIDE 13

The algebra A

$E$: degree $n$ extension field of $\mathbb{F}$, $\theta$: primitive element of $E$

$\phi : \mathbb{F}^n \to E$, $\phi(x_0,\dots,x_{n-1}) = \sum_{i=0}^{n-1} x_i \theta^i$ isomorphism

$\Phi : E \to A$, $\Phi(a) = (a, a^q, \dots, a^{q^{n-1}}) \in A \subset E^n$

$\Rightarrow$ We can pass between elements $(x_0,\dots,x_{n-1}) \in \mathbb{F}^n$ and $(X, X^q, \dots, X^{q^{n-1}}) \in A$ by right multiplication with $M_n$ and $M_n^{-1}$, where
$$M_n = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ \theta & \theta^{q} & \cdots & \theta^{q^{n-1}} \\ \theta^2 & \theta^{2q} & \cdots & \theta^{2q^{n-1}} \\ \vdots & \vdots & & \vdots \\ \theta^{n-1} & \theta^{(n-1)q} & \cdots & \theta^{(n-1)q^{n-1}} \end{pmatrix}$$

SLIDE 14

The algebra A (cont.)

To cover the vinegar variables $v_1,\dots,v_v$, we define
$$\tilde{M}_n = \begin{pmatrix} M_n & 0_{n \times v} \\ 0_{v \times n} & I_v \end{pmatrix},$$
lifting a vector $(x_0,\dots,x_{n-1}, v_1,\dots,v_v) \in \mathbb{F}^{n+v}$ to an element of $A \times \mathbb{F}^v$.

SLIDE 15

MinRank then Projection

We find
$$(P_1,\dots,P_n)\, T^{-1}\, \tilde{M}_n = \left( U \tilde{M}_n \mathcal{F}^{\star 0} \tilde{M}_n^T U^T,\ \dots,\ U \tilde{M}_n \mathcal{F}^{\star (n-1)} \tilde{M}_n^T U^T \right),$$
where $U$, $T$ and $P_i$ are the matrix representations of the affine transformations $U$ and $T$ and the public polynomials $P_i$, and $\mathcal{F}^{\star i}$ is the $i$-th Frobenius power of $\mathcal{F}$ over $A \times \mathbb{F}^v$.

We find that $\mathcal{F}^{\star 0}$ has a block form (shown as a figure on the slide, not reproduced here) with $\mathrm{Rank}(\mathcal{F}^{\star 0}) = r + a + v$.

SLIDE 16

MinRank then Projection (2)

1. Apply a MinRank attack on the matrices $P_i$ (with target rank $r + a + v$) $\Rightarrow$ equivalent output transformation $T'$ $\Rightarrow$ matrix $L$ representing the low Q-rank quadratic form $L = U' \tilde{M}_n \mathcal{F}^{\star 0} \tilde{M}_n^T U'^T$.
2. Find the vinegar subspace of $L$.
   ◮ Project $L$ to the orthogonal complement of a codimension 1 subspace of $\ker(L)$. Denote the result by $\hat{L}$.
   ◮ Apply a further codimension one projection $\pi$ to $\hat{L}$. If there is a nontrivial intersection between $\ker(\pi)$ and the vinegar subspace, the rank of $\hat{L}$ will drop.

$$\mathrm{Comp}_{MP} = O\left( \binom{n+r+v}{r+a+v}^2 \cdot \binom{n-a}{2} + (r+a+v+1)^3 \cdot q^{\,r+a+1} \right).$$

SLIDE 17

Project then MinRank

1. Apply a projection $\pi$, projecting the plaintext space to a codimension $k$ subspace
2. Apply the MinRank attack

If there is a nontrivial intersection between $\ker(\pi)$ and the vinegar subspace, we can find a quadratic form of rank less than $r + a + v$.

$$\mathrm{Comp}_{PM} = O\left( q^{\,c\,(r+a+\sqrt{n-a}) - \binom{c+1}{2}} \cdot \binom{n+r+v-c}{r+a+v-c}^2 \cdot \binom{n-a}{2} \right).$$

SLIDE 18

The Distinguisher

Observation 1: Take two HFEv- public keys $P_1$ and $P_2$ with the same values for $n$, $D$ and $a$ but different values $v_1$ and $v_2$. Fix variables to get determined systems and solve the systems with F4
$\Rightarrow$ the step degrees of the F4 algorithm will be different
$\Rightarrow$ this also holds when guessing (not too many) additional variables (hybrid approach)

SLIDE 19

The Distinguisher (2)

Observation 2: Take an HFEv-$(n, D, a, v)$ public key $P$. Define $V = \mathrm{span}(T_{n+1},\dots,T_{n+v})$. Append $\ell \in V$ to the system $P$ and apply F4
$\Rightarrow$ the so obtained system $P'$ behaves exactly like an HFEv-$(n-1, D, a, v-1)$ public key.

SLIDE 20

The Distinguisher (3)

Consider an HFEv-$(n, D, a, v)$ public key $P$.
- Add the field equations $\{x_i^2 - x_i = 0\}$ to $P$
- Add randomly chosen linear equations $\ell_1,\dots,\ell_k$ to $P$
- Solve the system with F4
$\Rightarrow$ By looking at the F4 step degrees, we can distinguish the two cases 1) $\mathrm{span}(\ell_1,\dots,\ell_k) \cap V = \emptyset$ and 2) $\mathrm{span}(\ell_1,\dots,\ell_k) \cap V \ne \emptyset$.

SLIDE 21

The Attack

Having found $\ell_1,\dots,\ell_k$ such that $\mathrm{span}(\ell_1,\dots,\ell_k) \cap V = \{\tilde{\ell}\}$, we can recover the private HFEv- key as follows:

1. Recover the exact form of $\tilde{\ell} = \sum_{i=1}^{k} \lambda_i \cdot \ell_i$
   ◮ Remove $\ell_1$ from the system. If the distinguisher still works, the coefficient $\lambda_1$ is zero. Otherwise, $\lambda_1 = 1$.
   ◮ Continue this step to find all the coefficients $\lambda_i$.
2. Add $\tilde{\ell}$ to the HFEv- system and run the distinguisher again to find another linear equation $\hat{\ell} \in V$. After having recovered $v$ of these linear equations, the system will behave like an HFE- system.
3. Apply any attack against HFE- (e.g. [VS, PQCrypto 2017]) to complete the attack.

SLIDE 22

Complexity of the Distinguisher

The complexity of the Distinguisher (finding $\tilde{\ell} \in V$) depends on
- the number of distinguisher runs: $\Pr(\ell \in V) = 2^{-n}$,
  $$\Pr\left( \mathrm{span}(\ell_1,\dots,\ell_{\bar{k}}) \cap V \ne \emptyset \right) = 1 - (1 - 2^{-n})^{2^{\bar{k}}} \approx 2^{\bar{k}-n}$$
- the cost of a single run (= 1 run of F4):
  $$\mathrm{Comp}_{F4} = O\left( \binom{n+v-\bar{k}}{d^\star_{reg}}^2 \cdot \binom{n+v-\bar{k}}{2} \right)$$

SLIDE 23

Complexity of the Distinguisher

$$\mathrm{Comp}_{\mathrm{Distinguisher;\,classical}} = O\left( 2^{\,n-\bar{k}} \cdot \binom{n+v-\bar{k}}{d^\star_{reg}}^2 \cdot \binom{n+v-\bar{k}}{2} \right)$$
$$\mathrm{Comp}_{\mathrm{Distinguisher;\,quantum}} = O\left( 2^{\,(n-\bar{k})/2} \cdot \binom{n+v-\bar{k}}{d^\star_{reg}}^2 \cdot \binom{n+v-\bar{k}}{2} \right).$$

The cost of the remaining steps (finding the exact form of $\tilde{\ell}$ and removing the other vinegar variables from the system, breaking the remaining HFE- system) is much smaller.
$\Rightarrow$ A strategy to estimate $\bar{k}$ and $d^\star_{reg}$ for concrete HFEv- systems can be found in our paper.
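As an added example (not code from the slides or the paper), the cost formulas of slides 9, 22 and 23 written out in Python, so that a candidate HFEv- parameter set $(q, D, a, v, n)$ can be checked against the direct attack and the distinguisher. The parameter values used in the comments and checks are constructed for illustration, not the paper's example parameters.

```python
from math import comb, log2

# Added example, not code from the slides or the paper: the cost formulas of
# slides 9, 22 and 23, so that a candidate HFEv- parameter set can be checked.
# q: field size, D: degree bound of the HFE polynomial, a: minus equations,
# v: vinegar variables, n: extension degree, k_bar: linear equations appended
# per distinguisher run, dreg_star: degree of regularity of such a run.

def hfe_rank(q, D):
    """r = floor(log_q(D - 1)) + 1, in integer arithmetic (no float log)."""
    x, r = D - 1, 0
    while x >= q:
        x //= q
        r += 1
    return r + 1

def dreg_upper_bound(q, D, a, v):
    """Upper bound on the degree of regularity of an HFEv- system (slide 9)."""
    r = hfe_rank(q, D)
    if q % 2 == 0 and (r + a) % 2 == 1:
        return (q - 1) * (r + a + v - 1) / 2 + 2
    return (q - 1) * (r + a + v) / 2 + 2

def dreg_gf2_estimate(D, a, v):
    """Experimental estimate d_reg ~ (r + a + v + 7) / 3 over GF(2) (slide 9)."""
    return (hfe_rank(2, D) + a + v + 7) / 3

def direct_attack_cost(n, a, dreg):
    """3 * C(n-a, d_reg)^2 * C(n-a, 2), the direct-attack cost of slide 9."""
    m = n - a
    return 3 * comb(m, dreg) ** 2 * comb(m, 2)

def prob_hit_vinegar(n, k_bar):
    """Exact Pr(span(l_1..l_kbar) meets V) of slide 22, approximately 2^(k_bar-n)."""
    return 1 - (1 - 2 ** -n) ** (2 ** k_bar)

def f4_run_cost(n, v, k_bar, dreg_star):
    """Cost of one F4 run with k_bar linear equations appended (slide 22)."""
    m = n + v - k_bar
    return comb(m, dreg_star) ** 2 * comb(m, 2)

def log2_distinguisher_cost(n, v, k_bar, dreg_star, quantum=False):
    """log2 of the total distinguisher cost (slide 23): 2^(n-k_bar) F4 runs
    classically, 2^((n-k_bar)/2) in the quantum setting."""
    runs_log2 = (n - k_bar) / 2 if quantum else n - k_bar
    return runs_log2 + log2(f4_run_cost(n, v, k_bar, dreg_star))
```

For the constructed toy parameters $n = 20$, $a = 4$, $d_{reg} = 5$, `direct_attack_cost(20, 4, 5)` returns 6868592640 field operations; the quantum distinguisher cost is always $(n - \bar{k})/2$ bits below the classical one.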

SLIDE 24

Conclusion

We presented three new attacks against HFEv- using the idea of projection:
- MinRank then Projection
- Projection then MinRank
- Distinguishing based attack

◮ Better performance than existing attacks against some HFEv- systems (see example in the paper)
◮ Less memory consumption than all known attacks (for all parameter sets)

$\Rightarrow$ New insights into the security of HFEv-
$\Rightarrow$ Restrictions for the parameter choice of HFEv- based schemes

SLIDE 25

The End

Thank you for your attention. Questions?