Multivariate CryptographyPart 1: Basics

Albrecht Petzoldt

PQCrypto Summer School 2017Eindhoven, Netherlands

Tuesday, 20.06.2017

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 1 / 24

Multivariate Cryptography [DS06]

MPKC: Multivariate Public Key CryptosystemPublic Key: System of nonlinear multivariate polynomials

p(1)(x1, . . . , xn) =n∑

i=1

n∑j=i

p(1)ij · xixj +

n∑i=1

p(1)i · xi + p(1)

0

p(2)(x1, . . . , xn) =n∑

i=1

n∑j=i

p(2)ij · xixj +

n∑i=1

p(2)i · xi + p(2)

0

...

p(m)(x1, . . . , xn) =n∑

i=1

n∑j=i

p(m)ij · xixj +

n∑i=1

p(m)i · xi + p(m)

0

d := degree of the polynomials in the systemm := # equationsn := # variables

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 2 / 24

Public Key Size

size public key = m · T field elements

with T = # monomials of degree ≤ d .

# monomials of degree d =(

n + d − 1d

)

# monomials of degree ≤ d =(

n + dd

)

⇒ size public key = m ·(

n + dd

)m≈n∼ O(nd+1)

⇒ For d ≥ 2 the public key size gets very big⇒ Most MPKCs use for efficiency reasons d = 2.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 3 / 24

Security

The security of multivariate schemes is based on the

Problem MQ: Given m multivariate quadratic polynomialsp(1)(x), . . . , p(m)(x), find a vector x = (x1, . . . , xn) such thatp(1)(x) = . . . = p(m)(x) = 0.

proven to be NP hard [GJ78]believed to be hard on average (both for classical and quantumconputers) [BB08]also known as the PoSSo Problem (especially for d > 2)

However: no direct reduction

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 4 / 24

Construction

Easily invertible quadratic map F : Fn → Fm

Two invertible linear maps S : Fm → Fm and T : Fn → Fn

Public key: P = S ◦ F ◦ T supposed to look like a random systemPrivate key: S, F , T allows to invert the public key

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 5 / 24

Isomorphism of Polynomials

DefinitionTwo polynomial systems G : Fn → Fm and H : Fn → Fm are calledisomorphic

⇔ ∃linear (affine) maps L1 and L2 s.t. H = L1 ◦ G ◦ L2.

⇒ The central map F and the public key P of an MPKC are isomorphic.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 6 / 24

Isomorphism of Polynomials (2)

Due to their construction, the security of MPKCs is also based on the

Problem EIP (Extended Isomorphism of Polynomials): Given the publickey P of a multivariate public key cryptosystem, find affine maps S and Tas well as an easily invertible quadratic map F such that P = S ◦ F ◦ T .

⇒ Hardness of the problem depends heavily on the structure of the centralmap⇒ In general, not much is known about the complexity⇒ Security analysis of multivariate schemes is a hard task

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 7 / 24

Encryption Schemes (m ≥ n)

Encryption: Given message z ∈ Fn, compute the ciphertext w ∈ Fm byw = P(z).

Decryption: Given ciphertext w ∈ Fm, compute recursivelyx = S−1(w) ∈ Fm, y = F−1(x) ∈ Fn and z = T −1(y).The condition (m ≥ n) guarantees that F is more or less injective, i.e. wedo not get too many possible plaintexts.

Important SchemesPMI+, IPHFE+ZHFE ( → this conference)Simple Matrix (→ this conference)

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 8 / 24

Signature Schemes (m ≤ n)Signature Generation: Given message d , use a hash functionH : {0, 1}? → Fm to compute w = H(d) ∈ Fm. Compute recursivelyx = S−1(w) ∈ Fm, y = F−1(x) ∈ Fn and z = T −1(y). The signature ofthe message d is z ∈ Fn.The condition (m ≤ n) is needed for the surjectivity of the map F , i.e.every message has a signature.

Signature Verification: To check the authenticity of a signature z ∈ Fn

for a message d , compute w ∈ H(d) ∈ Fm and w′ = P(z) ∈ Fm. Ifw′ = w holds, the signature is accepted, otherwise rejected.

Important SchemesUOV, RainbowHFEv-, GuiMQDSSpFLASH ( → this conference), TTS

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 9 / 24

Signature Schemes (m ≤ n)Signature Generation: Given message d , use a hash functionH : {0, 1}? → Fm to compute w = H(d) ∈ Fm. Compute recursivelyx = S−1(w) ∈ Fm, y = F−1(x) ∈ Fn and z = T −1(y). The signature ofthe message d is z ∈ Fn.The condition (m ≤ n) is needed for the surjectivity of the map F , i.e.every message has a signature.

Signature Verification: To check the authenticity of a signature z ∈ Fn

for a message d , compute w ∈ H(d) ∈ Fm and w′ = P(z) ∈ Fm. Ifw′ = w holds, the signature is accepted, otherwise rejected.

Important SchemesUOV, RainbowHFEv-, GuiMQDSSpFLASH (→ this conference), TTS

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 10 / 24

Workflow

Decryption / Signature Generation

w ∈ Fm -S−1x ∈ Fm -F−1

y ∈ Fn -T −1z ∈ Fn

6

P

Encryption / Signature Verification

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 11 / 24

Attacks

Direct Attacks: Try to solve the public equation P(z) = w as an instanceof the MQ-Problem

all algorithms have exponential running time (for m ≈ n)

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 12 / 24

XL -AlgorithmGiven: nonlinear polynomials f1, . . . , fm

1 eXtend multiply each polynomial f1, . . . , fm by every monomial ofdegree ≤ D

2 Linear Algebra Step: Apply Gaussian Elimination on the extendedsystem to generate a univariate polynomial p

3 Solve: Use Berlekamps algorithm to solve the polynomial p.4 Repeat: Substitute the solution of p into the system and continue

with the simplified system.many variations, e.g. FXL, MutantXL

Complexity = 3 ·(

n + dregdreg

)2

·(

n2

)

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 13 / 24

Grobner Bases Algorithms

find a “nice” basis of the ideal 〈f1, . . . , fm〉first studied by B. Buchbergerlater improved by Faugere et al. (F4, F5) [Fa99]currently fastest algorithms to solve random systems (Hybrid F5[BFP09])

Complexity(q,m, n) = mink qk · O(

m ·(

n − k + dreg − 1dreg

)ω)with 2 < ω ≤ 3.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 14 / 24

Complexity of Direct Attacks

How many equations are needed to meet given levels of security?

security number of equationslevel (bit) GF(16) GF(31) GF(256)

80 30 28 26100 39 36 33128 51 48 43192 80 75 68256 110 103 93

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 15 / 24

Remark

Every cryptosystem can be represented as a set of nonlinear multivariateequations

⇒ Direct attacks are used in the cryptanalysis of many cryptographicschemes (in particular block and stream ciphers)

⇒ The MQ (or PoSSo) Problem can be seen as one of the centralproblems in cryptography

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 16 / 24

Structural Attacks

Try to decompose the public key P into P = S ◦ F ◦ T by using theknown structure of the central map F

MinRank attack [CSV94]: For many multivariate schemes (certain)central equations have low rank⇒ look for a linear combination of the public key polynomials of low rank⇒ this linear combination corresponds to a central equation⇒ this linear combination yields (parts) of an equivalent affine map S⇒ further analysis: recover equivalent maps S, F and T

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 17 / 24

MinRank Attack

Problem MinRank: Given m n × n matrices G1, . . . ,Gm, find a linearcombination

H =m∑

i=1λiGi

such that Rank(H) ≤ r .

Complexity(MinorsModelling) = O(

n + rr

)ω

with 2 < ω ≤ 3.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 18 / 24

Other Attacks

HighRank Attack: Try to recover the linear transformation of thevariables appearing the lowest time in the central equations. Thisyields information about the affine transformation T and thereforethe private key.Differential Attacks: Look for invariants or symmetries of thedifferential

G(x , y) = P(x + y)− P(x)− P(y) + P(0)

These symmetries yield information about the private key.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 19 / 24

Advantages

resistant against attacks with quantum computersvery fast (much faster than RSA)only simple arithmetic operations required⇒ can be implemented on low cost devices⇒ suitable for security solutions for the IoTmany practical signature schemes (UOV, Rainbow, HFEv-, . . . )very short signatures (e.g. 120 bit signatures for 80 bit security)

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 20 / 24

Disadvantages

large key sizes (public key size ∼ 10− 100 kB)no security proofsBut: Practical Security (attack complexities) follows closelytheoretical estimationsmainly restricted to digital signatures (and public key encryption)

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 21 / 24

Lessons Learned

Multivariate Cryptographydeals with systems of nonlinear (usually quadratic) multivariatepolynomialsone of the main candidates for post-quantum cryptosystemsvery efficient signature schemes (e.g. Rainbow, HFEv-) with shortsignaturesnot so good for encryption schemeslarge public key sizes, no security proofsBut: Theoretical Security estimates match very well withexperimental data

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 22 / 24

References

BB08 D.J. Bernstein, J. Buchmann, E. Dahmen (eds.): PostQuantum Cryptography. Springer, 2009.

DG06 J. Ding, J. E. Gower, D. S. Schmidt: Multivariate Public KeyCryptosystems. Springer, 2006.

GJ79 M. R. Garey and D. S. Johnson: Computers andIntractability: A Guide to the Theory of NP-Completeness.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 23 / 24

References (2)

BF09 L. Bettale, L.C Faugere, L. Perret: Hybrid approach forsolving multivariate systems over finite fields. Journal ofMathematical Cryptology 3, pp. 177-197 (2009).

Fa99 J.C. Faugere: A new efficient algorithm for computingGrobner bases (F4). Journal of Pure and Applied Algebra139, pp. 61-88 (1999).

CS94 D. Coppersmith, J. Stern, S. Vaudenay: Attacks on theBirational Signature Scheme. CRYPTO 1994, LNCS vol.773, pp. 435 - 443. Springer, 1994.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 24 / 24