Security of Unbalanced Oil-Vinegar Signature Scheme

A dissertation submitted to the

Division of Research and Advanced Studies of the University of Cincinnati

in partial fulﬁllment of the requirements for the degree of

Doctor of Philosophy

in the Department of Mathematical Sciences of the College of Arts and Sciences

2012

Zhijun Yin

B.S., the University of Science and Technology of China (USTC), 2001 M.S., University of Cincinnati, 2004

Committee Chair: Professor Jintai Ding

July 16, 2012 Abstract

We explore ideas for oil-vinegar signature schemes in the multivariate polynomial cryptography. In the first half, we focus on TTS (Tame Transformation Signature) systems. We find a structure attack to defeat a family of TTS systems. Then we have the related complexity analysis to claim that a family of TTS systems can be broken in the time complexity O(261). In the second half, we discuss the algebraic attack for the randomly built unbalanced oil-vinegar signature systems with different characteristics. Then we explore the security of those general oil-vinegar systems under F4 algorithm attack.

i ii To my family: my mom Yongzhen Qiu and my wife Yu Mao

iii Acknowledgements

Foremost, I would like to show my gratitude to my advisor Prof. Jintai Ding for the continuous support of my Ph.D study and research, for his patience, motivation, enthusiasm, and immense knowledge. His guidance helped me through my research and writing of this thesis.

I am grateful to so many people who oﬀered help during the writing of this thesis. I would like to thank the committee members Dr. Dieter Schmidt and Dr.

Ning Zhong for their comments and assistance. I want to thank Dr. Crystal L.

Clough for her help in checking the English. I would like to thank Youjiao Zou,

Weiwei Cao, Adama Diene, Jason Gower, Daniel Cabarcas and Victoria Kruglov.

Moreover I would like to thank the entire Applied Algebra and Cryptography Group at the University of Cincinnati.

I would like to thank Dr. Tim Hodges, Dr. James Osterburg, Dr. Shuang

Zhang, Dr. Herbert Halpern, Dr. Philip Korman, Dr. Gary Weiss, Dr. Anthony

Leung, Dr. Scott Dumas and Dr. Joanna Mitro for help throughout my graduate work. I would like to thank the staﬀ of the department for their unconditional help:

Anita, Patti, Nancy, Terry and Sue. Truly, the entire faculty of the Department of

Mathematical Sciences at University of Cincinnati deserves my warmest gratitude for the help, instruction, guidance and support over the years. I feel they have

iv taught me not only about mathematics, but also how to be a mathematician.

My thanks to the department of mathematics at the Ohio University for supporting me at Ohio University from 2008 to 2012.

Last but not the least, I would like to thank my family: my parents Dengxiang

Yin and Yongzhen Qiu, for giving birth to me in the ﬁrst place and supporting me spiritually throughout my life.

v Contents

1 Introduction 1

2 Relevant Background Material 3

2.1 Crypto-system ...... 3

2.2 Modern Cryptography ...... 4

2.3 Public Key Crypto-system ...... 4

2.4 Post-Quantum Era Public Key Crypto-system ...... 6

2.5 Multivariate Public Key Crypto-systems (MPKCs) ...... 7

2.6 Signature Scheme ...... 9

2.7 Oil-Vinegar Signature Schemes ...... 10

2.8 Current Attacks on Oil-Vinegar Signature Schemes ...... 16

3 Notation 19

3.1 Multivariate Polynomials ...... 19

3.2 TTS Attack notation ...... 22

4 Structure Attack on Oil-Vinegar Scheme 29

4.1 Structure Attack background ...... 29

4.2 Main Attack Process ...... 31

vi 4.2.1 7-step attack outline ...... 37

4.2.2 Step 1: The unbalanced oil and vinegar attack ...... 37

4.2.3 Step 2: The Min-rank attack ...... 44 ˜ 4.2.4 Step 3: The search for the null subspace O1 ...... 48 ˜ 4.2.5 Step 4: Finding the space G12 ...... 52 ˜ 4.2.6 Step 5: Finding the space G1 ...... 54 ˜ 4.2.7 Step 6: Reformulation of G1 ...... 55

4.2.8 Step 7: Completing the attack ...... 58

4.3 Attack Complexity(Eﬃciency) Analysis ...... 61

4.4 Conclusion ...... 63

5 Algebraic Attack on Oil-Vinegar Scheme 64

5.1 Algebraic Attack background ...... 64

5.2 F 4 algorithm attacking ...... 65

5.3 Toy Example ...... 67

5.4 Three Authors’ cryptanalysis ...... 70

5.4.1 Case v=2m ...... 71

5.4.2 Case v=3m ...... 72

5.5 Improvement of three authors’ Cryptanalysis ...... 75

5.5.1 Probability Problem ...... 75

5.5.2 Our experiment result ...... 76

5.6 Conclusions ...... 78

6 The Conclusion and Future Work 79

6.1 The conclusion ...... 79

vii 6.2 The future work ...... 79

A Appendix: TTS Attack Details 90

A.1 The linear mapping L1 given by a matrix A1 and a vector b1 from the

simulation program with k = GF (4)...... 91

A.2 The linear mapping L2 given by a matrix A2 and a vector b2 from the

simulation program with k = GF (4)...... 92

A.3 A Matrix A3 from the simulation program with k = GF (4) ...... 94

A.4 A Matrix A4 from the simulation program with k = GF (4) ...... 96

A.5 A Matrix A5 from the simulation program with k = GF (4) ...... 98

B Appendix: Details for UOV Signature Scheme Attack 101

B.1 The source code for the oil vinegar system attack using MAGMA . . 102

B.2 The data of experiment for the oil vinegar system attack using MAGMA107

viii List of Tables

2.1 The Toy Example ...... 8

2 2.2 Computation in F4 = {0, 1, α, α } ...... 14

4.1 The linear mapping LZ ...... 38

−1 4.2 The linear mapping LZ ...... 39

5.1 Graphs Result ...... 77

B.1 Data for v = 2 × o over |F | =2 ...... 108

B.2 Data for v = 2 × o over |F | =3 ...... 109

B.3 Data for v = 2 × o over |F | =4 ...... 109

B.4 Data for v = 2 × o over |F | =5 ...... 110

B.5 Data for v = 2 × o over |F | = 11 ...... 110

B.6 Data for v = 2 × o over |F | = 16 ...... 110

B.7 Data for v = 2 × o over |F | = 31 ...... 111

B.8 Data for v = b1.5 × oc over |F | =2...... 111

B.9 Data for v = b1.5 × oc over |F | =3...... 112

B.10 Data for v = b1.5 × oc over |F | =4...... 112

B.11 Data for v = b1.5 × oc over |F | =5...... 113

B.12 Data for v = b1.5 × oc over |F | = 11 ...... 113

ix B.13 Data for v = b1.5 × oc over |F | = 16 ...... 113

B.14 Data for v = b1.5 × oc over |F | = 31 ...... 114

B.15 Data for v = 3 × o over |F | =2 ...... 114

B.16 Data for v = 3 × o over |F | =3 ...... 115

B.17 Data for v = 3 × o over |F | =4 ...... 115

B.18 Data for v = 3 × o over |F | =5 ...... 116

B.19 Data for v = 3 × o over |F | = 11 ...... 116

B.20 Data for v = 3 × o over |F | = 16 ...... 116

B.21 Data for v = 3 × o over |F | = 31 ...... 116

x List of Figures

2.1 Encryption and Decryption Process ...... 4

2.2 Signing and veriﬁcation Process ...... 10

2.3 Oil-Vinegar signature scheme from k4 to k2 ...... 12

2.4 Oil-Vinegar signature scheme from k4 to k2 ...... 14

3.1 The combination of 3 mappings ...... 21

3.2 A typical crypto-system from kn to kn ...... 21

3.3 A typical signature scheme from kn to kn−r ...... 22

4.1 TTS signature scheme from k28 to k20 in TTS [6] ...... 31

4.2 Step 1 Attack Diagram 1 ...... 38

4.3 Step 1 Attack Diagram 2 ...... 43

4.4 Step 1 Attack Diagram 3 ...... 44

4.5 Step 3 Attack Diagram 1 ...... 48

4.6 Step 3 Attack Diagram 2 ...... 51

4.7 Step 6 Attack Diagram 1 ...... 56

4.8 Step 6 Attack Diagram 2 ...... 57

B.1 Oil-vinegar Signature Scheme Diagram ...... 102

B.2 System Diagram ...... 107

xi Chapter 1

Introduction

Multivariate public key crypto-systems (MPKCs) are viewed as potential systems to resist attacks by a quantum computer. The mathematical background of MPKC is that solving a system of randomly chosen multivariate quadratic equations over a finite field is an NP-Hard problem [1]. This problem is NP-hard no matter how we solve it: using a traditional computer or a quantum computer [2]. MPKC research originally started in 1988. Two Japanese scientists, Tsutomu Matsumoto and Hideki Imai presented their crypto-system “Matsumoto-Imai-Scheme” in the Eurocrypt conference [3]. This system was broken by Jacques Patarin in 1995 [4]. However, it has inspired many new encryption and signature schemes. A signature scheme called Tame Transformation Signature (TTS) based on quadratic triangular type mapping was created by Bo-yin Yang and Jiun-Ming Chen in 2003 [5]. Then they formalized the TTS system in 2004 [6]. This system is a very efficient signature scheme. The oil-vinegar signature scheme proposed by Jacques Patarin [7] is another choice for the signature system. It uses a system of so-called oil-vinegar equations to build up a surjective mapping between the signature space and the document space. The unbalanced oil-vinegar signature scheme [9] and the more complicated TTS

1 signature system [6] are applicable systems to use. Our research is an analysis for oil-vinegar signature schemes. The first part of this thesis is to find an efficient attacking method for the TTS system proposed in 2004. The second part of the thesis is to do the analysis for general unbalanced oil-vinegar signature schemes over different characteristic finite fields. This work adds to our understanding of the oil-vinegar signature system. And it may inspire new designs of oil-vinegar signature schemes in the future.

2 Chapter 2

Relevant Background Material

2.1 Crypto-system

The purpose of a crypto-system is to hide information. More speciﬁcally, it is used to protect our secret information. The oldest crypto-system is the Caesar Cipher used by Julius Caesar of Rome more than 2000 years ago. A crypto-system refers to a series of algorithms needed to implement a particular form of encryption and decryption. Typically, a crypto-system includes three algorithms: one for key generation, one for encryption, and one for decryption. The key generation algorithm is used to generate the encryption key and decryption key. The encryption algorithm is used to transform the message into a cipher text, which usually is some meaningless string of characters. Then the cipher text can be delivered in any open channel without revealing the information of the message. The receiver can use the decryption algorithm to recover the message from the cipher text. A third party, without knowing the decryption algorithm, cannot recover the message if a crypto-system is well designed. Both encryption and decryption processes are like the following ﬁgure 2.1.

3 F - Math is fun. Ndpl zh tqc. F −1 plain text cipher text

Figure 2.1: Encryption and Decryption Process

2.2 Modern Cryptography

After World War II, cryptography and cryptanalysis used more and more mathematical techniques, especially algebra. Roughly speaking, there are the following 2 main subjects in modern cryptography,

• Crypto-systems

– Symmetric key cryptography

– Public key cryptography (or Asymmetric key cryptography)

• Cryptanalysis

2.3 Public Key Crypto-system

Based on the keys, a crypto-system can be categorized into two types: symmetric key crypto-system and public key crypto-system. A symmetric key crypto-system uses the same key for encryption and decryption. The benefit of the symmetric key crypto-system is the high efficiency. The related computation is easy to perform. A public key crypto-system uses different keys to do the encryption and the decryption. The benefit of public key crypto-systems is key management. There are two parts to key management. The first part is the total number of keys needed. For

4 example, if there are one million users in a cell phone network, we need

106×(106−1) 2 = 499999500000 different keys to guarantee every two parties can communicate with each other safely using a symmetric system. But if we choose the public key crypto-system, we only need 2 × 106 = 2000000 keys which is much fewer. The second part to key management is how to set keys. Using a symmetric key crypto-system, the sender and the receiver must decide which key to use in advance using a safe channel. For example, they could meet each other face to face to choose the key. But using a public key crypto-system, everyone can publish his or her public key in any open channel (unsecured). For example, one can send the public key in an email or directly upload the key on the Internet. Then a sender can encrypt the message by using the receiver’s public key, and send the cipher text in an email to the receiver. The whole process can be done in an unsecured channel. So strangers at any two places on the planet can communicate. The first public key system is the Diffie-Hellman key exchange protocol. It was proposed by Whitfield Diffie and Martin Hellman in 1976 [23]. The most famous public key system is RSA [24]. It was invented by Ronald Rivest, Adi Shamir, and Leonard Adleman in 1978. The RSA system is still widely used today. In recent years, some new public key crypto-systems have been invented such as elliptic curve crypto-systems, multivariate polynomial crypto-systems and lattice based crypto-systems, etc. Most public key crypto-systems can be modified to be used as digital signature schemes.

5 2.4 Post-Quantum Era Public Key Crypto-system

Post-quantum cryptography refers to the study of crypto-systems not breakable even using quantum computers, i.e. “quantum computer resistant crypto-systems”. The current widely used public key crypto-systems rely on the integer factorization problem or discrete logarithm problem. These problems become solvable on large enough quantum computers using Dr. Peter Shor’s algorithm [25]. Even though currently known quantum computers are nowhere near powerful enough to attack real crypto-systems, many cryptographer are doing research for new algorithms, in case quantum computing becomes a threat in the future. This work includes our cryptography group in the University of Cincinnati. In fact, the Department of Mathematical Sciences hosted the PQCrypto 2008 at the University of Cincinnati [29]. In 2001, Shor’s algorithm was demonstrated by a group at IBM, who factored 15 into 3 and 5, using an NMR (Nuclear magnetic resonance) implementation of a quantum computer with 7 qubits [26]. On the other hand, most current symmetric cryptography is still secure from quantum computers [28]. Currently, post-quantum cryptography is mostly focused on four diﬀerent categories: [28]

• Multivariate cryptography such as Matsumoto-Imai Cryptosystem

• Lattice-based cryptography such as NTRU

• Hash-based signatures such as Merkle signature scheme

• Code-based cryptography that relies on error-correcting codes, such as McEliece encryption

6 2.5 Multivariate Public Key Crypto-systems (MPKCs)

“Multivariate public key cryptography” refers to asymmetric cryptography based on multivariate polynomials over finite fields. Solving a system of m randomly chosen multivariate polynomial equations with n variables has been proven to be a NP-Hard problem [1] [31]. It means that this problem is, in general, very difficult to solve. Solving a random system of m quadratic equations with n variables over GF (2) (Galois filed of two element) remains an NP-Hard problem even with a large enough quantum computer. Therefore signature schemes based on multivariate systems of equations are quantum resistant signature schemes. Today, most multivariate quadratic polynomials could be used to build signature schemes only. There are four categories of multivariate public key crypto-system so far:

• Matsumoto-Imai(MI) system based on the simple power function over the extension ﬁeld

• Hidden Field Equation(HFE) System

• Triangular system like TTM, TTS

• Oil-vinegar system (Only used for the Signature Scheme)

Example 2.1 The following is a toy example of a multivariate polynomial crypto-system over GF (2) (the ﬁnite ﬁeld of two elements) in four variables.

2 2 2 2 y1 = x1 + x1x2 + x2 + x2x3 + x3 + x1x4 + x2x4 + x3x4 + x4 + x1 + x2 + x4 y2 = x1x3 + x3x4 + x1 + x2 + x3 + x4 + 1 2 2 y3 = x1x2 + x1x4 + x2x3 + x2x4 + x3 + x3x4 + x4 + x1 + x3 2 2 y4 = x1 + x2

7 This quadratic multivariate polynomial equation system forms a bijective mapping on the vector space GF (2)4. In fact, the general quadratic multivariate polynomial equation system is only required to be a surjective mapping for a signature scheme. The mapping can also be given in the following table form:

Hash of Message Cipher text < x1, x2, x3, x4 > < y1, y2, y3, y4 > < 0, 0, 0, 0 > < 0, 1, 0, 0 > < 0, 0, 0, 1 > < 0, 0, 1, 0 > < 0, 0, 1, 0 > < 1, 0, 0, 0 > < 0, 0, 1, 1 > < 0, 0, 0, 0 > < 0, 1, 0, 0 > < 0, 0, 0, 1 > < 0, 1, 0, 1 > < 1, 1, 0, 1 > < 0, 1, 1, 0 > < 0, 1, 1, 1 > < 0, 1, 1, 1 > < 0, 1, 0, 1 > < 1, 0, 0, 0 > < 0, 0, 1, 1 > < 1, 0, 0, 1 > < 1, 1, 1, 1 > < 1, 0, 1, 0 > < 1, 0, 1, 1 > < 1, 0, 1, 1 > < 1, 0, 0, 1 > < 1, 1, 0, 0 > < 1, 1, 0, 0 > < 1, 1, 0, 1 > < 1, 0, 1, 0 > < 1, 1, 1, 0 > < 1, 1, 1, 0 > < 1, 1, 1, 1 > < 0, 1, 1, 0 >

Table 2.1: The Toy Example

To use this system, we need do the followings, 1. Coding the message. It is to transform the message into a binary sequence. For example, if the message we want to send is “Math is fun.”. Then we can use the standard ASCII code for each character: 77, 97, 116, 104, 32, 105, 115, 32, 102, 117, 110, 46. Next, we can get the corresponding binary code for each number in the length 7: 1001101 1100001 1110100 1101000 0100000 1101001 1110011 0100000 1100110 1110101 1101110 0101110. We can connect them into a binary string with the total length 84. 2. Encryption. We cut the binary string into pieces with length 4 to encrypt each piece by this system. For example, the ﬁrst piece is 1001. we use the crypto-system listed early,

8 we can get the encrypted piece to be 1111. After using the crypto-system for each piece, we get the encrypted binary string 1111 1001 0011 0101 1011 0111 0011 0001 0010 1011 0101 1111 1011 0100 1100 1010 1010 0101 0101 1000 1110. We can organize them into length 7 blocks: 1111100 1001101 0110110 1110011 0001001 0101101 0111111 0110100 1100101 0101001 0101011 0001110. The corresponding numbers are 124, 77, 54, 115, 9, 45, 63, 52, 101, 41, 43, 14. Those numbers are the ASCII code for the cipher text to send in the open channel. So the cipher text will be “| M6s -?4e)+ ”. Here, the ﬁfth letter and the twelfth letter are not printable character in ASCII code. As an alternative choice, we can also send the numbers 124, 77, 54, 115, 9, 45, 63, 52, 101, 41, 43, 14 as our cipher text directly with necessary explanation.

2.6 Signature Scheme

A digital signature scheme is used to convince a receiver that a message is really from the alleged sender. The background of digital signatures is public key cryptography. For example, similar to a multivariate polynomial crypto-system, we can use an injective mapping between 2 finite fields as a signature scheme while a crypto-system use a surjective mapping between 2 finite fields. Typically, a signature scheme includes three algorithms: one for key generation, one for signing, and one for verification. The key generation algorithm is used to generate the public key and the secret key similar to the crypto-system case. The signing algorithm is used to generate the signature from the document by the secret key of the sender. Then the document and its signature can be delivered in any open channel at the same time. The receiver can use the verification algorithm (which is the public key of the sender) to verify the document has been sent by the sender. A third party, without knowing the signing algorithm, cannot forge the

9 signature if a signature scheme is well designed.

F −1 - Math is fun. Ndpl zh tqc. F Document A signature

Figure 2.2: Signing and veriﬁcation Process

2.7 Oil-Vinegar Signature Schemes

The Oil and Vinegar scheme was designed by Jacques Patarin [7]. It is a multivariate digital signature scheme. The mathematical problem is to solve m quadratic equations with n variables in the finite field of size q. The system of equations is the public key. The Oil-Vinegar schemes can be grouped into three families: balanced Oil-Vinegar [7], unbalanced Oil-Vinegar [9] and Rainbow, a multi-layer construction using unbalanced Oil-Vinegar at each layer [21]. The basic building block of the Oil-Vinegar scheme is the Oil-Vinegar polynomial. Oil-Vinegar polynomials are quadratic polynomials in which oil variables can only appear linearly. After fixing values for all vinegar variables, the quadratic Oil-Vinegar polynomial becomes linear in the oil variables. With a set of (not too many) Oil-Vinegar polynomials we can then solve for the oil variables and produce a signature.

For example, let k be a ﬁnite ﬁeld with |k| = q. The variables x1, . . . , xi, . . . , xo

will be called the oil variables, and the variablesx ¯1,..., x¯v will be called the vinegar variables. Let n = o + v. An Oil-Vinegar polynomial is a degree two polynomial f

10 in the polynomial ring k[x1, . . . , xo, x¯1,..., x¯v] of the form v v o v o v X X X X X X aijx¯ix¯j + bijxix¯j + cixi + djx¯j + e i=1 j=i i=1 j=1 i=1 j=1 where aij, bij, ci, dj and e ∈ k. The name for Oil-Vinegar polynomials comes from the fact that Oil-Vinegar variables are not fully mixed in the quadratic terms; i.e., there are no terms of the form xixj. In fact, if we use the bilinear form of an oil vinegar polynomial, the structure of the polynomial is easily seen. Let M be the (n + 1) × (n + 1) upper triangular matrix like the following,   0 ··· 0 b1,1 ··· b1,v c1 . . . . . ......  . . . . .      0 BC 0 ··· 0 bo,1 ··· bo,v co    M = 0 AD = 0 ··· 0 a1,1 ··· a1,v d1 . ......  0 0 E ......    0 ··· 0 0 ··· av,v dv 0 ··· 0 0 ··· 0 e • The upper left block matrix 0 is an o × o zero matrix;

• The upper middle block matrix B is an o × v matrix;

• The upper right block matrix C is an o × 1 matrix or be viewed as an o-dimensional column vector;

• The middle left block matrix 0 is an v × o zero matrix;

• The center block matrix A is an v × v upper triangular matrix;

• The middle right block matrix D is an v × 1 matrix or be viewed as a v-dimensional column vector;

• The lower left block matrix 0 is a 1 × o zero matrix or be viewed as an o-dimensional zero row vector;

11 • The lower middle block matrix 0 is a 1 × v zero matrix or be viewed as a v-dimensional zero row vector;

• The lower right block matrix E is a 1 × 1 matrix or be viewed as the element e.

¯ An Oil-Vinegar polynomial f(x1, . . . , xo;x ¯1,..., x¯v) can be rewritten as the [1, 1] position of the following 1 × 1 matrix:

t [x1, . . . , xo, x¯1,..., x¯v, 1] × M × [x1, . . . , xo, x¯1,..., x¯v, 1] . Let F : kn → ko be a surjective polynomial mapping of the form

F (x1, . . . , xo, x¯1,..., x¯v) = (f1, . . . , fo), where

q q f1, . . . , fo ∈ k[x1, . . . , xo, x¯1,..., x¯v]/ < x1 − x1, . . . , xn − xn > are Oil-Vinegar polynomials. Then F is called an Oil-Vinegar mapping. The key property of the Oil-Vinegar mapping F is the following. If the

o coeﬃcients of F are chosen randomly, then given a ﬁxed vector (y1, . . . , yo) ∈ k we

can “invert” F by randomly choosing values ofx ¯1,..., x¯v. Example 2.2

P F¯ ? k4 - k2 - k2

Figure 2.3: Oil-Vinegar signature scheme from k4 to k2

Let k = GF (2) = ({0, 1}, +, ×), o = 2, v = 2. So the message is from k2. The signature is from k4.

12 The polynomial mapping F = (f1, f2) is the following,

2 2 f1(x1, x2, x¯1, x¯2) =x ¯1 +x ¯1x¯2 +x ¯2 + x1x¯1 + x2x¯1 + x2x¯2 + x1 +x ¯2

2 f2(x1, x2, x¯1, x¯2) =x ¯1 + x1x¯1 + x1x¯2 + x2x¯1 + x1 + x2 +x ¯1 + 1

If we choose the following values for the vinegar variables:

x¯1 = 0

x¯2 = 1 we have

f1(x1, x2, 0, 1) = x1 + x2

f2(x1, x2, 0, 1) = x2 + 1

We can rewrite the mapping as

F¯ : k2 −→ k2

(x1, x2) 7−→ (x1 + x2, x2 + 1)

We can quickly ﬁnd the inverse mapping F¯−1 by solving this linear system of equations in 2 variables with f1 = y1 and f2 = y2 as constants.

F¯−1 : k2 −→ k2

(y1, y2) 7−→ (y1 + y2 + 1, y2 + 1)

So we ﬁnd a pre-image (y1 + y2 + 1, y2 + 1, 0, 1) for any given (y1, y2) in the image space. Here this given (y1, y2) plays the role of the message. This pre-image plays the role of a signature for it. Here is another example. Example 2.3 Let k = GF (4) = ({0, 1, α, α2}, +, ×)

13 F¯

LF ? k4 - k4 - k2

Figure 2.4: Oil-Vinegar signature scheme from k4 to k2

2 Table 2.2: Computation in F4 = {0, 1, α, α } + 0 1 α α2 × 0 1 α α2 0 0 1 α α2 0 0 0 0 0 1 1 0 α2 α 1 0 1 α α2 α α α2 0 1 α 0 α α2 1 α2 α2 α 1 0 α2 0 α2 1 α

The computation tables in k is done according to the following tables Let o = v = 2, and hence n = o + v = 4. So the message is from k2. The signature is from k4.

T 4 For x = (x1, x2, x¯1, x¯2) ∈ k , the polynomial mapping F = (f1, f2) is the following:

2 2 2 2 2 f1(x1, x2, x¯1, x¯2) = x1x¯1 + α x1x¯2 + αx2x¯1 + x2x¯2 + α x¯1 + α x¯1x¯2 + αx¯2

2 2 2 2 f2(x1, x2, x¯1, x¯2) = αx1x¯1 + αx1x¯2 + x2x¯1 + α x2x¯2 + αx¯1 + α x¯1x¯2 +x ¯2

T When these functions are written in bilinear form fi = x Qix for i = 1, 2,

a possible choice for the matrices Qi is in upper triangular form:

0 0 1 α2 0 0 α α  0 0 α 1  0 0 1 α2 Q1 =   ,Q2 =   . 0 0 α2 α2 0 0 α α2 0 0 0 α 0 0 0 1 For simplicity, we will choose L to be the invertible linear transformation given in matrix form by x = Lz

14 T where x was given above, z = (z1, z2, z3, z4) , and

α2 1 0 α   0 0 α2 α2 L =   . α2 α2 α α  1 1 1 0

The public polynomials can then be computed via

¯ T ¯ T T fi = z Qiz = z (L QiL)z, i = 1, 2

In fact, they are:

¯ 2 2 2 2 2 f1(z1, z2, z3, z4) = z1 + z2 + αz2z3 + α z2z4 + α z4 ¯ 2 2 2 2 2 2 f2(z1, z2, z3, z4) = αz1 + z1z2 + αz1z4 + α z2 + αz2z3 + α z2z4 + αz3 + z3z4 + z4

¯ The corresponding matrices Qi are in upper triangular form:

1 0 0 0  α 1 0 α  2 2 2 ¯ 0 1 α α  ¯ 0 α α α  Q1 =   , Q2 =   . 0 0 0 0  0 0 α 1  0 0 0 α2 0 0 0 1 ¯ ¯ ¯ Then the public key is F = (f1, f2).

Suppose we want to sign D = (d1, d2) = (α, 1). To ﬁnd a valid signature

S = (s1, s2, s3, s4), we begin by randomly choosing values for the vinegar variables, say

2 (¯x1, x¯2) = (α , α)

Substituting these values into the Oil-Vinegar polynomials yields the linear polynomials:

2 2 2 f1(x1, x2, α , α) = αx1 + α x2 + α

2 2 f2(x1, x2, α , α) = αx1 + αx2 + α

15 2 Setting fi(x1, x2, α , α) = di for i = 1, 2, That is,

2 2 αx1 + α x2 + α = α

2 αx1 + αx2 + α = 1

We have the simpliﬁed linear system:

2 αx1 + α x2 = 1

αx1 + αx2 = α

Or rewrite as,

2 x1 + αx2 = α

x1 + x2 = 1

which has the solution:

2 (x1, x2) = (α, α )

To check our work, we simply verify that:

F (α, α2, α2, α) = (α, 1)

Finally, the signature is computed as:

S = L−1(α, α2, α2, α) = (1, α2, 0, 1)

The legitimacy of the signature can be veriﬁed using the public key F¯:

F¯(1, α2, 0, 1) = (α, 1)

2.8 Current Attacks on Oil-Vinegar Signature Schemes

An oil-vinegar signature scheme (OV) is a signature scheme based on multivariate quadratic polynomial equations over a ﬁnite ﬁeld. There are m

16 equations and n variables in the oil and vinegar equation system with m < n. Typically we need 2m ≤ n to form a proper signature scheme. There are v vinegar variables and o oil variables with v + o = n. There are three types of OV so far: balanced oil-vinegar signature scheme, unbalanced oil-vinegar signature scheme (UOV), and branch oil-vinegar signature scheme. A balanced oil-vinegar signature scheme has m (oil and vinegar) equations and n = 2m variables with m of them being oil variables and m of them being vinegar variables. That is o = v = m and n = o + v = 2m. An unbalanced oil-vinegar signature scheme has m (oil and vinegar) equations and n variables with n > 2m. There are o = m oil variables and v = n − m vinegar variables. A branch oil-vinegar signature scheme has several layers with each layer being a small oil-vinegar signature scheme. We can use either balanced or unbalanced oil-vinegar signature scheme in a particular layer. But there is at least one of those layers being an unbalanced oil-vinegar signature scheme. The original balanced oil-vinegar system proposed by Jacques Patarin [7] was broken in a paper of Louis Goubin and Nicolas T. Courtois [34]. The structure

−1 attack used the fact that the oil space is invariant under the mapping gi(gj (X)). By identifying the oil space, we can construct a linear mapping to remove the effect of the affine linear mapping L2. Regarding the security of the unbalanced oil-vinegar system (proposed by Aviad Kipnis [9]), there are some results in the same paper of Louis Goubin and Nicolas T. Courtois [34]. But after a careful check, the method does not work for the unbalanced oil-vinegar system. So far, there is no effective method to break the general unbalanced oil-vinegar system. For the branch oil-vinegar system like TTS, the security is unknown before our work. (The branch oil-vinegar system has the multi-layer structure with each layer

17 to be an oil-vinegar system. Typically, TTS is a 3 layer branch oil-vinegar system.)

18 Chapter 3

Notation

3.1 Multivariate Polynomials

A polynomial in x with coeﬃcients in a ﬁeld F is an expression of the form

n X i n p(x) = aix = a0 + a1x + ... + anx i=0

2 n where a0, ..., an are elements of F , the coeﬃcients of p; x, x , ..., x are powers of the variable x. Those expressions can be added and multiplied, then brought into the same form using the ordinary rules for manipulating algebraic expressions, such as associativity, commutativity, distributivity, and collecting the similar terms. Any

k term akx with zero coeﬃcient, ak = 0, may be omitted. The product of the powers of x is deﬁned by the familiar formula xixj = xi+j. Multivariate polynomial is a generalization of the polynomial p(x) with

x1, x2, ..., xn as variables for the integer n > 1.

3 2 3 Example 3.1 f(x1, x2) = x1 + 3x1x2 + 2x1 + x2 + 3x2 + 2 is a polynomial of 2

variables x1 and x2 of total degree 3 over the integer ring Z.

The ground finite field k with q elements. So the order of the field |k| = q The extension field K with the extension degree [K : k] = n. So we have the order |K| = qn.

19 Oil variables x1, . . . , xo with the positive integer o.

Vinegar variablesx ¯1,..., x¯v with the positive integer v. Here o + v = n.

P = k[x1, . . . , xn] is a polynomial ring over the ground ﬁeld k of n variables x1, . . . , xn.

Q = k[x1, . . . , xn]/I is the quotient ring with the ideal

q q I =< x1 − x1, . . . , xn − xn >. We also call Q the function ring in abstract algebra. Oil-vinegar polynomial

v v o v o v X X X X X X f(x1, . . . , xo;x ¯1,..., x¯v) = aijx¯ix¯j + bijxix¯j + cixi + djx¯j + e i=1 j=i i=1 j=1 i=1 j=1 where aij, bij, ci, dj and e ∈ k. In fact f ∈ k[x1, . . . , xo, x¯1,..., x¯v]. The aﬃne linear mapping L on the vector space kn can be written as

L(x1, . . . , xn) = AX + b, with A an n × n matrix over k, b an n × 1 vector over k

T and X an n × 1 vector (x1, . . . , xn) . The value of each xi is from the ﬁeld k. If there is more than one aﬃne linear mapping, we will use L1, L2, etc. to name them. ϕ : K → kn, the natural bijective mapping from K to kn satisfying

n−1 T ϕ(a1 + a2α + ... + anα ) = (a1, a2, . . . , an)

with α being a generator of the field K and each ai being an element of the ground field k. In this situation, the field K can be written as

n−1 K = {a1 + a2α + ... + anα | all ai ∈ k}. F¯ : K → K is the core mapping of a crypto-system. F : kn → kn is the combination mapping. We have the relation

F = ϕ ◦ F¯ ◦ ϕ−1

The diagram is like the following,

We use the row vector (x1, . . . , xn) to stand for the variables in the message space.

20 F¯ K - K

6 ϕ−1 ϕ

F ? kn - kn

Figure 3.1: The combination of 3 mappings

We use the row vector (y1, . . . , yn) to stand for the variables in the cipher space. A typical crypto-system is given in the following diagram.

F¯ K - K

6 ϕ−1 ϕ ? L2 FL1 kn - kn - kn - kn

Figure 3.2: A typical crypto-system from kn to kn

D = (m1, m2, . . . , mn−r), the document to be signed. Here each mi is an element of the ground ﬁeld k.

S = (s1, s2, . . . , sn), the signature for the document D. Here each si is an element of the ground ﬁeld k.

PKey = (f1, f2, . . . , fn), the public key of a crypto-system or a signature scheme.

Here each fi is a multivariate polynomial of variables x1, x2, . . . , xn over the ground ﬁeld k. In this paper, it has total degree at most 2.

21 SKey = (g1, g2, . . . , gn), the secret key (or private key) of a crypto-system or a

signature scheme. Here each gi is a multivariate polynomial of variables

y1, y2, . . . , yn over the ground ﬁeld k. Its total degree is not necessary to be less or equal to 2 generally. A typical signature scheme is given in the following diagram.

F¯ K - K

6 ϕ−1 ϕ ? L2 FL1 π kn - kn - kn - kn - kn−r

Figure 3.3: A typical signature scheme from kn to kn−r

3.2 TTS Attack notation

We will use the following parameters:

• q = 28 = 256 the size of the ground ﬁnite ﬁeld.

• m = 20 the number of equations in the TTS signature scheme.

• n = 28 the number of variables.

• o = 13 the number of oil variables.

• v = 15 the number of vinegar variables.

22 Let the ground field be k = GF (q), a Galois field of size q. Let the extension field be K with the extension degree [K : k] = n.

Let the public key polynomials be F = (F1,...,F20). They are m quadratic polynomials of n variables.

Let the private keys be given by L1,L2, f = (f1, . . . , f20) with F = L1 ◦ f ◦ L2. Here f are m quadratic polynomials of n variables given in the design of the TTS [6].

The affine linear mapping is L1(x1, . . . , x20) = (x1, . . . , x20) × A1 + b1 where A1 is an m × m invertible matrix over the ground field k, b1 = (b1,1, . . . , b1,20) is an m-dimensional row vector over the ground field k.

An affine linear mapping is L2(x1, . . . , x28) = (x1, . . . , x28) × A2 + b2 where A2 is an n × n invertible matrix over the ground field k, b2 = (b2,1, . . . , b2,28) is an n-dimensional row vector over the ground field k.

0 0 0 Let L1(x1, . . . , x20) = (x1, . . . , x20) × A1 = (L1,1,...,L1,20) be the linear part of L1. 0 0 0 Let L2(x1, . . . , x28) = (x1, . . . , x28) × A2 = (L2,1,...,L2,28) be the linear part of L2. 0 Let fi denote all homogeneous quadratic terms of the polynomial fi in the secret key.

0 0 0 Let f (x1, . . . , x28) = (f1 , . . . , f20). 0 Let Fi denote all homogeneous quadratic terms of the polynomial Fi in the public key.

0 0 0 0 0 0 0 Let F (x1, . . . , x28) = (F1 ,...,F20), so we have F = L1 ◦ f ◦ L2. ˜ ˜ ˜ ˜0 ˜0 ˜0 0 0 Let F = (F1,..., F20) = f ◦ L2. Similarly let F = (F1 ,..., F20) = f ◦ L2. 0 For each homogeneous quadratic polynomial fl = Σi≤j(fl)i,jxixj, we associate a symmetric n × n matrix ml to it such that (ml)i,i = 2(fl)i,i = 0 and

(ml)i,j = (ml)j,i = (fl)i,j.

0 0 t For each ml, we can associate a bilinear form as < X, X >l= Xml(X ) and its

t quadratic form < X, X >l= Xmutl X .

0 0 0 Here X = (x1, . . . , x28) and X = (x1, . . . , x28).

23 mutl is the upper triangular matrix from ml. It is deﬁned as (mutl )i,j = 0 for i ≥ j

and (mutl )i,j = (fl)i,j for i < j.

0 Similarly, for each homogeneous quadratic polynomial Fl = Σi≤j(Fl)i,jxixj, we can

associate a symmetric n × n matrix Ml.

0 l 0 t For each Ml, we can associate a bilinear form as < X, X > = XMl(X ) and its

l t quadratic form < X, X > = XMutl X .

Mutl is the upper triangular matrix from Ml. It is deﬁned as (Mutl )i,j = 0 for i ≥ j and (Mutl )i,j = (Fl)i,j for i < j.

s 28 Let fi be the sum of the quadratic terms in fi restricted to the space O × k . So we have

s f1 = x2x9p8,1 + x4x11p8,3 + x6x13p8,5 + x8x15p8,7

s f2 = x2x10p9,1 + x4x12p9,3 + x6x14p9,5 + x8x16p9,7

s f3 = x2x11p10,1 + x4x13p10,3 + x6x15p10,5 + x8x17p10,7

s f4 = x2x12p11,1 + x4x14p11,3 + x6x16p11,5 + x8x9p11,7

s f5 = x2x13p12,1 + x4x15p12,3 + x6x17p12,5 + x8x10p12,7

s f6 = x2x14p13,1 + x4x16p13,3 + x6x9p13,5 + x8x11p13,7

s f7 = x2x15p14,1 + x4x17p14,3 + x6x10p14,5 + x8x12p14,7

s f8 = x2x16p15,1 + x4x9p15,3 + x6x11p15,5 + x8x13p15,7

s f9 = x2x17p16,1 + x4x10p16,3 + x6x12p16,5 + x8x14p16,7

24 s f10 = x2x7p17,1 + x3x6p17,2 + x4x5p17,3

s f11 = x3x8p18,1 + x4x7p18,2 + x5x6p18,3

s f12 = x1x20p19,1 + x19x21p19,2 + x18x22p19,3 + x17x23p19,4 + x16x24p19,5

+x15x25p19,6 + x14x26p19,7 + x13x27p19,8 + x12x28p19,9

s f13 = x3x20p20,1 + x1x21p20,2 + x19x22p20,3 + x18x23p20,4 + x17x24p20,5

+x16x25p20,6 + x15x26p20,7 + x14x27p20,8 + x13x28p20,9

s f14 = x5x20p21,1 + x3x21p21,2 + x1x22p21,3 + x19x23p21,4 + x18x24p21,5

+x17x25p21,6 + x16x26p21,7 + x15x27p21,8 + x14x28p21,9

s f15 = x7x20p22,1 + x5x21p22,2 + x3x22p22,3 + x1x23p22,4 + x19x24p22,5

+x18x25p22,6 + x17x26p22,7 + x16x27p22,8 + x15x28p22,9

s f16 = x9x20p23,1 + x7x21p23,2 + x5x22p23,3 + x3x23p23,4 + x1x24p23,5

+x19x25p23,6 + x18x26p23,7 + x17x27p23,8 + x16x28p23,9

s f17 = x11x20p24,1 + x9x21p24,2 + x7x22p24,3 + x5x23p24,4 + x3x24p24,5

+x1x25p24,6 + x19x26p24,7 + x18x27p24,8 + x17x28p24,9

s f18 = x13x20p25,1 + x11x21p25,2 + x9x22p25,3 + x7x23p25,4 + x5x24p25,5

+x3x25p25,6 + x1x26p25,7 + x19x27p25,8 + x18x28p25,9

s f19 = x15x20p26,1 + x13x21p26,2 + x11x22p26,3 + x9x23p26,4 + x7x24p26,5

+x5x25p26,6 + x3x26p26,7 + x1x27p26,8 + x19x28p26,9

s f20 = x17x20p27,1 + x15x21p27,2 + x13x22p27,3 + x11x23p27,4 + x9x24p27,5

+x7x25p27,6 + x5x26p27,7 + x3x27p27,8 + x1x28p27,9

s s We will use f10 and f11 in our attack with

s f10 = x2x7p17,1 + x3x6p17,2 + x4x5p17,3

s f11 = x3x8p18,1 + x4x7p18,2 + x5x6p18,3

25 Let Sv = {x1, . . . , x28} be the set of all variables.

Let Ov = {x2, x4, x6, x8, x20, . . . , x28} be the set of Oil variables. Here |Ov| = o = 13.

The Vinegar variables make up the set Vv = Sv\Ov = {x1, x3, x5, x7, x9, . . . , x19}

with |Vv| = v = 15 .

28 th Let X = (x1, ..., x28) = Σi=1xiEi where Ei = (0 ... 0, 1, 0 ... 0) is the vector whose i component is 1 and the rest are zeros. Let O denote the space of the span of the vectors corresponding to the Oil variables,

namely O = Span(E2,E4,E6,E8,E20,...,E28), Let V denote the space of the span of the vectors corresponding to the Vinegar

variables, namely V = Span(E1,E3,E5,E7,E9,...,E19). ¯ Let X = (x2, x4, x6, x8, x20, . . . , x28; x1, x3, x5, x7, x9, . . . , x19). And the 28 × 28 permutation matrix Z such that X = X¯ × Z. t ¯ ¯ t So we have < X, X >l= XmlX is same as Xm¯ lX with the matricesm ¯ i for 1 ≤ i ≤ 20 in the following forms,

0 bi m¯ i = t bi di

Here each bi is a block matrix of 13 × 15 over the ground ﬁeld k;

t bi is the transpose matrix of the matrix bi;

each di is a block symmetric matrix of 15 × 15 over the ground ﬁeld k. ˜ 0 0 Let O = L2(O) be the image of O under L2.

Let Ni denote the null space for each bilinear form <, >i. So we have

N1 = Span(E1,E16,...,E28) because no x1, x16, . . . , x28 terms in f1.

N2 = Span(E1,E9,E17,...,E28),

N3 = Span(E1,E9,E10,E18,...,E28),

N4 = Span(E1,E10,E11,E18,...,E28),

N5 = Span(E1,E11,E12,E18,...,E28),

26 N6 = Span(E1,E12,E13,E18,...,E28),

N7 = Span(E1,E13,E14,E18,...,E28),

N8 = Span(E1,E14,E15,E18,...,E28),

N9 = Span(E1,E15,E16,E18,...,E28),

N10 = Span(E1,E8,E9,E18,...,E28),

N11 = Span(E1,E2,E9,E10,E19,...,E28),

N12 = Span(E2,...,E8,E10),

N13 = Span(E2,E4,...,E9,E11),

N14 = Span(E2,E4,E6,E7,E8,E9,E10,E12),

N15 = Span(E2,E4,E6,E8,...,E11,E13),

N16 = Span(E2,E4,E6,E8,E10,E11,E12,E14),

N17 = Span(E2,E4,E6,E8,E10,E12,E13,E15),

N18 = Span(E2,E4,E6,E8,E10,E12,E14,E16),

N19 = Span(E2,E4,E6,E8,E10,E12,E14,E17),

N20 = Span(E2,E4,E6,E8,E10,E12,E14,E16,E18).

Here the dimension of every space from N1 to N11 is 14.

The dimension of every space from N12 to N19 is 8.

The dimension of N20 is 9. ˜ 0 ˜ 0 Let N10 = L2(N10) and N11 = L2(N11). ˜ 0 Here, Ni = L2(Ni) for the integer i with 1 ≤ i ≤ 20. ¯ Let O1 = O ∩ N10 ∩ N11 = Span(E20,...,E28). ˜ 0 ¯ ˜ ˜ ˜ Let O1 = L2(O1) = O ∩ N10 ∩ N11. ˜ 0 0 Then O1 = Span(L2(x20),...,L2(x28)). s ˆ Let <, >i denote the bilinear form corresponding to the quadratic part of Fi over k16.

s s Let Ni denote the null space for each bilinear form <, >i . s s s s Then we have Span(N1 ,...,N9 ) = Span(E9,...,E17).

27 s ˜ Here Ei = L5(Ei) with L5 the linear mapping in step 6 reformulation of G1.

28 Chapter 4

Structure Attack on Oil-Vinegar Scheme

4.1 Structure Attack background

The subject we deal with is the new TTS authentication system presented in “CHES 2004: 6th International Workshop” at Cambridge, MA, USA in August 2004. This new system belongs to the family of TTS multivariate signature schemes [10]. The main achievement of our work is to show how the combination of several different attack methods can be used to defeat the new TTS system, more generally how combining known attacks on multivariate schemes can be a powerful tool. In the last few years, new methods have been invented to construct multivariate crypto-systems, which use multivariate polynomial functions instead of functions of a single variable. The security of this type of crypto-systems is based on the fact that solving the system of modular polynomial equations with many variables is an NP-complete problem [1]. In 2003, Sflash [11], a multivariate signature scheme was selected by NESSIE, the New European Schemes for Signatures, Integrity, and Encryption project within the Information Society Technologies (IST) Program of the European Commission, as one of the security standards for low cost smart card applications. Sflash is a variant of the Matsumoto-Imai crypto-system [3], and is derived from it by

29 applying the minus method, which was originally suggested by Shamir [32]. The minus method amounts to taking out (minus) a few components of a given multivariate mapping. After Patarin defeated the original Matsumoto-Imai encryption crypto-system [4], several variants and extensions of the Matsumoto-Imai crypto-system [33, 14, 17, 12], including Sﬂash, were constructed. Another interesting family of crypto-systems is the TTM system [35]. The basic idea of this construction in some way is originated from the famous Jacobian Conjecture in mathematics. For the TTM construction, the key building block is a nonlinear invertible de

Jonqui`eres mapping J(z1, ..., zn) between two n-dimensional vector spaces over a

n ﬁnite ﬁeld k, which sends an element X = (z1, ..., zn) in k to:

J(z1, . . . , zn) = (z1 + g1(z2, . . . , zn), z2 + g2(z3, . . . , zn), . . . , zn−1 + gn−1(zn), zn)

where each gi is a nonlinear polynomial function. All de Jonquières mappings belong to the family of so-called tame transformations in algebraic geometry. The original TTM schemes were intended for the purpose of public key encryption. Attempts were made to apply a similar but simpler idea for signatures, the result being called the TTS (tamed transformation signature) scheme. It is essentially the result of an application of the minus method in [32] to a tame transformation. A few systems were suggested by Chen and his collaborators in [36, 5] and the security and efficiency of these systems were claimed to rival that of Sflash. The inventors of the first TTS schemes later admitted in [6] that they had been careless about their security claims, and they showed that all schemes in [5] could be defeated easily. New schemes were suggested in [10] and again were claimed to have the security and efficiency rivaling those of Sflash. One scheme in particular was carefully studied in terms of its practical implementation on low cost smart-card, and was presented at CHES 2004 [6]. They concluded that the system

30 is indeed very eﬃcient.

4.2 Main Attack Process

The target system we are trying to attack is the TTS presented at CHES 2004 [6]. The system diagram is the following.

? L2 f L1 k28 - k28 - k20 - k20

Figure 4.1: TTS signature scheme from k28 to k20 in TTS [6]

The main idea to attack the target system is to forge a pre-image for the given document D. Using this forged signature Sf , we can use the public key F to verify

F (Sf ) = D.

28 20 The core quadratic mapping f from k to k is the following with each pi,j being randomly chosen element in the ground ﬁeld k:

f(x1, ..., x28) = (f1(x1, ..., x28), . . . , f20(x1, ..., x28)) (4.1)

31 f1 = x9 + x2x9p8,1 + x3x10p8,2 + x4x11p8,3 + x5x12p8,4 + x6x13p8,5 + x7x14p8,6

+x8x15p8,7

f2 = x10 + x2x10p9,1 + x3x11p9,2 + x4x12p9,3 + x5x13p9,4 + x6x14p9,5 + x7x15p9,6

+x8x16p9,7

f3 = x11 + x2x11p10,1 + x3x12p10,2 + x4x13p10,3 + x5x14p10,4 + x6x15p10,5

+x7x16p10,6 + x8x17p10,7

f4 = x12 + x2x12p11,1 + x3x13p11,2 + x4x14p11,3 + x5x15p11,4 + x6x16p11,5

+x7x17p11,6 + x8x9p11,7

f5 = x13 + x2x13p12,1 + x3x14p12,2 + x4x15p12,3 + x5x16p12,4 + x6x17p12,5

+x7x9p12,6 + x8x10p12,7

f6 = x14 + x2x14p13,1 + x3x15p13,2 + x4x16p13,3 + x5x17p13,4 + x6x9p13,5

+x7x10p13,6 + x8x11p13,7

f7 = x15 + x2x15p14,1 + x3x16p14,2 + x4x17p14,3 + x5x9p14,4 + x6x10p14,5

+x7x11p14,6 + x8x12p14,7

f8 = x16 + x2x16p15,1 + x3x17p15,2 + x4x9p15,3 + x5x10p15,4 + x6x11p15,5

+x7x12p15,6 + x8x13p15,7

f9 = x17 + x2x17p16,1 + x3x9p16,2 + x4x10p16,3 + x5x11p16,4 + x6x12p16,5

+x7x13p16,6 + x8x14p16,7 f10 = x18 + x2x7p17,1 + x3x6p17,2 + x4x5p17,3 + x10x17p17,4 + x11x16p17,5

+x12x15p17,6 + x13x14p17,7 f11 = x19 + x3x8p18,1 + x4x7p18,2 + x5x6p18,3 + x11x18p18,4 + x12x17p18,5

+x13x16p18,6 + x14x15p18,7 f12 = x20 + x9x11p19,0 + x1x20p19,1 + x19x21p19,2 + x18x22p19,3 + x17x23p19,4

+x16x24p19,5 + x15x25p19,6 + x14x26p19,7 + x13x27p19,8 + x12x28p19,9

32 f13 = x21 + x10x12p20,0 + x3x20p20,1 + x1x21p20,2 + x19x22p20,3 + x18x23p20,4

+x17x24p20,5 + x16x25p20,6 + x15x26p20,7 + x14x27p20,8 + x13x28p20,9

f14 = x22 + x11x13p21,0 + x5x20p21,1 + x3x21p21,2 + x1x22p21,3 + x19x23p21,4

+x18x24p21,5 + x17x25p21,6 + x16x26p21,7 + x15x27p21,8 + x14x28p21,9

f15 = x23 + x12x14p22,0 + x7x20p22,1 + x5x21p22,2 + x3x22p22,3 + x1x23p22,4

+x19x24p22,5 + x18x25p22,6 + x17x26p22,7 + x16x27p22,8 + x15x28p22,9

f16 = x24 + x13x15p23,0 + x9x20p23,1 + x7x21p23,2 + x5x22p23,3 + x3x23p23,4

+x1x24p23,5 + x19x25p23,6 + x18x26p23,7 + x17x27p23,8 + x16x28p23,9

f17 = x25 + x14x16p24,0 + x11x20p24,1 + x9x21p24,2 + x7x22p24,3 + x5x23p24,4

+x3x24p24,5 + x1x25p24,6 + x19x26p24,7 + x18x27p24,8 + x17x28p24,9

f18 = x26 + x15x17p25,0 + x13x20p25,1 + x11x21p25,2 + x9x22p25,3 + x7x23p25,4

+x5x24p25,5 + x3x25p25,6 + x1x26p25,7 + x19x27p25,8 + x18x28p25,9

f19 = x27 + x16x18p26,0 + x15x20p26,1 + x13x21p26,2 + x11x22p26,3 + x9x23p26,4

+x7x24p26,5 + x5x25p26,6 + x3x26p26,7 + x1x27p26,8 + x19x28p26,9

f20 = x28 + x17x19p27,0 + x17x20p27,1 + x15x21p27,2 + x13x22p27,3 + x11x23p27,4

+x9x24p27,5 + x7x25p27,6 + x5x26p27,7 + x3x27p27,8 + x1x28p27,9

The core mapping f = (f1, . . . , f20) are m(= 20) quadratic polynomials of n(= 28) variables given in the design of the TTS [6]. It can be viewed as a three layer (or branch) oil-vinegar system.

The ﬁrst layer is from f1 to f9. The second layer is from f10 to f11. The third layer is from f12 to f20.

33 That is,

(I) = {fi|i = 1,..., 9}

(II) = {fi|i = 10, 11}

(III) = {fi|i = 12,..., 20} (4.2)

In the ﬁrst layer, the quadratic part of every fi has the following form,

8 17 0 X X fl = aijxixj (4.3) i=2 j=9

The associated matrix mi has rank 14 in the ﬁrst layer since each fi has 7 diﬀerent quadratic terms. The linear combination of those mi matrices will not change the rank. In another word, any matrix in the space spanned by m1, . . . , m9 has the rank 14.

In the second layer, f10 and f11 both come from a de Jonqui`eres construction. That is,

f10(x2, . . . , x18) = x18 + g10(x2, . . . , x17)

f11(x2, . . . , x19) = x19 + g11(x2, . . . , x18)

In fact, They can be written in a more special way as follows,

f10(x2, . . . , x18) = x18 + g10(x2, . . . , x7; x10, . . . , x17)

f11(x2, . . . , x19) = x19 + g11(x3, . . . , x8; x11, . . . , x18)

If we add group (II) elements (They also have rank 14.) to the group (I) elements, the rank of the matrix may increase but it will not be larger than 16. In another word, any matrix in the space spanned by m1, . . . , m11 has the rank either 14 or 16. Rank 16 happens only if this rank 16 matrix is a linear combination of those 11 basis matrices mi for 1 ≤ i ≤ 11 with the coeﬃcient of m11 nonzero.

34 In the third layer, the quadratic part of every fi has the following form, 19 28 19 19 28 0 X X X X X fl = aijxixj + bijxixj + cjx1xj (4.4) i=2 j=20 i=9 j=9 j=20 If we add group (III) elements to any linear combination of the group (I) and (II) elements, the rank of the matrix may increase and a random linear

0 combination of all fi world produce a non-degenerate quadratic form. The construction of the signature S for the given document D, we need to solve the equation D = F (S) to get S.

−1 So we need to deal with f ◦ L2(S) = L1 (D) since F = L1 ◦ f ◦ L2.

Since both L1 and L2 are aﬃne linear mappings, the inverses of L1 and L2 are easy to ﬁnd. So the signature construction is focused on how to get an inverse of the core mapping f = (f1, . . . , f20).

0 0 0 28 0 0 0 That is, given a value Y = (y1, . . . , y20) in k , to ﬁnd a value X = (x1, . . . , x28) such that Y 0 = f(X0). We can do this in the following 3 steps,

0 0 Step 1: Randomly chosen values x2, . . . , x8 for x2, . . . , x8 such that the aﬃne linear equation system from the group (I) is solvable. Then those equations become an aﬃne linear equation system of 9 equations and 9 variables x9, . . . , x17. That is,

 0 0 0 f1(x2, . . . , x8, x9, . . . , x17) = y1  f (x0 , . . . , x0 , x , . . . , x ) = y0  2 2 8 9 17 2  0 0 0 f3(x2, . . . , x8, x9, . . . , x17) = y3  f (x0 , . . . , x0 , x , . . . , x ) = y0  4 2 8 9 17 4 0 0 0 f5(x2, . . . , x8, x9, . . . , x17) = y5  0 0 0 f6(x2, . . . , x8, x9, . . . , x17) = y6  0 0 0 f7(x2, . . . , x8, x9, . . . , x17) = y7  f (x0 , . . . , x0 , x , . . . , x ) = y0  8 2 8 9 17 8  0 0 0 f9(x2, . . . , x8, x9, . . . , x17) = y9 We can easily solve this linear equation system to get a solution, say

0 0 (x9, . . . , x17).

35 Step 2: Due to the polynomials f10 and f11 are triangular mappings, we can

0 0 0 substitute the values of x2, . . . , x17 into f10(x2, . . . , x18) = y10 to get a linear equation of x18. (Since f10 = x18 + g10(x2, . . . , x17) ) Then solve the linear equation

0 0 0 to get the value of x18. Say, x18. Then we can substitute the values of x2, . . . , x18 0 into f11(x2, . . . , x19) = y11 to get a linear equation of x19. (Since f11 = x19 + g11(x2, . . . , x18) ) Then solve the linear equation to get the value of x19.

0 Say, x19. So far, we have the value of the variables x2, . . . , x19 such that 0 0 (x2, . . . , x19) = (x2, . . . , x19). 0 Step 3: Randomly chosen values x1 for x1 such that the aﬃne linear equation system from the group (III) is solvable. Then those equations become an aﬃne linear equation system of 9 equations and 9 variables x20, . . . , x28. That is,  0 0 0 f12(x1, . . . , x19, x20, . . . , x28) = y12  f (x0 , . . . , x0 , x , . . . , x ) = y0  13 1 19 20 28 13  0 0 0 f14(x1, . . . , x19, x20, . . . , x28) = y14  f (x0 , . . . , x0 , x , . . . , x ) = y0  15 1 19 20 28 15 0 0 0 f16(x1, . . . , x19, x20, . . . , x28) = y16  0 0 0 f17(x1, . . . , x19, x20, . . . , x28) = y17  0 0 0 f18(x1, . . . , x19, x20, . . . , x28) = y18  f (x0 , . . . , x0 , x , . . . , x ) = y0  19 1 19 20 28 19  0 0 0 f20(x1, . . . , x19, x20, . . . , x28) = y20 We can easily solve this linear equation system to get a solution, say

0 0 (x20, . . . , x28). 0 0 So we have gotten a pre-image (x1, . . . , x28) of core mapping f for the given 0 0 image (y1, . . . , y20) which play the role as the document. Our attacking will simulate this signature construction process to get a pre-image of the given document.(This pre-image is not necessary to be same as the constructed pre-image using the secret keys.)

36 4.2.1 7-step attack outline

7-step attack outline:

1. Step 1: The unbalanced Oil and Vinegar attack.

0 The goal of this step is to remove the eﬀect of the linear part L2 of the secret ˜ mapping L2 using a linear mapping L3 for the hidden oil space O. ˜ 0 0 The space O = L2(O) is invariant under the mapping L2 ◦ L3.

2. Step 2: The Min-rank attack ˜ ˜ ˜ The goal of this step is to get the full form of F10 and F11 with F = f ◦ L2

˜ 3. Step 3: The search for the null subspace O1. t ˜ The goal of this step is to ﬁnd the 28 × 28 matrix A4 such that A4MiA4 = Mi in the block matrix form. ˜ ˜ ˜ ˜ 0 The null space O1 = O ∩ N10 ∩ N11 is invariant under the mapping L2 ◦ L4.

˜ 4. Step 4: Finding the space G12 which is the subspace of the linear span of ﬁrst

0 11 components of f ◦ L2.

˜ 5. Step 5: Finding the space G1 which is the subspace of the linear span of ﬁrst 9

0 components of f ◦ L2.

˜ 6. Step 6: Reformulation of G1.

7. Step 7: Completing the attack.

4.2.2 Step 1: The unbalanced oil and vinegar attack

0 Removing the eﬀect of the linear part L2 of the secret mapping L2 using a linear ˜ mapping L3 to get the hidden oil space O.

37 F

? L3 L2 f L1 k28 - k28 - k28 - k20 - k20 6

F˜

Figure 4.2: Step 1 Attack Diagram 1

First, we deﬁne a linear mapping LZ to change the order of variables in the following way,

28 28 LZ : k −→ k (4.5)

X¯ 7−→ X

¯ ¯ such that X = LZ (X) = X × Z. Here X = x1 x2 . . . x28 , a 28-dimensional row vector; (Or a 1 × 28 matrix.) ¯ X = [x2, x4, x6, x8, x20, . . . , x28; x1, x3, x5, x7, x9, . . . , x19]. Z is the 28 × 28 permutation matrix with X = X¯ × Z.

−1 In fact, we can also give the linear mapping LZ and LZ in the following table form,

xi x1 x2 x3 x4 x5 x6 x7 LZ (xi) x14 x1 x15 x2 x16 x3 x17

xi x8 x9 x10 x11 x12 x13 x14 LZ (xi) x4 x18 x19 x20 x21 x22 x23

xi x15 x16 x17 x18 x19 x20 x21 LZ (xi) x24 x25 x26 x27 x28 x5 x6

xi x22 x23 x24 x25 x26 x27 x28 LZ (xi) x7 x8 x9 x10 x11 x12 x13

Table 4.1: The linear mapping LZ

38 xi x1 x2 x3 x4 x5 x6 x7 −1 LZ (xi) x2 x4 x6 x8 x20 x21 x22 xi x8 x9 x10 x11 x12 x13 x14 −1 LZ (xi) x23 x24 x25 x26 x27 x28 x1 xi x15 x16 x17 x18 x19 x20 x21 −1 LZ (xi) x3 x5 x7 x9 x10 x11 x12 xi x22 x23 x24 x25 x26 x27 x28 −1 LZ (xi) x13 x14 x15 x16 x17 x18 x19

−1 Table 4.2: The linear mapping LZ

The full form of the matrix Z is given in the following,

 0100000000000000000000000000  0001000000000000000000000000  0000010000000000000000000000     0000000100000000000000000000   0000000000000000000100000000   0000000000000000000010000000     0000000000000000000001000000   0000000000000000000000100000   0000000000000000000000010000     0000000000000000000000001000   0000000000000000000000000100   0000000000000000000000000010     0000000000000000000000000001  Z =  1000000000000000000000000000   0010000000000000000000000000   0000100000000000000000000000     0000001000000000000000000000   0000000010000000000000000000   0000000001000000000000000000     0000000000100000000000000000   0000000000010000000000000000   0000000000001000000000000000     0000000000000100000000000000   0000000000000010000000000000   0000000000000001000000000000   0000000000000000100000000000   0000000000000000010000000000  0000000000000000001000000000

39 In fact, the 28 × 28 permutation matrix Z can be written as the following block matrix form,

 E2   E4     E6     E8     E20   .   .   .     E28  Z =    E1     E3     E5     E7     E9   .   .  E19

Here, each Ei is a 28-dimensional row vector (or we can view it as a 1 × 28 matrix.) with only ith position to be 1 and all other positions to be zeros.

By doing this, we can shift the 13 oil variables x2, x4, x6, x8, x20, . . . , x28 into the ﬁrst 13 positions of a vector which is in the oil space O. We have the following relations:

t ¯ ¯ t XmlX ,< X, X >l= Xm¯ lX

with the matricesm ¯ i for 1 ≤ i ≤ 20 in the following form,

0 bi m¯ i = t bi di t Here 0 is a 13 × 13 zero matrix, bi is a 13 × 15 matrix, bi is the transpose matrix of

bi and hence a 15 × 13 matrix, di is a 15 × 15 symmetric matrix.

We have the relation between mi andm ¯ i for each integer i with 1 ≤ i ≤ 20,

t m¯ i = ZmiZ (4.6)

40 Second, because the public key polynomials F1,...,F20 are gotten from oil-vinegar polynomials with o = 13 and v = 15, we can apply the attack methods in ˜ ˜ 0 0 [9] to find the hidden oil space O. Here O = L2(O) where L2 is the linear part of the affine linear mapping L2. According to [9], the computation complexity is O((28)v−o−1o4) = O((28) × 134) < O(223). We will use the hidden oil space O˜ in the following step 3 of the attack, too. After we have found the hidden oil space O˜, we can choose a new coordinate ˜ system such that the first o components are from O and rewrite the matrix Mi from the public key Fi for 1 ≤ i ≤ 20 in the following way, t ¯ 0 Bi A3MiA3 = Mi = t (4.7) Bi Di

t Here, 0 is a 13 × 13 zero matrix. Each Bi is a 13 × 15 matrix. Bi is the t transpose matrix of Bi, and hence each Bi is a 15 × 13 matrix. Each Di is a 15 × 15 symmetric matrix.

A3 is an invertible 28 × 28 matrix. In fact, if Bs1 = {V a1, . . . , V a13} is a basis in row vector form of the hidden oil space O˜, then we can extend this basis of O˜ into a basis of k28 since O˜ ⊂ k28 with another 15 linearly independent row vectors ˜ V b1, . . . , V b15 not contained in O. Then   V a1 .  .   .     V a13  A3 =    V b1   .   .  V b15

t ¯ is a matrix satisfying the equation A3MiA3 = Mi for each integer i with 1 ≤ i ≤ 20. 28 We can deﬁne a linear mapping between k by the matrix A3 in the following way,

41 28 28 L3 : k −→ k (4.8)

L3(X) = X × A3 Here X is a row vector x1 x2 . . . x28 . Then we know that the subspace O˜ is invariant under the linear transformation

0 L2 ◦ L3 or equivalently.

Let the 28 × 28 matrix A32 to be given in the followings, −1 −1 Q1 0 −1 A32 = Z × A3 × A2 = Z × × Z = Z × Q × Z (4.9) RQ2

Here the matrix Q is a 28 × 28 matrix in the 2 × 2 block form.

The upper left block Q1 is a 13 × 13 matrix over k; The upper right block 0 is a 13 × 15 zero matrix; The lower left block R is a 15 × 13 matrix over k;

The lower right block Q2 is a 15 × 15 matrix over k.

We can deﬁne the linear mapping LQ in the following way,

28 28 LQ : k −→ k (4.10)

LQ(X) = X × Q Here X is a row vector x1 x2 . . . x28 . So we have the following diagram,

42 LQ

0 −1 ? LZ L3 L2 LZ k28 - k28 - k28 - k28 - k28

Figure 4.3: Step 1 Attack Diagram 2

If we deﬁne the linear mapping L32 in the following way,

28 28 L32 : k −→ k (4.11)

X 7→ X × A32

Here X is a row vector x1 x2 . . . x28 . ˜ We know that the linear mapping L32 preserves the oil space O. This means the following, ˜ For the vector Vo = a1, . . . , a13, 0,..., 0 × Z ∈ O. It’s the image of the linear mapping LZ ( a1, . . . , a13, 0,..., 0 ). We have

L32(Vo) = Vo × A32

−1 = Vo × Z × A3 × A2

−1 = Vo × Z × Q × Z = a1, . . . , a13, 0,..., 0 × Q × Z = b1, . . . , b13, 0,..., 0 × Z ˜ = LZ ( b1, . . . , b13, 0,..., 0 ) ∈ O

The diagram is the following,

43 L32

0 L3 L2 - k28 −1 ? LZ k28 - k28 k28 LQ LZ 6 - k28

Figure 4.4: Step 1 Attack Diagram 3

4.2.3 Step 2: The Min-rank attack

˜ ˜ The goal of this step is to get the full form of F10 and F11.

Based on the equation F = L1 ◦ f ◦ L2, (Here F is the public key, L1, f and L2

0 0 0 0 0 0 are secret keys.) we have F = L1 ◦ f ◦ L2.(L1 is the linear part of L1, L2 is the 0 linear part of L2 and f is the homogeneous quadratic part of f.) The corresponding quadratic form will be

20 X t Ml = (A1)i,l(A2miA2) (4.12) i=1

Here, (A1)i,l is the [i, l] position of the 20 × 20 matrix A1.

A1 is the linear part of the mapping L1 with L1(X) = X × A1 + b1, b1 is a 20-dimensional row vector (Or view it as a 1 × 20 matrix);

A2 is the linear part of the mapping L2 with L2(X) = X × A2 + b2, b2 is a 28-dimensional row vector (Or view it as a 1 × 28 matrix);

Each mi is the quadratic form for the secret quadratic polynomials fi given in (4.1); (They are 20 matrices of 28 × 28.)

Each Ml is the quadratic form for the public quadratic polynomials Fl. (They are 20 matrices of 28 × 28.) ¯ Then we consider the upper right 13 × 15 blocks for the matricesm ¯ i and Mi

44 with 1 ≤ i ≤ 20. t 0 bi ¯ t 0 Bi Herem ¯ i = ZmiZ = t ; Mi = A3MiA3 = t . bi di Bi Di Note that (4.6), (4.7) and (4.11), we can get the following result,

20 X t Bl = (A1)i,l(Q1biQ2) (4.13) i=1

Here, (A1)i,l is the [i, l] position of the 20 × 20 matrix A1.

Q1 is the upper left 13 × 13 block of the matrix Q which deﬁne the linear mapping

LQ with LQ(X) = X × Q;

Q2 is the lower right 15 × 15 block of the matrix Q; bi is the upper right 13 × 15 block of the matrixm ¯ i; ¯ Bl is the upper right 13 × 15 block of the matrix Ml. We have this result mainly because the following,

t t Q1 0 0 bi Q1 0 Qm¯ iQ = × t × RQ2 bi di RQ2 t 0 Q1biQ2 = t t t t t t t Q2biQ1 Q2biR + RbiQ2 + Q2diQ2

t The upper right 13 × 15 block is given by Q1biQ2.

s Note that fi be the sum of the quadratic terms in fi restricted to the space O × k28. So we have

f10 = x2x7p17,1 + x3x6p17,2 + x4x5p17,3

f11 = x3x8p18,1 + x4x7p18,2 + x5x6p18,3

We ﬁnd that the rank of the corresponding matrices bi is exactly 3 for i = 10, 11.

(That is, rank b10 = rank b11 = 3.) The rank for all other bi’s is larger than 3. We can also see clearly that in the space of all possible linear combinations of bi, these two matrices and their constant multiples are the only matrices of the lowest rank 3.

45 t In this case, we can use the Min-rank method to search for both Q1b10Q2 and t Q1b11Q2 through linear combinations of Bi, because A1 is invertible. Here, we have a total 20 matrices of size 13 × 15 and the Min-rank is 3. From the complexity analysis by Goubin and Courtois [34], we know to ﬁnd one of them takes no more than a complexity of O(261). This is because of the following: The standard Min-Rank problem is: For the given parameters: integer N (The row number of matrices), integer n (The column number of matrices), integer k (The sum of 1 and the total number of given N × n matrices.), integer r (The maximal

rank), Matrices M0, M1, ..., Mk over the ﬁnite ﬁeld Fq. (That is

M0,M1,...,Mk ∈ MN×n(Fq). Here Fq stands for the ﬁnite ﬁeld of size q.), to decide k if there exists (λ1, . . . , λk) ∈ Fq such that

k X Rank(M0 − λiMi) ≤ r. i=1 The standard Min-Rank problem is a NP-complete problem [34]. But for small

d k er 3 integer r, there exists an algorithm with the computation complexity O(q n k ).

By choosing M0 a zero matrix, we can transfer the standard Min-Rank problem into our problem with the following parameters: N = 13, n = 15, k = 20, r = 3,

8 d k er 3 8 2×3 3 q = 2 = 256. So the complexity is O(q n k ) = O((2 ) × 20 ). It’s no more than a complexity of O(261).

Now, suppose that we have found two linearly independent rank 3 matrices Hi

with 10 ≤ i ≤ 11 (That is, H10 and H11) in the linear combinations of Bj in the following from, 20 X Hi = hi,jBj (4.14) j=1

Here h10,j and h11,j for 1 ≤ j ≤ 20 are elements in the ground ﬁeld k.

46 Because of the uniqueness of the space of linear combinations of matrices Bj, we have that 20 20 X 0 ˜0 X 0 ˜0 h10,jFj = β1F10, h11,jFj = β2F11 (4.15) j=1 j=1 or 20 20 X 0 ˜0 X 0 ˜0 h10,jFj = β1F11, h11,jFj = β2F10 (4.16) j=1 j=1 where β1 and β2 are non-zero constants in the ground ﬁeld k and

˜0 ˜0 ˜0 0 0 F = [F1 ,..., F20] = f ◦ L2,

0 0 0 f = [f1 , . . . , f20].

0 The homogeneous quadratic polynomials fi are linearly independent from the construction of the core mapping f, the linear and constant terms are, therefore, determined by the quadratic terms. This means that we could ﬁnd constant ˜ ˜ multiples of both F10, F11 by applying formula (4.15) or(4.16), namely

20 20 X ˜ X ˜ h10,jFj = β1F10, h11,jFj = β2F11 (4.17) j=1 j=1 or 20 20 X ˜ X ˜ h10,jFj = β1F11, h11,jFj = β2F10 (4.18) j=1 j=1 ˜ ˜ ˜ Here F = [F1,..., F20] = f ◦ L2, and essentially f10 and f11 with a substitution of variables.

47 4.2.4 Step 3: The search for the null subspace O˜1

Step 3: The search for the null subspace

˜ ˜ ˜ ˜ O1 = O ∩ N10 ∩ N11.

t ˜ The goal of this step is to ﬁnd the 28 × 28 matrix A4 such that A4MiA4 = Mi in the block matrix form.

? L4 L2 f L1 k28 - k28 - k28 - k20 - k20 6

F˜

Figure 4.5: Step 3 Attack Diagram 1

First, we will try to ﬁnd the space

˜ 0 O1 = L2(O1)

0 = L2(Span(E20,...,E28))

Consider quadratic form matrices m10 and m11 respect to f10 and f11 in the secret key polynomials f = [f1, . . . , f20].

Both m10 and m11 are of rank 14. The null space N10 of m10 has dimension 14 by the linear algebra formula: Rank(m) + Null(m) = Column numbers of the matrix m. (Here Null(m) means the nullity (of the matrix m) which is the dimension of the null space.) In fact, we have

N10 = Span(E1,E8,E9,E18,E19,E20,...,E28).

48 Similarly, we have the null space N11 of m11 has dimension 14. Here

N11 = Span(E1,E2,E9,E10,E19,E20,...,E28).

From the notation part, O = Span(E2,E4,E6,E8,E20,...,E28). Then the space

O1 = N10 ∩ N11 ∩ O

= Span(E20,...,E28).

And

˜ 0 O1 = L2(O1) ˜ ˜ ˜ = N10 ∩ N11 ∩ O

0 0 = Span(L2(x20),...,L2(x28)).

˜ ˜ For the computation, we need to use the result of the previous step: F10 and F11.

First, we can get two matrices Mf 10 and Mf 11 from them. They are symmetric matrices from the bilinear form of the homogeneous quadratic parts of each ˜ ˜ quadratic polynomials F10 and F11. ˜ Then N10 is the null space of the matrix Mf 10. We can get it by solving a linear equation system of

X × Mf 10 = 0.

Here X is a row vector x1 x2 . . . x28 ; 0 is a 28-dimensional row vector with all entries zeros. This linear system has 28 equations with 28 variables. It’s very easy to be solved by the Gauss elimination method. ˜ The solution space is called N10.

49 ˜ Similarly, we can get the space N11 by doing the same thing to the matrix Mf 11. And hence we can have the space

˜ ˜ ˜ ˜ O1 = N10 ∩ N11 ∩ O

˜ ˜ ˜ ˜ since we know each of N10, N11 and O. (Here O is from the step 1 attack.) ˜ After we get the space O1, we can choose a new coordinate system such that the ˜ ˜ ﬁrst 9 components are from O1. Here o1 = 9 is the dimension of O1. Then in the new coordinate system, each Mi for 1 ≤ i ≤ 9 can be rewritten in the following form,

˜ t ˜ 0 Bi A4MiA4 = Mi = ˜t ˜ (4.19) Bi Di ˜ ˜t ˜ Here 0 is a 9 × 9 zero matrix, Bi is a 9 × 19 matrix, Bi is the transpose matrix of Bi ˜ and hence a 19 × 9 matrix, Di is a 19 × 19 matrix. ˜ The reason we can have these block matrices Mi with 1 ≤ i ≤ 9 is due to the speciﬁc formulas of fi with 1 ≤ i ≤ 9. There is no xixj term if 20 ≤ i, j ≤ 28.

The 28 × 28 matrix A4 is invertible. It is chosen by the following steps: ˜ First, we can find a basis for the space O1. It will a be a linearly independent set of 9 of 28-dimensional row vectors. ˜ n 28 For the complement space of O1 in k = GF (256) , we can also find a basis for it. It will a be a linearly independent set of 19 of 28-dimensional row vectors, which ˜ has no intersection with the space O1. Then the union of these two sets will be a basis for kn. ˜ We can define the matrix A4 with first 9 rows being basis row vectors in O1; last ˜ 19 rows being basis vectors in the complement space of O1.

Then the matrix A4 will have the property of the equation (4.19).

We will use A4 in the step 4 of the attack, too.

28 We can deﬁne a linear mapping between k by the matrix A4 in the following

50 way,

28 28 L4 : k −→ k (4.20)

X 7→ X × A4

Here X is a row vector x1 x2 . . . x28 . ˜ Then we know that the subspace O1 is invariant under the linear transformation

0 L2 ◦ L4. So we have the following diagram,

0 L4 L2 k28 - k28 - k28

Figure 4.6: Step 3 Attack Diagram 2

51 4.2.5 Step 4: Finding the space G˜12

˜ Step 4: Finding the space G12 which is the subspace of the linear span of ﬁrst 11

0 components of f ◦ L2. Using a new coordinate system X˜ = x20 . . . x28 x1 . . . x19 , we can have diﬀerent matricesm ˜ i for fi for 1 ≤ i ≤ 11. In fact, for 1 ≤ i ≤ 11, we have

0 0 m˜ i = (4.21) 0 Ui Here the upper left block 0 is a 9 × 9 zero matrix, upper right block 0 is a 9 × 19 zero matrix, lower left block 0 is a 19 × 9 zero matrix, Ui is a 19 × 19 matrix.

We can have this due to the fact that there is no xixj term for 1 ≤ i ≤ 19 and

20 ≤ j ≤ 28 in the ﬁrst 11 quadratic polynomials f1, . . . , f11. ˜ ˜t ˜ In fact, we havem ˜ i = ZmiZ with the permutation matrix Z given by

 0000000000000000000100000000  0000000000000000000010000000  0000000000000000000001000000     0000000000000000000000100000   0000000000000000000000010000   0000000000000000000000001000     0000000000000000000000000100   0000000000000000000000000010   0000000000000000000000000001     1000000000000000000000000000   0100000000000000000000000000   0010000000000000000000000000     0001000000000000000000000000  Z˜ =  0000100000000000000000000000   0000010000000000000000000000   0000001000000000000000000000     0000000100000000000000000000   0000000010000000000000000000   0000000001000000000000000000     0000000000100000000000000000   0000000000010000000000000000   0000000000001000000000000000     0000000000000100000000000000   0000000000000010000000000000   0000000000000001000000000000   0000000000000000100000000000   0000000000000000010000000000  0000000000000000001000000000

In fact, the 28 × 28 permutation matrix Z˜ can be written as

52   E20 .  .   .    ˜  E28  Z =    E1   .   .  E19 th Here, each Ei is a 28-dimensional row vector with only i position is 1 and all other positions are zeros.

By doing this, we can shift the last 9 variables x20, . . . , x28 into the ﬁrst 9 positions of a vector. We have the relation X = X˜Z.˜

With the help of the matrix A4 and the equation (4.19) from step 3 ˜ t ˜ 0 Bi A4MiA4 = Mi = ˜t ˜ , Bi Di ˜ we can ﬁnd all 28 matrices Mi for 1 ≤ i ≤ 20. ˜ ˜ We can use the ﬁrst 19 of those matrices M1,..., M19 to do linear combination ˆ to get the same form of block matrices Mj asm ˜ i with 1 ≤ i ≤ 11. 19 ˆ X ˜ 0 0 Mj = γijMi = ˆ (4.22) 0 Uj i=1 Here upper left block 0 is a 9 × 9 zero matrix, upper right block 0 is a 9 × 19 zero ˆ matrix, lower left block 0 is a 19 × 9 zero matrix, Uj is a 19 × 19 matrix. We can have this due to the following:

All matrices Mi are linearly independent since they are from the public key of

the signature scheme. And hence after the invertible linear mapping L4, the new ˜ t ˜ matrices Mi with A4MiA4 = Mi are also linearly independent. ˜ Any 9 of those linearly independent matrices Mi can use a linear combination to ˆ ˜ get a matrix of form Mj. Any 10 of those linearly independent matrices Mi can use

53 ˆ a linear combination to get 2 linearly independent matrices of the form Mj. So on ˜ and so forth, any 19 of those linearly independent matrices Mi can use a linear ˆ combination to get 11 linearly independent matrices of the form Mj. Typically, we ˜ ˜ can use the linear combination of ﬁrst 19 linearly independent matrices M1,..., M19 ˆ to get those 11 linearly independent matrices of the form Mj.

So in the equation (4.22), we have total 11 × 19 = 209 variables of γij. We have ˆ 19 × 19 = 361 linear equations with for each Mj with 1 ≤ j ≤ 11. But here there are only 190 of those equations can be used due to the symmetric property of the ˆ matrix Mj. We can easily solve those linear system of equations by Gauss

elimination method to get total 209 values for γij. Here the solution is not unique. ˆ But we need to choose those values for γij carefully to make 11 matrices Mj are linearly independent. This can be done without problem since the solution of the linear system is guaranteed to exist due to those equations come from a real signature scheme.

After we have the 209 values of γij, by the equations (4.15), (4.16) and (4.21), we have that

19 X ˜ Span( γijFi|1 ≤ j ≤ 11) = Span(Fi|1 ≤ j ≤ 11) (4.23) i=1 ˜ We call this space to be G12. ˜ Due to the way we ﬁnd γij, the dimension of the space G12 will be 11. That is, ˜ dim G12 = 11.

4.2.6 Step 5: Finding the space G˜1

˜ Step 5: Finding the space G1 which is the subspace of the linear span of ﬁrst 9

0 components of f ◦ L2.

54 Let us denote this space of the linear span of the elements in the Group (I˜) by ˜ G1. We know that

˜ ˜ ˜ ˜ 1. G1 is a subspace of G12, whose dimension is dim(G1)=dim(G12)-2 = 9;

˜ ˜ 2. If we take any polynomial in G12 not in G1 with the property that the quadratic form corresponding to the quadratic part of this polynomial is of ˜ rank 18 (bigger than 14). On the other hand for any elements inside G1, the corresponding rank is exactly 14.

˜ This means that we can find a basis of G1 by choosing three polynomials q1, q2 ˜ and q3 from any basis of G12 and search for all q1 + u1q2 + u2q3 whose corresponding quadratic form is of rank 14, where u1, u2 ∈ k. This will definitely produce one ˜ element in G1 because a dimension 3 subspace must non-trivially intersect a dimension 11. Using this procedure on the corresponding matrices of the bilinear ˜ form for the polynomials by looking for matrix of rank 14, we can find a basis of G1 by at most searching 10 times. The complexity of this step is O((28)2 × 183 × 10/6) < O(230).

4.2.7 Step 6: Reformulation of G˜1

˜ Let G12 = Span(fi|i = 1,..., 11) ˜ G1 = Span(fi|i = 1,..., 9)

Let Ni denote the null space for each bilinear form h , ii. Then we observe and prove by calculation that

¯ \ N = Ni = Span(E1,E18,...,E28). i=1,...,9

This implies that we could ﬁnd a basis of the space, which consists of a basis of the subspaces of the intersection of all the null spaces of the bilinear forms deﬁned

55 ˜ by the quadratic parts of the polynomials in G1. This gives us a matrix A5 such that t 0 0 A5BA5 = ˜ . 0 di Here B is any symmetric matrix of the bilinear form corresponding to the quadratic ˜ part of any polynomial in G1. The upper left block 0 is a 12 × 12 zero matrix, upper right block 0 is a 12 × 16 ˆ zero matrix, lower left block 0 is a 16 × 12 zero matrix, di is a 16 × 16 symmetric matrix.

This implies that we can deﬁne a linear transformation L5 as

L5(x1, . . . , x28) = [x1, . . . , x28] × A5

˜ ˜ for any Fi in G1. We have 17 17 ˜ X X Fi ◦ L5(x1, . . . , x28) = α˜j,kxjxk + α˜jxj +α. ˜ j≥k=2 j=2

ˆ Fi ˜ ? L5 Fi k28 - k28 - k

Figure 4.7: Step 6 Attack Diagram 1

˜ Therefore by composing with L5, all the polynomials in G1 become a set of ˜ polynomials with only 16 variables. We will call this new set of polynomials GL1. From the above procedure and by solving a set of linear equations, we ﬁnd an 16 ˜ aﬃne linear transformation L6 on k such that the space GL1 is derived from composition of the elements in G1 by L6 in the following diagram.

56 gi ˆ ? L6 Fi k16 - k16 - k

Figure 4.8: Step 6 Attack Diagram 2

ˆ ˜ Here Fi is a quadratic polynomial from GL1 with

˜ ˆ ˆ GL1 = Span(F1,..., F9).

gi is a quadratic polynomial from G1 with

G1 = Span(f1, . . . , f9).

All gi spans the polynomial space G1.

Span(g1, . . . , g9) = G1

= Span(f1, . . . , f9).

˜ Now we treat all elements in G1 and GL1 as a polynomial of only 16 variables and ignore the other variables.

ˆ ˜ ˜ ˆ ˆ Now let F to be a quadratic polynomial from GL1 with GL1 =Span(F1,..., F9). f is a quadratic polynomial from G1 with G1 = Span(f1, . . . , f9).

We associate the quadratic part of each G1 with a bilinear form and we can see that all those forms are exactly of rank 14. Let us pick randomly 9 linearly ˜ ˜ independent polynomials Fi from GL1. s ˜ 16 Let h, ii denote the bilinear form corresponding to the quadratic part of Fi over k . s s Let Ni denote the null space for each bilinear form h, ii .

57 Through observation and computation simulations, we ﬁnd

s s s s Span(N1 ,...,N9 ) = Span(N8 ,...,N16).

They both have the dimension 9. Similar to the step 1 attack, we can use the unbalanced oil-vinegar attack [9] to

ﬁnd the image of the space spanned by the image of L6,i with 1 ≤ i ≤ 7 where

L6([x1, . . . , x16]) = [L6,1([x1, . . . , x16]),...,L6,16([x1, . . . , x16])].

So we ﬁnd the image of the linear parts of the seven variable set {x1, . . . , x7}

composed by L6.

Similar to the step 1 attack, by combining L5 and L6, for any basis of the space

−1 spanned by L6,i([x1, . . . , x16]) with integer i ≤ i ≤ 7, if we compose each by L5 from the right, they give us a basis of the image space of the span of the linear parts

of seven variable set {x1, . . . , x7} composed by L2. We will denote a basis we ﬁnd

for this space by ki(x1, . . . , x28) with 1 ≤ i ≤ 7.

4.2.8 Step 7: Completing the attack

Now assume that we have a message P to be signed.

We ﬁrst choose 7 random values ri with 1 ≤ i ≤ 7 from the ground ﬁeld k. Then

we can solve the equation ki([x1, . . . , x28]) = ri by Gaussian elimination method to cancel 7 variables out. We substitute the results into the polynomials equations ˜ coming from a basis of G1 found in step 5. Note: from the point view of algebraic geometry, this is equivalent to giving

speciﬁc values to x1, . . . , x7 for each core mapping polynomial fi. This should produce 9 linearly independent linear equations since we have 16 variables with 7 of them known now. (Here we means those 7 variables can be expressed as the linear combination of the rest 21 variables.)

58 We can solve this linear equation system of 9 equations and 9 variables by Gaussian elimination method. This is equivalent to ﬁnishing the polynomials from the group (I).

Next, we substitute those 16 values in to the remaining 2 polynomial equations ˜ from G12, whose linear combination would produce one linear equation. After solving this linear equation we can get another variable to make the number of known variables 17. Then we substitute again, the remaining equations should produce another linear equation. This completes the polynomials from group (II). The number of the known variable becomes 18.

After we substitute again, we only have 9 nonlinear equations left from

F (x1, . . . , x28) = P.

They are all coming from linear combinations of polynomials from group (III). The variables x2, . . . , x19 are all replaced by expressions of x1 and x20, . . . , x28. This 9 nonlinear equation system with 10 variables will guarantee to be an invertible mapping after we choose any value for one of those 10 variables.

Now let us simply choose a random set of values vi and choose  x2 = v2  . .  x19 = v19

e Let fi (x1, x20, . . . , x28) = fi(x1, v2, . . . , v19, x20, . . . , x28) for integer 12 ≤ i ≤ 20. e e e Let f (x1, x20, . . . , x28) = [f12(x1, x20, . . . , x28), . . . , f20(x1, x20, . . . , x28)], a dimension 9 row vector.

e e e e e e Let F (x1, x20, . . . , x28) = L1 ◦ f ◦ L2(x1, x20, . . . , x28), where L1 and L2 are invertible aﬃne linear mappings.

59 The rest is to solve a set of equations in the form:

e F (x1, x20, . . . , x28) = Pe.

9 Here Pe belongs to k with the ground ﬁnite ﬁeld k.

To do so, the only thing we need to know is how to ﬁnd the image of the linear

e part of x1 under the composition from the right by L2, which is a linear combination e of other variables. We observed that all quadratic parts of the fi is in the form

x1 × xj with no other quadratic terms. The corresponding bilinear form to the quadratic polynomial has the rank 2.

e e e Let fa and fb be two linearly independent elements in the space spanned by fi . e e Let Na and Nb denote the null space for each bilinear form derived from the e e quadratic part of fa and fb . We have

e e e e Span(Na ,Nb ) = Span(E1,...,E9)

e 10 with Ei = [0,..., 0, 1, 0,..., 0] being the standard basis in k . Similar to the step 2 attack, this implies that we can ﬁnd the image of the space

e spanned by L2(x1, . . . , x28), with

e e e L2(x1, . . . , x28) = [L2,1(x1, . . . , x28),...,L2,9(x1, . . . , x28)].

This is done by ﬁnding the corresponding dimension two space of the invariant

e e variables for both fa and fb . The intersection of the two spaces has exactly e dimension one and it is proportional to the linear part of L2,0(x1, . . . , x28). e Then we choose a random value for L2,0(x1, . . . , x28) and we substitute it into the nonlinear equations, which is equivalent to the case of giving x1 a speciﬁc value in addition to x2, . . . , x28 to all the fi. This will produce again 9 linear independent

60 equations. Then we collect all the linear independent equations whose solution will give a forgery of a signature.

4.3 Attack Complexity(Eﬃciency) Analysis

The total complexity of the attack is O(261). In this 7-step attack process, the step by step computation complexity is as follows:

• Step 1: The total complexity is O(223). In the step 1 attack, the computation happens in the following 4 parts.

Writing down polynomials into the bilinear matrix forms mi and Mi is very fast. The complexity is O(m ∗ n2) = O(20 ∗ 283) ≤ O(214).

−1 Finding matricesm ¯ i is just the matrix computationm ¯ i = Z × mi × Z . The complexity is O(m ∗ n3) = O(20 ∗ 283) ≤ O(219). Finding the hidden oil space O˜ using Min-rank attack, the complexity is O(qv−o−1 × o4) = O(2561 × 134) ≤ O(223). (Here using the parameters in the Kipnis and Patarin’s paper [9], o = 13, v = 15, q = 28 = 256.)

2 2 10 Finding the matrix A3. The complexity is O(n ) = O(28 ) ≤ O(2 ). The most expensive part is the Kipnis’s unbalanced oil-vinegar attack part, the complexity is no more than O(223). So we can view the total complexity of the step 1 as O(223).

• Step 2: The total complexity is O(261). ¯ Writing down polynomials into matrices Mi from Mi and A3 is very fast ¯ T since we have Mi = A3MiAi . The complexity is O(m ∗ n3) = O(20 ∗ 283) ≤ O(219).

61 Getting the sub-matrices Bi is also very fast. The complexity is O(m ∗ n2) = O(20 ∗ 282) ≤ O(214). Here ¯ 0 Bi Mi = T . Bi Di Finding the hidden oil space O˜ using Min-rank attack, the complexity is

d k e∗r 3 8 2×3 3 61 O(q n × k ) = O((2 ) × 20 ≤ O(2 ). (Here using the parameters in the Min-rank attack paper, N = 13, n = 15, k = 20, r = 3, q = 28 = 256.)

We used this method twice here to search for both b10 and b11. So the total complexity is O(261).

Finding constant multiples β1 and β2 is very fast. It is equivalent to solving a homogeneous linear equation system of 21 variables for a nontrivial

solution to each betai. Using Gaussian Elimination method to solve, the complexity is O(213) ≤ O(214).

• Step 3: The total complexity is O(215).

Finding the null spaces N10 and N11, We need ﬁrst write down the bilinear

o o matrix form from the quadratic polynomials f10 and f11. Then solving a system of linear equations to get the null space of those matrices. The complexity is O(2 ∗ n3) + O(n3) = 3O(n3) = O(3n3) = O(3 × 203) ≤ O(215).

˜ Finding the matrix A4 is equivalent to ﬁnding a basis for O1 and a basis ˜ for its complement space, say V1. This can be done by solving a set of n linear equations with n variables for a general solution with singular coeﬃcient matrix. We can use Gaussian elimination method to solve. The complexity is O(203) ≤ O(213).

• Step 4: The total complexity is O(215).

62 • Step 5: The total complexity is O(230).

• Step 6: The total complexity is O(212).

• Step 7: The total complexity is O(219).

4.4 Conclusion

We conclude that in the total complexity of O(261), we can attack the target TTS signature scheme in [6]. We have programmed the attack code for a small toy example with the parameter q = 4 by MAGMA software with the Version 2.11. We combined a few different methods to break the TTS Scheme of [6]. One can see that we go though a very complicated procedure, but computationally it is not difficult. The reason for this is that this new family of schemes uses specialized sparse polynomials. This introduced a chain of weaknesses. Each weakness can then be attacked with a different tool. We believe that our attack can be made to work against all other TTS Schemes, which were published in the February 2004 version of [6]. Of course, one can immediately suggest new formulas, as was done in the revised version of [6], which our method as given cannot defeat. But we think, one must be extremely careful when using specific sparse polynomials.

63 Chapter 5

Algebraic Attack on Oil-Vinegar Scheme

5.1 Algebraic Attack background

An algebraic attack on a multivariate polynomial system is a brute-force attack based on solving a system of multivariate polynomial equations. There are diﬀerent methods to solve multivariate polynomial systems:

• Classic Gr¨obner basis method: Buchberger’s Algorithm

• Modiﬁed Gr¨obner basis method: F 4 algorithm

• F5 algorithm

• ZhuangZi algorithm and mutant ZhuangZi algorithm

• XL algorithm and mutant XL algorithm

The Gröbner basis method was proposed by Bruno Buchberger [37] in 1976. By constructing S-polynomials recursively, we can generate a Gröbner basis with respect to a chosen monomial order. Then the system of equations composed by Gröbnerbasis can be solved recursively.

64 The F 4 algorithm proposed by Jean-Charles Faugère [38] is used to compute the Gröbnerbasis for an ideal of a multivariate polynomial ring. The algorithm is one of most efficient algorithms to compute the Gröbnerbasis today. And hence it is one of the best choices to solve a multivariate polynomial equation system. The F 5 algorithm is a variation of the F 4 algorithm. It will be better than F 4 algorithm in efficiency sometimes. But there exist some cases such that the F 4 algorithm is still faster than the F 5 algorithm. The ZhuangZi algorithm is a very new method proposed by Jintai Ding [16]. The main idea of the algorithm is like the followings:

• Step 1: Transform the multivariate polynomial systems over the ground finite field into a single polynomial equation over a big finite field which is easy to solve.

• Step 2: Solve this new generated polynomial equation to get the solution.

• Step 3: Find the corresponding solution for the original multivariate polynomial systems.

The ZhuangZi algorithm becomes very eﬃcient in some cases. The mutant ZhuangZi algorithm is a variation of the ZhuangZi algorithm. XL algorithm is the short name for the eXtended Linearization algorithm. It’s a very good method to use for solving over-deﬁned systems of multivariate polynomial equations. The mutant XL algorithm is a variation of the XL algorithm.

5.2 F 4 algorithm attacking

The oil-vinegar system is a signature scheme based on oil-vinegar multivariate polynomial equations. There are a few types of oil-vinegar system: balanced oil-vinegar system, unbalanced oil-vinegar system and branch oil-vinegar system.

65 Remark: The most trivial one is a balanced oil-vinegar system. We carefully choose v oil-vinegar equations with v vinegar variables and o oil variables ( here o = v or o + v = n = 2v) to form the signature scheme. We must choose those equations so that no matter how we assign the values to all vinegar variables, the nonlinear oil vinegar equations can be simplified into an invertible affine linear equation system with o = v variables and v equations. That will guarantee no matter which document we want to sign for, we can get a proper signature for it by solving this invertible affine linear equation system. The balanced oil vinegar signature system is not safe any more due to the work of Aviad Kipnis and Adi Shamir [8]. An unbalanced oil-vinegar signature scheme has m (oil and vinegar) equations and n variables with n > 2m. There are o = m oil variables and v = n − m vinegar variables with o 6= v since we have n > 2m condition. That is why we call them “unbalanced”. In fact, we have v > o. In this chapter, we will use the Faugère F 4 algorithm to attack the unbalanced oil vinegar system with different characteristic. Typically for the unbalanced oil vinegar systems with v = b1.5 × oc, v = 2 × o and v = 3 × o these 3 different cases. The similar work was done by Christopher Wolf etc. [40] in 2005. In the paper, three authors claimed that “the case 2m < v < 4m is particularly vulnerable to Gröbnerbasis attacks like F 4” [40]. Here, the integer n stands for the variable number of an oil-vinegar system; the integer m stands for the equation number of an oil-vinegar system. But we think that there is no theoretical support for it. We have done the experiment to use F 4 algorithm to solve the multivariate polynomial equation system induced from the certain built unbalanced oil-vinegar system and the random chosen document. But our conclusion is different from Wolf’s claim “The unbalanced oil-vinegar system with 2m < v < 4m is particularly vulnerable”.

66 5.3 Toy Example

For the target system we have build for v = 2 × o case with o = 2 and q = 2. That is an unbalanced oil vinegar system with 2 equations and 6 variables. (2 of them are oil variables; 4 of them are vinegar variables.) The public key of the target system is given in the following,

2 y1 = x1 + x1 ∗ x4 + x1 + x2 ∗ x3 + x2 ∗ x4 + x2 ∗ x5 + x2 ∗ x6 + x2 + x3 ∗ x4

2 2 2 +x3 ∗ x6 + x4 + x4 ∗ x5 + x4 ∗ x6 + x5 + x5 ∗ x6 + x5 + x6

2 y2 = x1 ∗ x3 + x1 ∗ x6 + x1 + x2 + x2 ∗ x3 + x2 ∗ x6 + x2 + x3 ∗ x4 + x3 ∗ x5

+x4 + x5 ∗ x6 + 1

The target system is built by the composite of the linear mapping between GF (2)6 and a quadratic oil vinegar mapping from GF (2)6 to GF (2)2. The linear mapping L is given in the following,

L(x) = Ax + b with       0 1 1 0 0 0 x1 0  0 0 1 1 0 1   x2   1         0 1 1 1 1 0   x3   1  A =   , x =   , b =   .  0 1 1 1 0 1   x4   1         1 1 1 0 1 1   x5   1  1 1 0 1 1 1 x6 1 The chosen unbalanced oil vinegar mapping g is given by

g1 = x1 ∗ x4 + x1 ∗ x6 + x1 + x2 ∗ x4 + x2 ∗ x6 + x3 ∗ x4 + x3 ∗ x5

2 +x3 ∗ x6 + x3 + x4 + x4 ∗ x5 + x5 ∗ x6 + x5

2 2 g2 = x1 ∗ x6 + x1 + x2 ∗ x5 + x2 ∗ x6 + x3 + x4 + x4 ∗ x6 + x5 ∗ x6 + x6

In this chosen mapping g, x1 and x2 are oil variables; x3, x4, x5 and x6 are vinegar variables. After assigning values to the vinegar variables, the mapping g will become an invertible aﬃne linear mapping.

67 For example, if we choose the values of x3, x4, x5 and x6 to be the following,

x3 = 0

x4 = 1

x5 = 0

x6 = 1 then the mapping g becomes the following invertible aﬃne linear mapping

g1 = x1 + 1

g2 = x2 + 1

Now if we have the document as an 1 × 2 row vector [0,0], we sign it with the following computation. What we need here is a pre-image of the mapping f. We can get it by reversing the aﬃne linear mapping L then reversing the mapping g. First we reverse the mapping g with chosen vinegar variables. Here

−1 g1 = x1 + 1

−1 g2 = x2 + 1.

We can have the pre-image of reduced mapping g is [1,1]. That is,

x1 = 1

x2 = 1.

And hence the pre-image of mapping g is [1,1,0,1,0,1]. Then we reverse the aﬃne linear mapping L to get the signature. Let L(x) = [1, 1, 0, 1, 0, 1] to get the signature x =[1,0,1,0,0,1].

68 Now assume we act as an attacker, all we know is the public key f and the document [0,0]. We want to forge a pre-image of the document for the mapping f as the signature. We randomly choose values for four variables in the public key mapping f; then solve for the other two by solving the resulting equations in two variables. Due to the construction of the unbalanced oil vinegar system, this nonlinear system of 2 equations and 2 variables must have a solution. So using F 4 algorithm, we can ﬁnd at least one solution of this equation system. Then the forged signature is the combination of the values chosen above with this solution. it will be a length six binary digits in this case. It’s not necessary to be same as the original signature [1,0,1,0,0,1] due to the mapping f from GF (2)6 to GF (2)2. Here are attacking details:

Public key polynomial [y1, y2] = f([x1, x2, x3, x4, x5, x6]) = g(L([x1, x2, x3, x4, x5, x6]))

2 y1 = x1 + x1 ∗ x4 + x1 + x2 ∗ x3 + x2 ∗ x4 + x2 ∗ x5 + x2 ∗ x6 + x2 + x3 ∗ x4

2 2 2 +x3 ∗ x6 + x4 + x4 ∗ x5 + x4 ∗ x6 + x5 + x5 ∗ x6 + x5 + x6

2 y2 = x1 ∗ x3 + x1 ∗ x6 + x1 + x2 + x2 ∗ x3 + x2 ∗ x6 + x2 + x3 ∗ x4 + x3 ∗ x5

+x4 + x5 ∗ x6 + 1

Document [0,0].

Step 1: We randomly choose values for variables x3, x4, x5 and x6 like the following.

x3 = 1

x4 = 1

x5 = 1

x6 = 0

Then equations y1 = 0 and y2 = 0 become followings,

2 x1 + 1 = 0

2 x2 = 0

69 Step 2: We use the implemented F 4 algorithm to compute solutions for this new system of equations. We have one solution in GF (2),

x1 = 1

x2 = 0

Step 3: We get one forged signature [1,0,1,1,1,0] for the given document. It’s easy to conﬁrm this forged signature is a good choice since f([1,0,1,1,1,0]) = [0,0] is same as the given document.

5.4 Three Authors’ cryptanalysis

In the paper A Study of the Unbalanced Oil and Vinegar Signature Schemes [40] in 2005, three authors claimed that the case 2m < v < 4m is particularly vulnerable for a randomly chosen unbalanced oil vinegar system under the modified Gröbner basis attack. “vulnerable” is a tricky word. It means that the system is easy to be attacked. They view systems in the case 2m < v < 4m as weak systems. Here, the modified Gröbnerbasis method which three authors used is Faugère’s algorithm F 4 implemented in the MAGMA software. The experiment result from the paper of Wolf etc. given by the following pictures:

70 5.4.1 Case v=2m over GF (2) (the ﬁnite ﬁeld of size 2)

The attacking time is approximately an exponential function of the total oil variable number m. Using the base 3.07, the time complexity function is given by log3.07 t = −17.53 + 1.62m with m being the the equation number satisfying m = o, the oil variable number and t being the attacking time using the unit second (s). over GF (3) (the ﬁnite ﬁeld of size 3)

Using the base 6.68, the time complexity function is given by

log6.68 t = −23.17 + 2.74m

71 over GF (16) (the ﬁnite ﬁeld of size 16)

Using the base 28.20, the time complexity function is given by

log28.2 t = −21.14 + 4.82m

5.4.2 Case v=3m over GF (2) (the ﬁnite ﬁeld of size 2)

Here, authors made a mistake in the caption part of the graph. The right caption should be “Log time for v = 3 ∗ m, q = 2, and varying m”. Using the base 3.03, the time complexity function is given by

72 log3.03 t = −16.66 + 1.60m. over GF (3) (the ﬁnite ﬁeld of size 3)

Here, authors made a mistake in the caption part of the graph. The right caption should be “Log time for v = 3 ∗ m, q = 3, and varying m”. Using the base 6.36, the time complexity function is given by

log6.36 t = −21.85 + 2.67m

over GF (16) (the ﬁnite ﬁeld of size 16)

73 Using the base 32.63, the time complexity function is given by

log32.63 t = −21.89 + 5.03m

The conclusion and their experiment result are a contradiction. Their experiments did not support their main claim: the case 2m < v < 4m is weak for a randomly chosen unbalanced oil vinegar system under the modiﬁed Gr¨obnerbasis attack. Based on their experiments, they have the following two main direct results. And those results did not support their claim at all:

• For the two categories v = 2m and v = 3m in three sub-cases q = 2, q = 3 and q = 16, the attacking time is always an exponential function of the equation number m for each target unbalanced oil and vinegar system. That tells us that at least both v = 2m and v = 3m cases are not weak at all. We can simply increase the size of the system to make it unbeatable in the complexity 264 by the modiﬁed Gr¨obner basis method.

• Authors gave a set of recommended parameters for systems in the section 3.3. That is “the number m of equations should be higher than 38 for characteristic 2 and higher than 24 for characteristic 3 both for n ≥ 2m and n ≥ 3m in order to obtain a security level greater than 264”.

Using q = 2 as an example, for two cases v = 2m and v = 3m, the attacking time is given by the following two functions of the equation number m,

−17.53+1.62m Ta = 3.07 for v = 2m

−16.66+1.6m Tb = 3.03 for v = 3m

Suppose we consider a system of m = 12, the attacking time for two cases v = 2o and v = 3o are Ta = 8.5 seconds and Tb = 16.7 seconds separately. And hence the v = 3m case is not weaker than the other case at all since we need more time to attack a v = 3m case system. Choosing diﬀerent m value will not change this result.

74 5.5 Improvement of three authors’ Cryptanalysis

5.5.1 Probability Problem

In the paper A Study of the Unbalanced Oil and Vinegar Signature Schemes the section 3.3, authors thought “with fixed m value and varying v value to solve an oil and vinegar equation system with m equations and n = o + v = m + v variables, because the number of solutions increases by qv, the probability of finding one out of these qv solutions becomes higher.” In another word to say, to find a solution out of a generally speaking size qv solution space with m linearly independent oil and vinegar equations and n1 = o + v1 = m + v1 total variables is easier than to solve a system with m linearly

independent oil and vinegar equations and n2 = o + v2 = m + v2 total variables if

n1 > n2. It’s not true in mathematics. The probability to find a solution for a solvable equation system with m oil and vinegar equations and n variables with m ≤ n over the size q finite field is given by qn−m 1 P = = (5.1) 1 qn qm This value will stay same no matter which n value we choose. Here if we use n = o + v = m + v and hence after changing the value v, the probability to find a solution is given by the following formula, qv 1 P = = (5.2) 2 qm+v qm

Those two values P1 and P2 will give us the same probability. We have also repeated the experiment of three authors for probability of trying times. We choose the ground ﬁeld of size q = 2. The total equation number is m = o = 9. We build up a series of target system with diﬀerent variable numbers from n = o + v = 9 + 13 = 21 to n = o + v = 9 + 36 = 45. For each target system,

75 we choose v random values for v variables to form an quadratic multivariate polynomial equation system of m equations in m variables. Then we use F 4 algorithm to solve this system. If no solution exist, we choose another v random values for v variables and repeat the F 4 attack again until we get a proper solution. The experiment shows the winning chance for the ﬁrst try is between 57% and 73%. And it’s not increasing as three authors claimed while we increased the v value.

5.5.2 Our experiment result

We have repeated the experiments with the same Faugère’salgorithm F 4 implemented in the MAGMA software over the randomly chosen unbalanced oil and vinegar system. We did 10 experiments to get the average time and average maximal memory usage for every chosen parameters v = b1.5oc, v = 2o and v = 3o over the finite field of size q =2, 3, 4, 5, 11,16 and 31. Here the oil variable number o is same as the equation number m. The graphing result for the q = 2 for all 3 cases is given in the following table, the base for the logarithmic function is the natural number e.

76 Table 5.1: Graphs Result

Our experiments give us the following experiment results:

• The attacking time t is an exponential function of the equations number m for every case.

• There are no big diﬀerence in the attacking time for the case v = b1.5oc and other two cases v = 2o and v = 3o. Here the number o stands for the oil variable number which is same as the equation number m.

The first result is same as theirs. But due to the difference of our hardware and the randomness of the target system, the numerical result are not exactly same. The second result tell us their conclusion “the case 2m < v < 4m is vulnerable for a randomly chosen unbalanced oil vinegar system under the modified Gröbner basis attack.” is not right. Our cases v = b1.5oc and v = 2o are not in the category 2m < v < 4m. But the other case v = 3o is in the category 2m < v < 4m. Here the number o stands for the oil variable number which is same as the equation number m. Since the attacking time for those cases have no big difference, we can’t conclude that the 2m < v < 4m case is weaker (or “vulnerable”). In fact, there is still no firm conclusion yet about the security for the 2m < v < 4m case unbalanced oil and vinegar signature scheme so far.

77 Using q = 2 as an example, for three cases v = b1.5oc, v = 2o and v = 3o, the attacking time is given by the following three functions of the equation number m = o,

0.638069m−10.8647 T1 = e for v = b1.5oc

0.594218m−10.042 T2 = e for v = 2o

0.612784m−10.1927 T3 = e for v = 3o

Suppose we consider a system of m = 20, the attacking time for three cases v = b1.5oc, v = 2o and v = 3o are T1 = 6.6 seconds, T2 = 6.3 seconds and T3 = 7.8 seconds separately. And hence the v = 3o case is not weaker than other two cases at all. Choosing diﬀerent m value will not change this result.

5.6 Conclusions

By our experiment result, we confirmed the attacking time is an exponential function of the value m. Here m stands for the equation number (=oil variable number o). We point out the conclusion about the case 2m < v < 4m of random oil and vinegar signature scheme by Christopher Wolf etc. can’t be supported even by their experiments. In fact, their experiment result contradict with their final conclusion. We believe there is no big difference in system security for the case 2m < v < 4m and the other cases like m < v ≤ 2m. A natural conclusion following the result of Wolf etc. will be the general unbalanced oil and vinegar signature scheme is not secure. But we point out it’s not right. The security for general unbalanced oil and vinegar signature scheme is still an open problem.

78 Chapter 6

The Conclusion and Future Work

6.1 The conclusion

In this thesis, we have first discussed a special branch oil and vinegar system with an attacking method. Then for general unbalanced oil and vinegar system, we used the F 4 algorithm attack to discuss about the security of those system. That is, in the different characteristic finite fields, by chosen large parameters, the unbalanced oil vinegar system is secure under the algebraic attack. We point out one result of Wolf for the unbalanced oil vinegar system which is not right. That is, the unbalanced oil vinegar system with parameter chosen with 2m < v < 4m is not vulnerable under the F 4 algorithm attack. Here, v stands for the vinegar variable number; m = o stands for the equations number; the total variable number n = o + v with o oil vinegar number.

6.2 The future work

There are a few directions we can explore in the future for the unbalanced oil vinegar signature system. 1. In the system security side, we can try other attacking method to check the security property of the unbalanced oil vinegar system like algebraic attack based on ZhuangZi algorithm. We can extend the security analysis to some branched

79 unbalanced oil vinegar system. 2. From the system construction side, after discussion the security property of the unbalanced oil vinegar system, we can give the recommended parameter choices to make those signature scheme more applicable in the near future under different characteristic finite fields. 3. Using the thought of unbalanced oil vinegar system in other related signature scheme design.

80 Bibliography

81 Bibliography

[1] Michael R. Garey and David S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness, chapter 7.2 Algebraic Equations over GF(2). W H Freeman & Co, 1979.

[2] Jacques Patarin and Louis Goubin. Trapdoor one-way permutations and multivariate polynomials. In ICICS’97: Proceedings of the First International Confer- ence on Information and Communication Security, pp. 356 - 368, London, UK, 1997. Springer-Verlag.

[3] Matsumoto, T., Imai, H., Public quadratic polynomial-tuples for eﬃcient signature veriﬁcation and message encryption. In: Guenther, C.G. (ed.) Advances in Cryptology - EUROCRYPT’88, vol. 330 of LNCS, pp. 419 - 453. Springer, Berlin Heidelberg New York (1988)

[4] Patarin, J., Cryptanalysis of the Matsumoto and Imai public key scheme of Eu- rocrypt’88. In: Coppersmith, D. (ed.) Advances in Cryptology - Crypto’95, vol. 963 of LNCS, pp. 248 - 261 (1995)

[5] Yang, B., Chen, J., A more secure and eﬃcacious TTS signature scheme. ICISC 2003 (2003). http://eprint.iacr.org/2003/160

[6] Yang, B., Chen, J., Chen, Y., TTS: High-speed signatures on a low-cost smart card. In: Joye, M., Quisquater, J. (eds.) Cryptographic Hardware and Embed-

82 ded Systems: CHES 2004, vol. 3156 of LNCS, pp. 371 - 385. Springer, Berlin Heidelberg New York (2004)

[7] J. Patarin, The Oil and Vinegar Signature Scheme, presented at the Dagstuhl Workshop on Cryptography, September 1997 (transparencies)

[8] Aviad Kipnis, Adi Shamir, Cryptanalysis of the oil and vinegar signature scheme. In: Guenther, C.G. (ed.) Advances in Cryptology - CRYPTO’98, vol. 1462 of LNCS, pp. 257 - 266. Springer, Berlin Heidelberg New York (1998)

[9] Kipnis, A., Patarin, J., Goubin, L., Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT’99: International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 2 - 6, 1999, vol. 1592 of LNCS, pp. 206 - 222. Springer, Berlin Heidelberg New York (1999)

[10] Yang, B., Chen, J., TTS: Rank attacks in tame-like multivariate PKCs. http://eprint.iacr.org/2004/061 (February 2004)

[11] Patarin, J., Courtois, N., Goubin, L., Flash, a fast multivariate signature algorithm. In: Naccache, C. (ed.) Progress in Cryptology, CT-RSA, vol. 2020 of LNCS, pp. 298 - 307. Springer, Berlin Heidelberg New York (2001)

[12] Patarin, J., Courtois, N., Goubin, L., QUARTZ, 128-bit long digital signatures http://www.min-rank.org/quartz/. In: Naccache, C. (ed.) Progress in Cryptol- ogy, CT-RSA, vol. 2020 of LNCS, pp. 282 - 297. Springer, Berlin Heidelberg New York (2001)

[13] Ding, Jintai, Gower, Jason E. and Schmidt, Dieter S, Multivariate Public Key Crypto-systems. Springer Science-Business Media, LLC. ISBN-10: 0-387-22426-3

83 [14] Ding, Jintai, A new variant of the Matsumoto-Imai crypto-system through pertur- bation. In Bao, F., Deng, R., and Zhou, J., editors, Public Key Crypto-systems, PKC 2004, volume 2947 of LNCS, pp. 305-318. Springer.

[15] Ding, Jintai and Gower, Jason E., Inoculating multivariate schemes against dif- ferential attacks. In et al., M. Yung, editor, PKC 2006, volume 3958 of LNCS, pp. 290 - 301. Springer, http://eprint.iacr.org/2005/255.

[16] Ding, Jintai, Gower, Jason E., and Schmidt, Dieter, Zhuang-Zi: A new algorithm for solving multivariate polynomial equations over a ﬁnite ﬁeld. Preprint, University of Cincinnati.

[17] Ding, Jintai, Gower, Jason E., Schmidt, Dieter, Wolf, Christopher, and Yin, Zhi- jun (2005). Complexity estimates for the F 4 attack on the perturbed Matsumoto- Imai cryptosystem. In Smart, N.P., editor. Tenth IMA International Conference on Cryptography and Coding(CCC 2005), volume 3796 LNCS, pp. 262 - 277. Springer 2005, http://math.uc.edu/˜aac/pub/pmi-groebner.pdf.

[18] Ding, Jintai, Hu, Lei, Nie, Xuyun, Li, Jianyu, and Wagner, John, High order linearization equation (hole) attack on multivariate public key cryptosystems. preprint, University of Cincinnati.

[19] Ding, Jintai and Schmidt, Dieter, The new TTM implementation is not secure. In Feng, Kegin, Niederreiter, Harald, and Xing, Chaoping, editors. Workshop on Coding Cryptography and Combinatorics, CCC2003 Huangshan (China), volume 23 of Progress in Computer Science and Applied Logic, pp. 113 - 128. Birkhauser Verlag.

[20] Ding, Jintai and Schmidt, Dieter, Cryptanalysis of HFEV and the internal per- turbation of HFE. In Vaudenay, Serge, editor, Public key cryptography: PKC

84 2005: 8th International Workshop on Theory and Practice in Public Key Cryp- tography, Les Diablerets, Switzerland, January 23 - 26, 2005, volume 3386 of LNCS, pp. 288 - 301. Springer.

[21] Ding, Jintai and Schmidt, Dieter, Rainbow, a new multivariable polynomial signature scheme. In loannidis, John, Keromytis, Angelos D., and Yung, Moti, editors. Third International Conference Applied Cryptography and Network Se- curity (ACNS 2005), volume 3531 LNCS, pp. 164 - 175 Springer.

[22] Ding, Jintai and Yin, Zhijun, Cryptanalysis of TTS and Tame-like signature schemes. In Third International Workshop on Applied Public Key Infrastructures 2004 (IWAP 2004).

[23] Whitﬁeld Diﬃe and Martin Hellman, New Directions in Cryptography. IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp. 644 - 654

[24] Rivest, R.; A. Shamir; L. Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM 21 (2): pp. 120 - 126.

[25] Shor, Peter W. (1997), Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, SIAM J. Comput. 26 (5): 1484 - 1509, doi:10.1137/S0036144598347011, arXiv:quant-ph/9508027v2 . Revised version of the original paper by Peter Shor (“28 pages, LaTeX. This is an expanded version of a paper that appeared in the Proceedings of the 35th Annual Sympo- sium on Foundations of Computer Science, Santa Fe, NM, Nov. 20 - 22, 1994. Minor revisions made January, 1996”).

[26] Vandersypen, Lieven M. K.; Steﬀen, Matthias; Breyta, Gregory; Yannoni, Costantino S.; Sherwood, Mark H. & Chuang, Isaac L.(2001), Experimental real-

85 ization of Shor’s quantum factoring algorithm using nuclear magnetic resonance, Nature 414 (6866): Pages 883 - 887.

[27] Nielsen, Michael A. & Chuang, Isaac L. (2000), Quantum Computation and Quantum Information, Cambridge University Press .

[28] Q&A With Post-Quantum Computing Cryptography Researcher Jintai Ding. IEEE Spectrum. 2008-11-01. http://spectrum.ieee.org/computing/networks/qa- with-postquantum-computing-cryptography-researcher-jintai-ding.

[29] PQCrypto 2008. University of Cincinnati, USA, October 17 - 19, 2008. http://math.uc.edu/˜aac/pqcrypto2008/. All of the accepted papers are available in the proceedings: Johannes Buchmann, Jintai Ding (editors). Post-quantum cryptography, second international workshop, PQCrypto 2008, Cincinnati, OH, USA, October 17 - 19, 2008, proceedings. Lecture Notes in Computer Science 5299, Springer, 2008. ISBN 978-3-540-88402-6. http://www.pqcrypto.org/

[30] Elwyn R. Berlekamp. Factoring Polynomials Over Finite Fields. Bell Sys- tems Technical Journal, 46:1853-1859, 1967. Later republished in: Elwyn R. Berlekamp. “Algebraic Coding Theory”. Mc-Graw Hill, 1968.

[31] Aviezri S. Fraenkel and Yaacov Yesha. Complexity of solving algebraic equations. Inf. Process. Lett., 10(4/5): pp. 178 - 179, 1980.

[32] Shamir, A., Eﬃcient signature schemes based on birational permutations. In: Stinson, D.R. (ed.) Advances in Cryptology - CRYPTO’93 (Santa Barbara, CA, 1993), vol. 1462 of LNCS, pp. 257 - 266. Springer, Berlin Heidelberg New York (1993)

[33] Courtois, N., Goubin, L., Patarin, J., Sﬂashv3, a fast asymmetric signature scheme (2003). http://eprint.iacr.org/2003/211

86 [34] Goubin, L., Courtois, N., Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) Advances in Cryptology - ASIACRYPT 2000, International Conference on the Theory and Application of Cryptology and Information Security, Singa- pore, December 3 - 7, 2000, vol. 1976 of LNCS, pp. 44 - 57. Springer, Berlin Heidelberg New York (2000)

[35] Moh, T.T., A fast public key system with signature and master key functions. Commun. Algebra 27, 1999, pp. 2207 - 2222. http://www.usdsi.com/ttm.html

[36] Chen, J., Yang, B., Peng, B., Tame transformation signatures with topsy-yurvy hashes. IWAP’02, pp. 1 - 8 (2002). http://dsns.csie.nctu.edu.tw/iwap/proceedings/proceedings/sessionD/7.pdf

[37] Buchberger, B. (August 1976). Theoretical Basis for the Reduction of Polynomi- als to Canonical Forms. ACM SIGSAM Bull. (ACM) 10 (3): 19 - 29

[38] Jean-Charles Faugère. A new efficient algorithm for computing Gröbnerbases (F 4). Journal of Pure and Applied Algebra, 139(1-3):61-88, June 1999. http://www-calfor.lip6.fr/ jcf/Papers/F99a.pdf

[39] Braeken, An; Wolf, Christopher; Preneel, Bart, A Study of the Security of Un- balanced Oil and Vinegar Signature Schemes, ESAT-COSIC, September 2. 2004

[40] An Braeken, Christopher Wolf, Bart Preneel. A Study of the Security of Unbal- anced Oil and Vinegar Signature Schemes. CT-RSA 2005: pp. 29-43

[41] Nicolas Courtois, Louis Goubin, Willi Meier, and Jean-Daniel Tacier. Solving underdeﬁned systems of multivariate quadratic equations. In Public Key Cryp- tography - PKC 2002, vol. 2274 of LNCS (Lecture Notes in Computer Science), pp. 211 - 227. David Naccache and Pascal Paillier, editors, Springer, 2002.

87 [42] Computational Algebra Group, University of Sydney. The MAGMA Com- putational Algebra System for Algebra, Number Theory and Geometry. http://magma.maths.usyd.edu.au/magma/

88 Appendix

89 Appendix A

Appendix: TTS Attack Details

90 A.1 The linear mapping L1 given by a matrix A1 and a vector b1 from the simulation program with k = GF (4)

The 20 × 20 invertible matrix A1 and the 1 × 20 constant vector b1 are used to deﬁne the aﬃne linear mapping L1 in the secret key.

L1([x1, . . . , x20]) = [x1, . . . , x20] × A1 + b1

 a 0 a 0 a2 0 a a a2 0 0 a 0 0 a2 1 a 1 0 a2  0 1 a2 a a2 a 0 1 1 0 a a a 0 1 a2 0 a2 a 1  a 1 a2 a2 a a2 1 a2 a a a a2 a2 a2 a 1 1 1 a2 a2   1 0 a a 1 1 a2 a2 1 1 a2 a2 1 1 a2 a 0 a a2 a2   2 2   1 1 0 0 a a a a a a 0 0 1 a 1 1 a a 0 1   a2 0 a2 a a2 1 0 1 1 a 1 1 a a a2 a2 0 a 0 a2   0 a a 0 a a2 1 a 0 a 0 0 0 a 0 a2 0 a a2 0   2 2 2 2 2 2   0 a a a a a 1 1 1 a a a a 0 a 0 1 0 a 1   a2 0 a 0 0 1 1 a2 1 a2 0 0 a a2 1 1 0 0 a2 1   0 0 1 a a 1 1 0 a 0 0 1 0 a a a a 0 a2 1  A1 =  2 2 2 2 2 2  ,  a 0 a a 0 a 0 a 1 1 a a 0 a a a 1 0 a 0   a2 a 1 a2 0 1 0 a2 a a2 0 a a2 a2 a a2 0 0 a a   1 a2 0 a2 a2 0 0 0 a2 a2 a 0 1 a2 a 0 a2 1 0 a   0 a a2 a a 0 a a2 a a 0 a 1 a2 1 a a 0 a2 1   2 2 2 2 2 2   1 1 1 a 1 a a a a 0 a 0 a 0 0 1 a a 1 1   1 a a2 0 a 0 a 0 1 1 1 1 a2 a a a 1 1 a2 1   a 0 a a 0 a 1 1 1 1 1 a2 a 1 1 0 a2 a 1 a2   2 2 2 2 2 2 2 2 2   a a a a 1 a 0 1 1 1 a 1 a a a a 1 a 1 a  a 1 a a2 a2 1 a2 a a a 1 0 1 0 a2 a a2 0 0 0 a 1 a 0 a2 a a a a 0 1 1 a a2 a2 a2 a 1 0 a

2 2 2 2 2 2 2 b1 = a 0 a 1 1 0 1 0 0 1 a 0 a a a a a a 1 a .

91 A.2 The linear mapping L2 given by a matrix A2 and a vector b2 from the simulation program with k = GF (4)

The 28 × 28 invertible matrix A2 and the 1 × 28 constant vector b2 are used to deﬁne the aﬃne linear mapping L2 in the secret key.

L2([x1, . . . , x28]) = [x1, . . . , x28] × A2 + b2

92  1 a2 1 1 1 1 1 a2 a 1 a 1 a2 1 0 1 0 a a 1 a 0 0 a2 a a 0 a  a 0 0 1 1 1 a2 0 0 a2 a2 a2 1 a a 0 a2 0 0 1 a2 a 0 a2 0 a2 a 0  a2 0 a a2 1 a2 a 0 0 a2 a 1 a2 a2 a 1 1 a2 a a2 a 0 a2 a2 a 1 0 0   0 a2 0 0 1 a 1 0 a2 1 1 1 0 0 a 0 a 1 1 a 0 a 1 0 1 1 1 a   2 2 2 2 2 2   a 1 1 a 1 a 0 0 a 1 1 a a a 0 1 a 1 1 a 0 0 a a a a 1 a   a2 0 a2 a 1 a2 0 0 1 0 a2 a 1 0 1 a a a a2 1 0 a2 a a a2 0 0 a   a2 0 a a 1 1 a a a2 a2 0 1 a a2 a a2 1 a2 a a2 1 0 a 1 a2 0 a2 0   2 2 2 2   a 0 1 a a a a 1 0 a a 0 a 0 1 a 0 a a a a a 0 1 a 0 a 1   1 0 a2 a a a2 0 1 a2 a 1 1 a2 0 1 a2 a a2 1 1 0 0 0 a a a a2 0   a2 a a2 0 a a 1 1 0 a2 0 a2 0 a 1 a2 a2 a 1 a a2 0 1 a2 1 a 1 0   2 2 2 2 2 2   a a 1 a a 1 0 0 0 1 0 0 0 0 a 0 a a a 1 1 a a a a 1 a 1   1 a2 a2 a a 1 a a 1 a a 1 a a a a2 1 0 1 1 a 1 a2 1 1 1 a a   0 a a2 1 a2 a a a 1 a2 1 0 a2 1 1 0 a 1 a2 a 0 1 0 1 a 1 a a2   a2 a2 a 0 0 0 1 a a2 a 1 a a2 a 0 a2 a2 a a2 1 1 a a2 a 1 1 1 a2  A =  2 2 2 2 2  , 2  a a 1 0 0 1 0 a a a a a a a 1 0 0 0 0 a 1 0 1 a a a 1 a   a a2 0 0 a2 a2 a2 a a a 1 a2 a 1 0 a 1 a2 0 a a a2 1 1 1 a a a   2 2 2 2 2 2 2   a a 1 a a a a a 0 0 a 1 1 a 0 a a a 0 1 0 0 0 a a 0 1 1   a 0 a a 1 a a2 1 0 a a 0 1 a 0 1 1 a 0 a2 0 0 a2 a2 0 a a 0   0 a2 1 a2 0 a2 0 1 a a 0 a2 a2 1 1 a2 0 0 a2 a a2 a a2 a2 a 0 a2 0 

93  2 2 2 2 2 2 2 2   a 0 a 0 a 0 1 0 a 1 a a a a 1 1 1 a 0 a a 1 0 a a a 0 a   a2 a2 1 a 1 a a 1 a a a2 0 a2 1 a2 0 a 0 1 0 a2 1 a 1 a2 a2 0 a   1 0 a a2 a2 a2 0 1 1 1 a a2 1 1 a 1 a2 0 1 a2 0 0 1 1 a a2 1 0   2 2 2 2 2   a 0 0 a a a a 0 a a 1 1 1 0 a a 0 1 a 1 a a 1 a 1 a 0 a   a 0 1 1 a a 0 a 0 1 a 1 a2 a2 0 a a2 a2 0 a 0 1 1 a2 1 a2 1 a   1 1 a a 1 a2 0 a2 a 1 a a2 a 1 1 0 a2 0 a 1 1 a 0 0 a a2 a2 0   a2 a2 0 a2 0 1 a 1 1 1 0 a 1 a2 a a 0 0 1 a2 1 1 1 1 a2 a 1 1   a2 a2 0 1 1 0 1 1 0 1 a2 1 a a2 a a2 1 a2 a2 1 a2 a2 a a2 0 a2 a2 a2  a 1 0 a2 a 1 1 a2 0 a2 a2 0 a 1 a2 a2 0 a2 0 a a2 a2 a2 a2 1 1 1 1

2 2 2 2 2 2 2 2 2 2 b2 = a a 1 a 1 1 1 a a 0 a 0 a a a 0 a 1 a a 0 a 0 a 1 1 1 a . A.3 A Matrix A3 from the simulation program with k = GF (4)

The invertible 28 × 28 matrix A3 is used to construct the linear mapping L3 in the ﬁrst step attack.

L3([x1, . . . , x28]) = [x1, . . . , x28] × A3

Here, the matrix A3 has the following properties,

t ¯ 0 Bi A3MiA3 = Mi = t , 1 ≤ i ≤ 20 Bi Di

Here, each Mi is the bilinear form of the public key quadratic polynomial Fi for integer 1 ≤ i ≤ 20. ¯ t In each matrix Mi, 0 is a 13 × 13 zero matrix. Each Bi is a 13 × 15 matrix. Bi is t the transpose matrix of Bi. And hence each Bi is a 15 × 13 matrix. Each Di is a 15 × 15 symmetric matrix.

94  a 1 a2 a2 a a 1 a2 1 1 1 a 1 a2 a2 1 a2 a 1 0 0 1 1 a a2 a 0 1  a2 a 1 0 0 a 0 0 a2 1 a2 1 a 1 1 a2 a 1 1 a2 1 1 a 1 1 a2 1 1  a2 1 a2 a2 a 0 1 1 a a a2 0 a2 a 0 1 a 1 a 1 1 a a2 a 0 a 1 0   a a2 0 a2 a2 0 1 a a2 a 1 a a2 a2 1 1 a2 a a2 0 a2 a a2 a a2 0 a2 1   2 2 2 2 2 2 2 2   a a 0 a 1 1 0 0 0 a 1 a 0 a a 0 a a a 1 0 1 0 a a a a a   a a2 1 0 1 a2 a2 a2 0 1 a 0 a 0 1 1 0 0 a2 a2 0 a a 0 1 1 a2 a   a2 1 0 1 a 1 a 0 a 1 a 1 0 0 a 1 a a2 0 1 a a2 a2 0 a 0 0 0   2 2 2 2 2 2 2 2 2 2 2   a 1 a a a a a a 0 0 a 1 a 0 0 a a a 0 a 1 1 0 a 0 a 0 a   0 a a2 1 a2 a2 0 a2 1 1 a 1 a2 a2 0 a2 0 0 a a a a a 0 a a a2 1   0 a 1 a2 a2 a a a2 a2 0 0 0 a a a a 1 a 1 0 a2 a2 a2 0 a a2 1 1   2 2 2 2 2   0 0 a a 0 0 1 0 a a a 1 a 0 1 a a a 1 a a a 0 a a a 1 0   0 a 1 1 a2 1 1 a a 0 a a2 a2 a2 a a a2 0 0 a2 0 a2 0 0 1 a2 0 a   a a 0 a 0 a2 a 0 0 1 a 0 0 a2 a 0 a2 0 1 0 a2 0 a2 a 1 1 a2 0   a2 a 0 0 a2 0 a 1 a2 0 1 a2 a a a a2 a2 a a2 a 1 a 1 a2 a a2 0 1  A =  2 2 2 2 2 2 2 2 2 2 2  . 3  0 a a 1 a a 1 0 a 1 a 0 a 0 1 a a a a a 1 a a a a a a a   a2 0 1 1 a2 1 a 0 1 a2 0 a2 a2 0 a a a2 a2 a a2 a2 1 1 a2 1 0 a2 a   2 2 2   a 1 0 a 0 a a 1 a 0 1 0 a a a a 1 a a a 1 1 1 a 0 a a 1   0 1 0 1 1 0 a2 a 1 a a 1 a a 0 a2 a2 a2 1 1 a2 0 0 a2 1 1 1 0   a a2 1 a2 0 1 0 1 a2 1 a 1 1 a2 1 a 0 a 0 0 1 a 0 1 0 0 1 a 

95  2 2 2   a a a 0 0 0 1 a 1 a 1 0 1 0 0 a a 0 0 1 a 0 0 a 1 1 1 1   1 1 0 0 a2 a2 a2 a 1 0 a2 a 1 a2 1 0 a2 a a a 1 0 a a2 a 1 a2 a   0 a2 a2 1 a2 a a2 a2 0 a 1 a2 a a2 1 1 0 a2 0 0 a a a2 1 a2 0 a2 0   2 2 2 2 2 2 2 2 2   a a a a a 1 1 1 a 0 a a 0 a a 0 0 a a a a a 0 1 a 1 a a   0 a 1 1 a2 1 a2 0 a 0 1 a a2 a a2 a2 0 a2 a2 a2 0 0 a 1 a 1 0 a   a2 1 0 0 a2 1 a2 0 1 a2 a a2 a a a a2 a2 1 a 1 a a a a 1 0 a2 a2   1 1 0 0 a2 0 0 a a 1 a2 0 0 a2 0 a2 a2 a a2 a a2 a2 a2 a 0 1 a2 a   a2 a a 1 a 1 0 a 0 a2 a2 a2 a a 0 a a2 0 a a2 0 a2 a a2 a2 0 a a  a2 a 1 a2 a 0 1 1 a a 1 a2 0 1 0 a2 0 0 0 a a2 a a2 a2 a a2 a2 a2 A.4 A Matrix A4 from the simulation program with k = GF (4)

The invertible 28 × 28 matrix A4 is used to construct the linear mapping L4 in the third step attack.

L4([x1, . . . , x28]) = [x1, . . . , x28] × A4

Here, the matrix A4 has the following properties,

˜ t ˜ 0 Bi A4MiA4 = Mi = ˜t ˜ , 1 ≤ i ≤ 20 Bi Di

Here, each Mi is the bilinear form of the public key quadratic polynomial Fi for integer 1 ≤ i ≤ 20. ˜ ˜ ˜t In each matrix Mi, 0 is a 9 × 9 zero matrix. Each Bi is a 9 × 19 matrix. Bi is the ˜ ˜t ˜ transpose matrix of Bi. And hence each Bi is a 19 × 9 matrix. Each Di is a 19 × 19 symmetric matrix.

96  00000100101 a2 0 a2 a2 a2 1 a2 a2 a2 a 1 1 1 a2 a a a2  10000000001 a 1 a 0 0 0 1 1 a2 a 1 a a 1 0 a 0  0 0 0 1 0 0 0 0 a2 0 0 0 1 a a2 a2 0 a2 1 a2 a 0 0 a a a 0 a   2 2 2 2 2   0 0 0 0 1 0 0 0 0 0 a 0 a a a a a a a a 1 0 1 a a a a 1   000000000100 0 a2 0 1 a2 1 0 a a2 a2 0 a 1 a2 a2 a   0 0 1 0 0 0 0 0 a 0 0 a a 1 1 a a2 a2 1 0 1 a2 a a2 0 a2 a a2   0 0 0 0 0 0 1 0 a2 0 a a2 0 0 1 a2 1 0 0 1 a2 1 a a2 a2 1 0 a   2 2 2 2 2   00000001100 a a 0 0 1 a 1 1 a a 0 1 a 0 1 0 a   0 1 0 0 0 0 0 0 a2 0 0 a2 a a2 0 1 a2 a2 1 a2 1 0 a2 a2 a 0 1 a2     0000000000100000000000000000   0000000000000000100000000000   0000000000010000000000000000     0000000000000001000000000000  A =  0000000000000100000000000000  . 4  0000000000000010000000000000   0000000000000000000000000100     0000000000000000000000000010   0000000000000000010000000000   0000000000000000000010000000     0000000000000000000000000001  97  0000000000001000000000000000   0000000000000000000000001000     0000000000000000000100000000   0000000000000000001000000000   0000000010000000000000000000   0000000000000000000000100000   0000000000000000000000010000  0000000000000000000001000000 A.5 A Matrix A5 from the simulation program with k = GF (4)

The invertible 28 × 28 matrix A5 is used to construct the linear mapping L5 in the six step attack.

L5([x1, . . . , x28]) = [x1, . . . , x28] × A5

Here, the matrix A5 has the following properties,

t 0 0 A5BA5 = ˜ . 0 di Here, B is the symmetric matrix of the bilinear form corresponding to the quadratic ˜ part of any polynomial in G1. The upper left block 0 is a 12 × 12 zero matrix, upper right block 0 is a 12 × 16 zero ˆ matrix, lower left block 0 is a 16 × 12 zero matrix, di is a 16 × 16 symmetric matrix.

98  a 0 a2 a2 a a2 0 1 1 a2 a a2 1 1 a2 a2 0 0 a2 a2 1 a2 0 a 1 0 a2 a2  a2 0 1 0 a a2 a2 0 1 a 1 a2 0 a2 a 1 a a 1 a a2 1 0 a2 a2 0 a2 1  a 0 0 a2 1 a 0 1 1 1 0 a 0 0 a a2 a a2 a 1 0 1 1 0 0 0 a2 a   0 0 0 1 a 1 1 a a2 1 0 1 a2 1 a 1 1 0 1 1 a2 a2 a2 0 0 a2 0 a   2 2 2 2 2   0 0 1 a 0 a a a 0 a a a a a a 1 a a 1 a 0 a a a a a 0 1   1 a 1 1 a2 a 1 a2 a 0 0 1 a 0 a2 0 a a2 a2 a a 1 1 0 a2 1 a2 a   1 0 a2 a2 1 a 0 a2 a 1 1 0 a2 0 a a2 1 0 0 a a2 a a2 a2 a a 0 a2   2 2 2 2 2 2 2 2 2   a a 0 a 0 0 a 0 1 1 1 0 0 a 0 1 a a a 1 a a a a a 0 a a   0 0 a a 0 1 a 0 a 1 a 1 1 1 a 1 1 a a2 a 1 1 1 0 0 1 a 0   0 a a2 1 a2 a a2 a2 0 a2 a 1 0 a a2 1 a2 0 0 a 1 1 a2 a2 0 0 0 1   2 2 2 2 2 2 2 2   0 a a a a 1 0 a 1 a 0 a 1 a a 1 1 a 1 1 a 1 0 a a 0 1 a   a 0 1 a2 a2 a a2 a a 1 0 a2 a2 0 0 a 0 0 1 a2 a2 a2 a2 a 0 a a2 a   a 1 a2 a2 a a 1 a2 1 1 1 a 1 a2 a2 1 a2 a 1 0 0 1 1 a a2 a 0 1   0 a a2 a 1 1 0 0 a2 a a2 1 1 a2 1 a 0 0 0 1 0 1 a a a2 a 0 a2  A =  2 2 2 2 2 2 2 2 2  . 5  1 a a a a 0 1 a a 0 a a a a a a 1 a 0 a 1 0 a a a 1 1 0   a 0 1 1 0 0 0 0 a2 a a2 0 1 0 a2 0 a2 a2 0 1 a 1 1 1 0 0 a2 1   2 2 2 2 2 2 2   0 a a a a a 1 1 1 a 0 1 1 a 1 a 0 0 a a 0 a 1 a 1 1 0 1   1 0 1 1 1 1 a2 0 0 a a2 1 0 1 a2 a 0 0 a a a2 a2 a 1 0 1 0 0   1 a a2 0 1 0 0 a2 1 0 a a 0 1 1 0 1 a2 1 1 a 0 0 0 a2 a a 1 

99  2 2 2 2 2 2 2 2 2 2   a 1 a a 1 1 1 a 0 0 0 a a 1 1 a a a a 1 0 a a a 0 0 0 a   1 1 a 1 a 0 0 0 a2 0 0 a a a a a 0 a2 a2 a2 0 a a 0 0 0 0 1   a 0 a 0 0 0 1 1 1 a2 1 0 a2 1 a2 1 a2 1 1 1 1 0 1 1 1 a 0 1   2 2 2 2 2   0 a a 0 a a 1 a 1 0 0 0 0 1 a a 0 1 0 a a 1 a a a 0 a a   1 0 a2 0 0 a a2 a2 0 a a a2 0 a2 1 a a 1 a 1 0 a 1 a2 a 0 1 a2   0 0 0 a2 1 1 0 a2 1 0 a a2 0 a2 1 a2 0 1 0 0 a2 0 a a2 0 a a2 a2   0 a 1 a 0 a 0 1 1 a 1 a2 1 a 1 0 a 0 0 a2 a2 1 0 a2 0 0 0 1   a2 0 0 a2 0 a2 0 0 a2 0 0 a a2 1 a2 1 1 a a2 0 a a a a a a2 a 0  1 1 a 0 a2 a 1 a2 a a2 0 1 1 a2 a2 0 0 0 0 1 1 1 1 1 a2 a 1 1 100 Appendix B

Appendix: Details for UOV Signature Scheme Attack

101 B.1 The source code for the oil vinegar system attack using MAGMA

The source code was written by Zhijun Yin in MAGMA language. MAGMA is a computational algebra system with implemented F 4 algorithm. The system diagram is the followings,

L g ? kn - kn - ko

Figure B.1: Oil-vinegar Signature Scheme Diagram

//======//Oil-Vinegar Signature Scheme //Magma code //By Zhijun Yin ([email protected]) completed on 7/29/2010 //======

//------//System Diagram // L g // k^n ----> k^n ----> k^o // X Z Y // ------> // f

102 //------clear; SetSeed(12,3456789); q := 2; //Order of the finite field G:=GF(q); //Finite field with q elements out := ".\\output\\V1GF2.txt"; SetOutputFile(out : Overwrite := true); print "The experiment of Oil Vinegar Scheme\n"; print "q = ", q, "v = 1.5*o"; print "\n Magma Code by Zhijun Yin ([email protected]) on 7/29/2010\n"; print "Time","\tMemory"; UnsetOutputFile(); print "======"; print " Oil-Vinegar Signature Scheme"; print "======"; print " System Diagram:"; print "------"; print " L g"; print " k^n ---> k^n ---> k^o"; print " X Z Y"; print " ------>"; print " f"; print "------\n"; print "\n Magma Code by Zhijun Yin ([email protected]) on 7/29/2010\n"; for o in [1..18] do //Number of oil variables v := Floor(1.5*o); //Number of vinegar variables

103 n := o+v; P<[x]> := PolynomialRing( G, n ) ; SetOutputFile(out); print "\nq = ", q, "o = ", o; UnsetOutputFile();

// Affine linear transformation L from k^n to k^n repeat L1 := Matrix(P,n,n,[: i,j in [1..n]]); //linear terms L1 until Determinant( L1 ) ne 0; L0 := Matrix(P,n,1,[Random(G) : i in [1..n]] ) ; //constant terms L0

//Generate the oil-vinegar polynomial system g := [P!Random(G) : i in [1..o]]; //Constant terms for i in [1..o] do for j in [1..o] do //x[o]*x[v] terms g[i] +:= (P!Random(G))*x[j]; for k in [1..v] do g[i] +:= (P!Random(G))*x[j]*x[o+k]; end for; end for;

for j in [1..v] do //x[v]*x[v] terms g[i] +:= (P!Random(G))*x[o+j]; for k in [1..j] do g[i] +:= (P!Random(G))*x[o+j]*x[o+k]; end for;

104 end for; end for; //Generate the public key F(X) = g(L(X)) xVec := Matrix(P,n,1,[x[i]: i in [1..n]]); //(x_1,...,x_o,...,x_(o+v)) the plain text (Or signature variable) zV2 := L1 * xVec + L0 ; //same as zVec: prepare for the evaluation zV3 := [] ; //The vector form of the matrix xV2 for i in [1..n] do zV3[i] := zV2[i,1] ; end for ; f := [Evaluate(g[i], zV3) : i in [1..o]];

//print "Publie key multivariate polynomials:\n",f; //Using the public key to get y0 = f(x0), then using the last v values // as the guess of x to solve for the rest x values for loop in [1..10] do //do 10 experiment for fix system with different chosen x0 and y0 t := Cputime();ResetMaximumMemoryUsage(); //Evaluate the system at the chosen vinegar variable values xValue := [Random(G) : i in [1..n]]; //signature yValue := [Evaluate(f[i], xValue) : i in [1..o]]; document := [yValue[i] : i in [1..o]]; //Original Document Q<[x]> := PolynomialRing(G,o); sol := []; while sol eq [] do xGuess := [xValue[i]: i in [o+1..n]]; //using smart guess strategy xVector := [x[i] : i in [1..o]] cat xGuess;

105 eqns := [Evaluate(f[i], xVector) - yValue[i] : i in [1..o]]; eqns := eqns cat [x[i]^q - x[i] : i in [1..o]]; I := ideal; Groebner(I); sol := Variety(I); end while; //Check if the solution is real solution realsol := []; for j in [1..#sol] do doc := [Evaluate(f[i],[sol[j,k]:k in [1..o]] cat xGuess):i in [1..o]]; if doc eq document then Append(~realsol, sol[j]); end if; end for;