Key Recovery Attack on the Cubic ABC Simple-Matrix Encryption Scheme Dustin Moody, *Ray Perlner, Daniel Smith-Tone Outline

Home , ABC (stream cipher)

Key Recovery Attack on The Cubic ABC Simple-Matrix Encryption Scheme Dustin Moody, *Ray Perlner, Daniel Smith-Tone Outline

• Multivariate Cryptography • Cubic ABC • Differential Structure (Band Spaces and Band Kernels) • Finding the Structure • Conclusion Multivariate cryptography

• Public key is a system of 푚 polynomial equations in 푛 varibles over 퐹푞 E.g. 3 2 2 푦1 = 2푥1 + 푥1 푥2 + 푥2 + 3푥1 + 푥2 + 1 2 2 푦2 = 2푥1 푥2 + 3푥1푥2 + 푥1푥2 + 4푥1 • Plaintext is given by 푥푖 and ciphertext is given by 푦푖. • Solving multivariate systems of equations is NP hard in general for polynomials of degree 2 or higher. • Most schemes use degree 2 polynomials; we will be considering a degree 3 scheme. • Private key is some special structure that allows the private-key holder to solve for 푥푖. • Most known schemes only produce secure signatures; we will be considering an encryption scheme. Multivariate Cryptography 2 Butterfly Construction • In most multivariate schemes (Cubic ABC included) the public key is constructed as: 푓푝푢푏(푥) = 풯 ∘ 푓 ∘ 풰(푥) • 푓 is an easily invertible Quadratic/Cubic function 푛 • 푓 is often defined by identifying (퐹푞) with a larger algebraic structure (e.g. an extension field like 퐹푞푛.) • The ABC scheme defines 푓 using a matrix algebra over 퐹푞.

• 풯 and 풰 are affine maps • E.g. 푢1 = 푥1 + 3푥2 + 4 푢2 = 3푥1 + 2푥2 + 1 • Singular maps are sometimes used for signatures. Here we use invertible maps. Cubic ABC (Ding, Petzoldt, Wang 2014) • Cubic ABC is a multivariate encryption scheme • One of the few promising candidates • Modifies the (quadratic) Simple Matrix Encryption Scheme (Tao, Dienne, Tang, Ding 2013) • Heuristic argument claiming to rule out structural attacks • Parameters • 푞: size of the finite field for the variables • 푠: dimension of matrices used in the central map • The central map has 푠2 input variables and 2푠2 output variables. Cubic ABC: The Core Map

• Central map is 푠2 → 2푠2 function where the equations are grouped as the elements of two matrices 푓 푥Ԧ = 퐸1 푥Ԧ , 퐸2 푥Ԧ 퐸1 = 퐴퐵; 퐸2 = 퐴퐶 • 푏푖,푐푖 are linear functions of 푥Ԧ. • 푝푖 are quadratic functions of 푥Ԧ.

• Decryption proceeds by solving: −1 (퐴(푥Ԧ)) 퐸1 = 퐵 푥Ԧ −1 (퐴(푥Ԧ)) 퐸2 = 퐶 푥Ԧ for (퐴(푥Ԧ))−1 and 푥Ԧ. (Linear) Cubic ABC: The Core Map

• Decryption proceeds by solving: −1 (퐴(푥Ԧ)) 퐸1 = 퐵 푥Ԧ −1 (퐴(푥Ԧ)) 퐸2 = 퐶 푥Ԧ for (퐴(푥Ԧ))−1 and 푥Ԧ. (Linear) Quadratic ABC: The Core Map

• Central map is 푠2 → 2푠2 function where the equations are grouped as the elements of two matrices 푓 푥Ԧ = 퐸1 푥Ԧ , 퐸2 푥Ԧ 퐸1 = 퐴퐵; 퐸2 = 퐴퐶 • 푏푖,푐푖 are linear functions of 푥Ԧ. • 푝푖 = 푥푖.

• Decryption proceeds by solving: −1 (퐴(푥Ԧ)) 퐸1 = 퐵 푥Ԧ −1 (퐴(푥Ԧ)) 퐸2 = 퐶 푥Ԧ for (퐴(푥Ԧ))−1 and 푥Ԧ. (Linear) Special structure of Quadratic ABC (Row Band Spaces)

퐴퐵 = 퐸1

푏푗 푥 푥 … 푥 푏푠+푗 퐸 푖−1 푠+1 푖−1 푠+2 푖푠 = 푖−1 푠+푗 ⋮ 푏푠2 −푠+푗

• Note that all quadratic monomials in (퐸 푖−1 푠+1, … , 퐸푖푠) contain one of the 푠 variables (푥 푖−1 푠+1, … , 푥푖푠) • We previously used this structure to cryptanalyze the quadratic ABC scheme. (Moody, Perlner, Smith-Tone 2014) Special Structure of Cubic (and Quadratic) ABC (Column Band Spaces)

퐴퐵 = 퐸1

푏푗 푝 푝 … 푝 푏푠+푗 퐸 푖−1 푠+1 푖−1 푠+2 푖푠 = 푖−1 푠+푗 ⋮ 푏푠2 −푠+푗

′ ′ ′ ′ • Under a basis (푢 1, … 푢 푠2) where 푢 1, … 푢 푠 = (푏푗(푥Ԧ), 푏푠+푗(푥Ԧ) … 푏푠2−푠+푗(푥Ԧ)): • All cubic monomials in column 푗 of 퐸, i.e. (퐸 (푥Ԧ), 퐸 (푥Ԧ) … 퐸 2 (푥Ԧ)) ′ ′ 푗 푠+푗 푠 −푠+푗 contain at least one factor of 푢 1, … 푢 푠 • We will call these 푠 equations (and their linear combination) band-space maps • We will also define the band kernel: The space of vectors 푥Ԧ, such that ′ ′ (푢 1 푥Ԧ , … , 푢 푠 푥Ԧ ) = 0 How many band spaces are there:

• Not only do the columns of 푬ퟏ = 푨푩 and 푬ퟐ = 푨푪 define band spaces, but fixed linear combinations of the columns (휷, 휸) do as well. • Band Space:

• Band Kernel:

(푥 ∈ ℬ풦훽,훾) A Formal Tool for Describing the Structure: The Discrete Differential

• Definition: 푫풇 풙, 풂 = 풇 풙 + 풂 − 풇 풙 − 풇 풂 + 풇 ퟎ • We will be considering the structure of cubic monomials, so we will use 푫ퟐ풇(풂, 풃, 풙) • Useful properties: • Its entries are the coefficients of cubic monomials in 풇

푓 푥Ԧ = ෍ 푎푖푗푘푥푖푥푗푥푘 푖≤푗≤푘 2 2 ⇒ 퐷 푓 푎Ԧ, 푏Ԧ, 푥Ԧ = ෍ (퐷 푓)푖푗푘푎푖푏푗푥푘 ; 푖≤푗≤푘 푎푖푗푘 푖 ≠ 푗 ≠ 푘 2 (퐷 푓)푖푗푘 = ൞2푎푖푗푘 푖 = 푗 ≠ 푘 6푎푖푗푘 푖 = 푗 = 푘

• 푫ퟐ풇 is a 3-tensor: i.e for linear maps/ changes of basis 푼:

푓′ 푥Ԧ = 푓 푈푥Ԧ ⇒ 퐷2푓′ 푎Ԧ, 푏Ԧ, 푥Ԧ = 퐷2푓(푈푎Ԧ, 푈 푏Ԧ, 푈푥Ԧ) Or equivalently: 2 2 (퐷 푓′)푖푗푘 = ෍ (퐷 푓)푙푚푛푈푙푖푈푚푗푈푛푘 푙,푚,푛 The (2nd) Differential Form of Band-Space Maps Some properties of band-space differentials. (in the 푢′푖 basis)

• For three vectors 푥1, 푥2, 푥3 ∈ ℬ풦훽,훾: 2 퐷 ℰ훽,훾 푥1, 푥2, 푥3 = 0

• For two vectors 푥1, 푥2 ∈ ℬ풦훽,훾: 2 ′ ′ 퐷 ℰ훽,훾 푥1, 푥2 = (푦 푢 1 , … , 푦 푢 푠 , 0, … , 0) 2 • Note that 퐷 ℰ훽,훾 maps 푥1, 푥2 to an 푠-dimensional subspace of linear forms

• For one vector 푥1 ∈ ℬ풦훽,훾: 푆 − 푅 − | 퐷2ℰ 푥 = 훽,훾 1 푅푇 0 |

• Note that the rank of the resulting 2-tensor (matrix) is at most 2푠. • But the components of the public key aren’t band-space maps, but linear combinations of them, under the private transformation 풯, since 푓푝푢푏(푥) = 풯 ∘ 푓 ∘ 풰(푥) Our attack strategy (Modified MinRank)

2 • Select 푠 -dimensional vectors, 푥1, 푥2, 푥3, 푥4.

• Solve 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥2 = 0 푖=1

2푠2 2 ෍ 푡푖퐷 ℰ푖 푥3, 푥4 = 0 푖=1 For 푡푖.

2푠2 2 • Hope that σ푖=1 푡푖퐷 ℰ푖 ∈ 픅훽,훾 and 푥1, 푥2, 푥3, 푥4 ∈ ℬ풦훽,훾

2푠2 2 • If so, the 2-tensor σ푖=1 푡푖퐷 ℰ푖 (푥푘) will have rank at most 2푠. Setting some vectors equal

• We can increase the probability that the vectors share a band kernel by setting some of them equal to one another (e.g. by solving:) 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥1 = 0 푖=1

2푠2 2 ෍ 푡푖퐷 ℰ푖 푥2, 푥2 = 0 푖=1 2 • This works in odd characteristic, but in characteristic 2, 퐷 ℰ푖 푥1, 푥1 = 0 by symmetry. So the best we can do there is: 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥2 = 0 푖=1

2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥3 = 0 푖=1 How likely are random vectors to share a band kernel?

• 푥1, 푥2, … share a band kernel if there is a nontrivial linear relation on the columns of the matrix at right:

• If all four vectors are randomly chosen it’s a random 4푠 × 2푠 1 • Probability is ~ 푞−2푠 푞−1 • If we set a pair of vectors equal (e.g. 푥4 = 푥1) it’s a random 3푠 × 2푠 1 • Probability is ~ 푞−푠 푞−1 • If we set two pairs of vectors equal (e.g. 푥1 = 푥2; 푥3 = 푥4) it’s a random 2푠 × 2푠 1 • Probability is ~ 푞−1 If the vectors share a band kernel, how likely are we to find a band-space map? • We find a band space map if there exists nonzero (휏 , … , 휏 ) such that: 푠 1 푠 2 ෍ 휏푖퐷 ℰ훽,훾,푖 푥1, 푥2 = 0 푖=1 푠 2 ෍ 휏푖퐷 ℰ훽,훾,푖 푥3, 푥4 = 0 푖=1 푠 2 • Recall thatσ푖=1 휏푖퐷 ℰ훽,훾,푖 maps band kernel vectors to an 푠-dimensional space of linear forms. • Thus we have 2푠 (random) linear constrains on 푠 variables 1 • The probability that there is a nontrivial solution is ~ 푞−푠 푞−1 How big a space of solutions do we have to search through

• Even if a low rank solution exists to 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥2 = 0 푖=1

2푠2 2 ෍ 푡푖퐷 ℰ푖 푥3, 푥4 = 0, 푖=1 it isn’t necessarily the only one. • Generically we’d expect a 0 dimensional solution space (2푠2 equations in 2푠2 variables.) However, low characteristic imposes some linear dependencies: • Characteristic 2 2푠2 2 2푠2 2 2푠2 2 2푠2 2 • σ푖=1 푡푖퐷 ℰ푖 푥1, 푥2 (푥1) = σ푖=1 푡푖퐷 ℰ푖 푥1, 푥2 (푥2) = σ푖=1 푡푖퐷 ℰ푖 푥3, 푥4 (푥3) = σ푖=1 푡푖퐷 ℰ푖 푥3, 푥4 (푥4) = 0 2푠2 2 2푠2 2 • And if 푥4=푥1: σ푖=1 푡푖퐷 ℰ푖 푥1, 푥2 푥3 + σ푖=1 푡푖퐷 ℰ푖 푥1, 푥3 (푥2) = 0

• So we expect a 5 dimensional solution space which requires 푞4 + 푞3 + 푞2 + 푞 + 1 rank computations to search.

• Characteristic 3 (푥1 = 푥2; 푥3 = 푥4) 2푠2 2 2푠2 2 • σ푖=1 푡푖퐷 ℰ푖 푥1, 푥1 (푥1) = σ푖=1 푡푖퐷 ℰ푖 푥2, 푥2 (푥2) = 0

• So we expect a 2 dimensional solution space which requires 푞 + 1 rank computations to search. Putting it all together

• Once a band space map is found, a full key recovery is possible at minimal additional cost. How bad is the attack

• Finding a band-space map costs approximately • 푞2푠+6푠2휔 for characteristic 2. • 푞푠+3푠2휔 for characteristic 3. • 푞푠+2푠2휔 for higher characteristic. (휔 ≈ 2.373 is the linear algebra constant.) • Once a band space map is found, a full key recovery is possible at minimal additional cost. • We previously did a similar analysis of quadratic ABC: • 푞푠+4푠2휔 for characteristic 2. • 푞푠+2푠2휔 for higher characteristic. • Cubic ABC does not eliminate structural attacks (which was the original goal) • The proposed parameters are still ok (since they used characteristic 2) • However, our attack breaks odd characteristic versions of cubic ABC that previously published analysis says should be secure. Thank You! Key Recovery: Overall Strategy

• Find an equivalent private key. i.e. 풯′, 퐴′, 퐵′, 퐶′ such that ′ ′ ′ ′ ′ 풯 ∘ 퐴 푥 퐵 푥 , 퐴 푥 퐶 푥 = ℰ푝푢푏(푥) • Note that 풰′ is unnecessary, since 푝 풰′ 푥 is still a random quadratic polynomial in 푥 and 푏 풰′ 푥 and 푐 풰′ 푥 are still random linear polynomials. • Multistep process starting with a single band space map and two band kernel vectors: 1. Solve for the whole band kernel. 2. Solve for the whole band space. ′ 푇 3. Solve for a column of 퐵 : (푣1, … , 푣푠) .

′ 4. Solve for 퐴 (mod 푣1, … , 푣푠). ′ 5. Solve for 퐵 and 퐶′ (mod 푣1, … , 푣푠) and 풯′. ′ 6. Select another column of 퐵 (mod 푣1, … , 푣푠) and solve for the corresponding band space.

7. Solve for the band kernel corresponding to the band space in step 6. 8. Solve for the rest of 퐴′. 9. Solve for the rest of 퐵′ and 퐶′ Key Recovery Step 1: Solving for the whole band kernel.

• Once we’ve found a band-space map ℰ훽,훾 and at least two vectors from the band kernel, we can find the whole band kernel by taking 2 2 the span of the union of the kernels of 퐷 ℰ훽,훾 푥1 and 퐷 ℰ훽,훾 푥2 • This works because, in a basis including generators of the band kernel 푆푘 − 푅푘 − 2 | 퐷 ℰ훽,훾 푥푘 = 푇 푅푘 0 | • With high probability each kernel contains 푠2 − 2푠 basis vectors of the (푠2−푠)-dimensional band kernel, and the union contains a full basis. Key Recovery Step 2: Solving for the whole band space

• The band space maps ℰ훽,훾 are simply the maps in the span of the public equations ℰ푖 such that 2 퐷 ℰ훽,훾 푥1, 푥2, 푥3 = 0 ∀푥1, 푥2, 푥3 ∈ ℬ풦훽,훾

• Call a basis of this space (ℰ훽,훾,1, … , ℰ훽,훾,푠) Key Recovery Step 3: Solving for the space of linear forms in 퐵훽 + 퐶훾 (This can be our first column of B’) • These are simply the space of linear forms 푣 such that 푣(푥) = 0 ∀푥 ∈ ℬ풦훽,훾

• Call a basis of this space (푣1, … , 푣푠) Key Recovery Step 4: ′ Solving for 퐴 (mod 푣1, … , 푣푠) 푇 푇 • 퐴 퐵훽 + 퐶훾 and 퐵훽 + 퐶훾 are related to (ℰ훽,훾,1, … , ℰ훽,훾,푠) and (푣1, … , 푣푠) by simple row operations: ℰ훽,훾,1 • 퐴 퐵훽 + 퐶훾 = Ω1 ⋮ ℰ훽,훾,푠 푣1 • 퐵훽 + 퐶훾 = Ω2 ⋮ 푣푠 ′ −1 • Therefore 퐴 = Ω1 퐴Ω2 is a solution of 푣1 ℰ훽,훾,1 퐴′ ⋮ = ⋮ 푣푠 ℰ훽,훾,푠 • However, the solution is only unique over polynomials modulo 푣1, … , 푣푠 • This is because we can get cancellations like 푝1푣1 + 푝2푣2 = (푝1+푢푣2)푣1 + (푝2−푢푣1)푣2 Key Recovery Step 5: ′ ′ ′−1 Solving for 퐵 and 퐶 (mod 푣1, … , 푣푠) and 풯 ′ ′ ′−1 • We can solve linear equations for 퐵 , 퐶 , and 풯 (mod 푣1, … , 푣푠)

′ ′ ′ ′ ′−1 퐴 퐵 , 퐴 퐶 = 풯 ∘ ℰ푝푢푏 (mod 푣1, … , 푣푠)

• The solution (mod 푣1, … , 푣푠) is (with high probability) unique up to column operations on 퐵′, 퐶′ • i.e. any solution will generate a valid private key. • Note that the coefficients of 풯′−1 are scalars, not polynomials, so ′−1 (mod 푣1, … , 푣푠) does not affect 풯 • We now have our 풯′. Key Recovery Step 6: Solving for another Band Space ′ (corresponding to another column of 퐵 (mod 푣1, … , 푣푠))

푇 ′ • Select a column (푣푠+1, … , 푣2푠) of 퐵 (mod 푣1, … , 푣푠)

• We can find the band space maps corresponding to this column of 퐵′ 푇 ′−1 by taking the corresponding column (퐹푠+1, … , 퐹2푠) of 풯 ∘ ℰ푝푢푏 • Note these band space maps are completely known (no mod 푣1, … , 푣푠)! Key Recovery Step 7: Solving for the Band Kernel (For the Band Space we found in Step 6) • We can solve for the intersection of our two band kernels as follows: • The intersection is the set of vectors 푥 such that: 푣푠+1 푥 , … , 푣2푠 푥 mod 푣1 푥 , … , 푣푠 푥 = 0 (푣1 푥 , … , 푣푠 푥 ) = 0 • Now we have (more than 1) equations in the second band space, and (more than 2) elements of the band kernel, so we can do what we did the last time: 2 2 • Take the span of the union of the kernels of 퐷 퐹푠+1푥1 and 퐷 퐹푠+1푥2 for 푥1 and 푥2 in the band kernel of (퐹푠+1, … , 퐹2푠). Key Recovery Step 8: Solving for the Rest of 퐴’ 푇 • With high probability (푣푠+1, … , 푣2푠) is fixed by 푇 • (푣푠+1, … , 푣2푠) (mod 푣1, … , 푣푠) • The condition that 푣푠+1 푥 , … , 푣2푠 푥 = 0 for any 푥 in the band kernel of (퐹푠+1, … , 퐹2푠)

푣1 퐹1 • 퐴′ ⋮ = ⋮ fixes 퐴′ (mod 푣1, … , 푣푠) 푣푠 퐹푠

푣푠+1 퐹푠+1 • 퐴′ ⋮ = ⋮ fixes 퐴′ (mod 푣푠+1, … , 푣2푠) 푣2푠 퐹2푠

• Together the two equations fix 퐴′ entirely. (assuming 푣1, … , 푣2푠 are linearly independent – high probability and easy to check.) Key Recovery Step 9: Solving for the rest of 퐵′ and 퐶′

• Same equation as before without the (mod 푣1, … , 푣푠)

′ ′ ′ ′ ′−1 퐴 퐵 , 퐴 퐶 = 풯 ∘ ℰ푝푢푏