MASARYK UNIVERSITY FACULTY OF INFORMATICS

Algebraic cryptanalysis of Hidden Field Equations family

BACHELOR'S THESIS

Adam Janovsky

Brno, Spring 2016

Declaration

I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Adam Janovský

Advisor: prof. RNDr. Jan Slovák, DrSc.

Abstract

The goal of this thesis is to present a Gröbner basis as a tool for algebraic cryptanalysis. First, the thesis shortly introduces asymmetric cryptography. Next, a Gröbner basis is presented and it is explained how a Gröbner basis can be used for algorithmic equation solving. Further, a fast algorithm for the Gröbner basis computation, the F4, is presented. The thesis then introduces the basic variant of Hidden Field Equations and discusses its vulnerability to algebraic attacks from the Gröbner basis perspective. Finally, the thesis gives an overview of recent results in algebraic cryptanalysis of Hidden Field Equations and suggests parameters that could make the algebraic attacks intractable.

Keywords

Gröbner basis, cryptanalysis, Hidden Field Equations, F4


Contents

1 Introduction 1
  1.1 Notation 2
2 Preliminaries 3
  2.1 Asymmetric cryptography 3
    2.1.1 Overview 3
    2.1.2 RSA 5
  2.2 Gröbner basis 7
  2.3 Equation solving 14
3 F4 algorithm for computing a Gröbner basis 19
4 Hidden Field Equations 27
  4.1 Overview of HFE 27
    4.1.1 Parameters of HFE 27
  4.2 Encryption and Decryption 29
    4.2.1 Encryption 29
    4.2.2 Decryption 31
  4.3 Public key derivation 32
5 Algebraic attacks on HFE 35
  5.1 Algebraic attack for q = 2 35
  5.2 Algebraic attack for odd q 37
6 Conclusions 41
Appendices 42
  A SAGE code 43
  B Gröbner basis for q = 11 47


1 Introduction

The thesis studies algebraic attacks against the basic variant of the Hidden Field Equations (HFE) cipher. Results for various attack parameters are examined and precautions to achieve higher security of HFE against algebraic attacks are suggested. The HFE family is an alternative to various ciphers based on factorizing integers or another number theory problem. These are proven to be insecure against quantum algorithms, which does not hold for HFE. Therefore it is important to understand the vulnerability of HFE to algebraic attacks in order to decide about its overall security in case the number theory ciphers become practically insecure. We restrict our attention to attacks from the Gröbner basis perspective and we develop the necessary theory throughout the text. Only a minimum amount of background is given in the cryptography area; for an introduction to cryptography, one can see [1]. More theory is given on Gröbner bases; however, proofs are often omitted and only basic context is provided. A great introductory text to Gröbner bases is [2].

In the second chapter asymmetric cryptography is presented and its concepts are demonstrated on an example. Further we study a Gröbner basis, we give Buchberger's algorithm for finding such a basis and we show how it can be used to solve a system of equations algorithmically. In the third chapter we discuss possible improvements of Buchberger's algorithm and we present Faugère's algorithm for fast Gröbner basis computation, the F4. In Chapter 4 we present the basic HFE variant and study its properties. We demonstrate how encryption and decryption are performed on an example and show how a public key is derived. Finally, Chapter 5 describes an algebraic attack against HFE. Different parameters of such attacks are discussed. The thesis suggests parameters that could make the algebraic attack against HFE intractable.

1.1 Notation

$\mathbb{N}, \mathbb{N}_0, \mathbb{Z}$: positive integers, non-negative integers, integers;

$\mathbb{Z}_n$: integers modulo $n$;

$\phi(n)$: Euler's phi function of $n$;

$a \equiv b \pmod n$: $a$ is congruent to $b$ modulo $n$, i.e. $n \mid a - b$;

$[x_1, \ldots, x_n]$: monomials over $x_1, \ldots, x_n$;

$k[x_1, \ldots, x_n]$: ring of polynomials over $k$ in variables $x_1, \ldots, x_n$;

$\gcd(f, g)$: greatest common divisor of $f$ and $g$;

$\mathrm{LCM}(f, g)$: least common multiple of $f$ and $g$;

$\mathrm{Mat}_{m,s}(k)$: set of matrices with $m$ rows and $s$ columns over $k$;

$\mathrm{GF}(q)$: Galois field with $q$ elements, where $q$ is a power of a prime;

$k[t]/(g(t))$: vector space generated by the irreducible polynomial $g$.

2 Preliminaries

The purpose of this chapter is to provide the theory and notation necessary to discuss algorithmic solving of multivariate polynomial systems. Also, the chapter introduces asymmetric cryptography and shows how solving a system of equations may lead to breaking a cipher. First, asymmetric cryptography is introduced. Next, a Gröbner basis is presented. Finally, we describe how a Gröbner basis can be used for solving a system of multivariate polynomial equations. We make no claim of self-sufficiency of this chapter. In the relevant parts of the text we refer the reader to recommended literature.

2.1 Asymmetric cryptography

In this section some basics of asymmetric cryptography are introduced. Further, we illustrate the concepts of asymmetric cryptography on the oldest asymmetric cipher, the RSA. For a great introduction to cryptography one can look into [1]. We note that asymmetric cryptography is commonly referred to as public-key cryptography, and both titles appear in the text.

2.1.1 Overview

In the following text, consider this setting: Alice and Bob are two friends somewhere on earth who want to communicate securely over an insecure channel. Evil Eve wants to eavesdrop on their communication. For secure communication, Alice uses her secret key to encrypt a message into a ciphertext and sends it to Bob. Then Bob uses his secret key to decrypt the ciphertext in order to recover the original message. We begin with a formal definition of a cryptosystem.

Definition. A cryptosystem is a five-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ where the following conditions are satisfied:

1. $\mathcal{P}$ is a finite set of possible plaintexts;

2. $\mathcal{C}$ is a finite set of possible ciphertexts;

3. $\mathcal{K}$, the keyspace, is a finite set of possible keys;

3 2. PRELIMINARIES

4. For each $k \in \mathcal{K}$, there is an encryption rule $e_k \in \mathcal{E}$ and a corresponding decryption rule $d_k \in \mathcal{D}$. Each $e_k : \mathcal{P} \to \mathcal{C}$ and $d_k : \mathcal{C} \to \mathcal{P}$ are functions such that $d_k(e_k(x)) = x$ for every plaintext $x \in \mathcal{P}$.

Modern cryptosystems can be divided into two main areas of study, symmetric cryptosystems and public-key cryptosystems. In symmetric cryptosystems Alice and Bob usually share the same key. Less commonly their keys differ, but are related in an easily computable way. Consequently, exposure of either of their keys to Eve renders the system insecure. The drawback of a symmetric key cryptosystem is the need for prior communication between Alice and Bob over a secure channel in order to agree on a secret key. In practice, this may be very difficult to achieve as Alice and Bob can be anywhere around the globe. The idea behind a public-key cryptosystem is that there might exist functions for which it is infeasible to obtain the decryption rule given the encryption rule. The encryption rule $e_k$ can then be made public (hence public-key cryptography) and everyone can encrypt messages with the encryption rule $e_k$. In order to decrypt a ciphertext, Bob holds an additional piece of information about the function $e_k$, the trapdoor. To decrypt the ciphertext, one has to invert $e_k$, which is feasible only with knowledge of the trapdoor. Thus only Bob can decrypt the ciphertext. Such a function is called a one-way trapdoor function.

Definition. A function $f : A \to B$ is called a one-way trapdoor function if the following three conditions hold:

1. Easy to compute: it is computationally easy to find $f(x)$ given an arbitrary $x \in A$;

2. Hard to invert: for almost all $y \in B$ it is computationally infeasible to find $x \in A$ such that $f(x) = y$;

3. Easy to invert with a trapdoor: with some additional piece of information, it is easy to obtain $x \in A$ such that $f(x) = y$ given $y \in B$.

Our definition of a one-way trapdoor function is vague. Yet, for our purposes it is sufficient to understand the idea behind it without concerning ourselves with details, e.g. what computationally easy, computationally infeasible or almost all mean precisely. Intuitively, one can compute $f(x)$ quickly on a computer, and inverting $f$ without knowledge of a trapdoor is not within reach of available computational power. Using a one-way trapdoor function, Bob can now communicate securely with Alice in the following way:

1. Bob chooses a one-way trapdoor bijection $f$ and has knowledge of the corresponding trapdoor;

2. Bob makes $f$ public and sends it to Alice through an (insecure) channel;

3. Alice encrypts an arbitrary message $m$ with $f$ and sends $f(m)$ to Bob;

4. Since Bob knows the trapdoor for $f$, he can invert $f$ and apply the inverse to the ciphertext $f(m)$. By that he obtains the original message $m$.

If Eve eavesdrops on the public key $f$ or a ciphertext $f(m)$, she cannot recover the message $m$ efficiently since inverting $f$ is computationally infeasible. However, she could try to encrypt all possible plaintexts $p$ by herself and eventually find the one such that $f(p) = f(m)$. Then $p = m$ since the function $f$ is a bijection. The probability of this event should be negligible. Unfortunately, it is not clear whether a one-way trapdoor function exists. A necessary condition for that to be true is that $\mathcal{P} \neq \mathcal{NP}$. Nevertheless, there are functions believed to be one-way which are widely used in practice.

2.1.2 RSA

In the following text $\phi$ denotes Euler's phi function. We proceed with a function believed to be a one-way trapdoor function. It is a function

$f : \mathbb{Z}_n \to \mathbb{Z}_n$

defined as $f(x) = x^b \pmod n$, where $\gcd(b, \phi(n)) = 1$. We call $f$ the RSA encryption function. First, we present the key generation algorithm:


1. Randomly choose two large primes $p, q$ such that $p \neq q$;

2. Compute $n = pq$ and $\phi(n) = (p - 1)(q - 1)$;

3. Choose a random $b$, where $1 < b < \phi(n)$ and $\gcd(b, \phi(n)) = 1$;

4. Compute $a = b^{-1} \bmod \phi(n)$;

5. The public key is $(n, b)$, the private key is $(p, q, a)$.

Encryption and decryption are performed as

$e_k(x) = x^b \pmod n, \qquad d_k(y) = y^a \pmod n.$

Using Fermat's little theorem and Euler's theorem, it is easy to verify that encryption and decryption are inverse, i.e.

$d_k(e_k(x)) = (x^b)^a \equiv x \pmod n$

for an arbitrary $x \in \mathbb{Z}_n$. RSA exploits the fact that multiplying two integers is easy whereas factoring their product is difficult. The trapdoor knowledge is in this case $p$ and $q$. Knowledge of the primes $p$ and $q$ allows one to compute $\phi(n)$ efficiently.

For better understanding we give a toy example of the RSA cryptosystem. Suppose that Bob chooses $p = 11$, $q = 13$. Then he computes $n = 143$ and $\phi(n) = 120$ and randomly chooses $b = 97$. It is easy to check that $\gcd(97, 120) = 1$. Next, Bob computes $a = 97^{-1} \pmod{143}$ for himself. In this case $a = 73$. At this point the system is set and Bob sends the public key $(143, 97)$ to Alice. Now, suppose Alice wants to encrypt the plaintext $m = 82$. She encrypts it by computing $e(82) = 82^{97} \equiv 69 \pmod{143}$ and sends the ciphertext $69$ to Bob. When Bob receives the ciphertext, he decrypts it by computing

$d(e(82)) = 69^{73} \equiv 82 \pmod{143}.$

Note that encryption and decryption actually commute, i.e. $d(e(m)) = m$. If Eve wants to break the cipher, i.e. be able to recover the message from an arbitrary ciphertext, she probably has to factor $n$ into primes. It has not been proven that factoring is necessary, though it is the only known way nowadays. Of course, factoring $n = 143$ is rather easy for Eve. In practice, a public key of at least 795 bits is used.
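As an added example (not code from the thesis), the key generation, encryption and decryption described above, run in Python on the thesis's toy parameters; the inverse $a$ is computed modulo $\phi(n) = 120$ exactly as step 4 prescribes, and the primes and $b$ are passed in rather than chosen at random so that the example is reproducible.

```python
# Added example (not code from the thesis): RSA key generation, encryption
# and decryption as defined in this section, on the toy parameters
# p = 11, q = 13, b = 97 and plaintext 82.
from math import gcd


def rsa_keygen(p, q, b):
    """Steps 2-5 of the key generation: n, phi(n) and a = b^-1 mod phi(n).
    The primes and the exponent b are inputs (not random) so the thesis's
    example is reproducible; the conditions of steps 1 and 3 are checked."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < b < phi) or gcd(b, phi) != 1:
        raise ValueError("b must satisfy 1 < b < phi(n) and gcd(b, phi(n)) = 1")
    a = pow(b, -1, phi)  # modular inverse (Python 3.8+)
    return (n, b), (p, q, a)


def rsa_encrypt(public_key, x):
    """e_k(x) = x^b mod n."""
    n, b = public_key
    return pow(x, b, n)


def rsa_decrypt(private_key, y):
    """d_k(y) = y^a mod n, with n recomputed from the trapdoor p, q."""
    p, q, a = private_key
    return pow(y, a, p * q)


def toy_example():
    """Bob's key setup and Alice's encryption of m = 82 from the text."""
    public, private = rsa_keygen(11, 13, 97)
    ciphertext = rsa_encrypt(public, 82)
    recovered = rsa_decrypt(private, ciphertext)
    return public, private, ciphertext, recovered


if __name__ == "__main__":
    public, private, c, m = toy_example()
    print("public key", public, "private key", private)
    print("e(82) =", c, " d(e(82)) =", m)
```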

2.2 Gröbner basis

In this section we provide the theory necessary to understand the Gröbner basis concept. The thesis focuses particularly on the equation solving property of Gröbner bases. First, we present some basic definitions. Next, we introduce the original algorithm for computing a Gröbner basis and show how it can be used for solving multivariate polynomial systems. By this we set the ground for the next chapter, in which we present a faster algorithm for computing a Gröbner basis. For a comprehensive introductory text in the field of Gröbner bases we refer the reader to [2] and [3]. Most of the statements were taken from [2]; some of them might be slightly modified. Proofs of all statements can be found in [2]. We begin with a quick review of notation.

Definition. A monomial in variables $x_1, \ldots, x_n$ over a commutative field $k$ is an expression $x_1^{\alpha_1} \cdots x_n^{\alpha_n}$ where $\alpha_i \in \mathbb{N}_0$. By the degree $\deg x_1^{\alpha_1} \cdots x_n^{\alpha_n}$ of this monomial we mean the sum $\alpha_1 + \cdots + \alpha_n$. By $[x_1, \ldots, x_n]$ we understand the set of all monomials over $x_1, \ldots, x_n$. We denote by $k[x_1, \ldots, x_n]$ the ring of polynomials over $k$ in variables $x_1, \ldots, x_n$, where the elements of $k[x_1, \ldots, x_n]$ are finite $k$-linear combinations of monomials. By a $k$-linear combination we mean a linear combination with coefficients in $k$. We set the multiindex to be $\alpha = (\alpha_1, \ldots, \alpha_n)$ and we shortly write $x^\alpha = x_1^{\alpha_1} \cdots x_n^{\alpha_n}$ and $|\alpha| = \deg x^\alpha$.

Definition. Let $R$ be a commutative ring. We call $I \subseteq R$ an ideal of $R$ if it holds:

1. $0 \in I$;

2. If $f, g \in I$ then $f + g \in I$;

3. If $f \in I$, $r \in R$ then $f \cdot r \in I$.

If there exists a finite set of polynomials that generates a given ideal, we call this set a basis. A Gröbner basis of an ideal is a canonical representation among all bases. To be able to define it, we first fix an order on the terms of a multivariate polynomial.

Definition. A monomial ordering is any relation $>$ on $\mathbb{N}_0^n$ or, equivalently, any relation on the set of monomials $x^\alpha$, $\alpha \in \mathbb{N}_0^n$, satisfying:

1. $>$ is a total ordering on $\mathbb{N}_0^n$;

2. If $\alpha > \beta$ and $\gamma \in \mathbb{N}_0^n$, then $\alpha + \gamma > \beta + \gamma$;

3. $>$ is a well-ordering on $\mathbb{N}_0^n$. This means that every nonempty subset of $\mathbb{N}_0^n$ has a smallest element under $>$.

Since a monomial ordering is a total ordering, we can order all terms in $k[x_1, \ldots, x_n]$. Also, the second condition implies that if $x^\alpha > x^\beta$ then $x^\alpha x^\gamma > x^\beta x^\gamma$ for arbitrary monomials $x^\alpha, x^\beta, x^\gamma$ in $k[x_1, \ldots, x_n]$. Each monomial ordering depends on the ordering of the variables. In the thesis we order

$x_1 > x_2 > \cdots > x_n.$

The following orderings are monomial orderings and are particularly important in Gröbner basis theory.

Definition (Lexicographic Order). Let $\alpha = (\alpha_1, \ldots, \alpha_n)$ and $\beta = (\beta_1, \ldots, \beta_n) \in \mathbb{N}_0^n$. We say $\alpha >_{lex} \beta$ if, in the vector difference $\alpha - \beta \in \mathbb{Z}^n$, the leftmost nonzero entry is positive. We will write $x^\alpha >_{lex} x^\beta$ if $\alpha >_{lex} \beta$.

Definition (Graded Lex Order). Let $\alpha, \beta \in \mathbb{N}_0^n$. We say $\alpha >_{grlex} \beta$ if $|\alpha| > |\beta|$, or $|\alpha| = |\beta|$ and $\alpha >_{lex} \beta$.

Definition (Graded Reverse Lex Order). Let $\alpha, \beta \in \mathbb{N}_0^n$. We say $\alpha >_{grevlex} \beta$ if $|\alpha| > |\beta|$, or $|\alpha| = |\beta|$ and the rightmost nonzero entry of $\alpha - \beta \in \mathbb{Z}^n$ is negative.

Examples of the monomial orderings follow, with terms over $k[x, y, z]$:

$x^2 y z^3 >_{lex} x^2 y z^2$ since $(2, 1, 3) - (2, 1, 2) = (0, 0, 1)$,

$x^2 y^2 >_{lex} x^2 y z^3$ since $(2, 2, 0) - (2, 1, 3) = (0, 1, -3)$,

$x^2 y z^3 >_{grlex} x^2 y z^2$ since $|(2, 1, 3)| = 6 > |(2, 1, 2)| = 5$,

$x y^3 >_{grlex} x y^2 z$ since $(1, 3, 0) - (1, 2, 1) = (0, 1, -1)$,

$x y^3 z >_{grevlex} x^2 y z^2$ since $(1, 3, 1) - (2, 1, 2) = (-1, 2, -1)$,

$x^2 y z^2 >_{grevlex} x^2 y^2$ since $|(2, 1, 2)| = 5 > |(2, 2, 0)| = 4$.
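As an added example (not code from the thesis), the three orderings above implemented in Python as comparison functions on multiindices and checked on the examples just given; the sorting helper and the monomial printer are additions for illustration.

```python
# Added example (not code from the thesis): lex, grlex and grevlex as
# comparison functions on exponent vectors (multiindices) with x > y > z,
# checked against the examples of this section over k[x, y, z].
from functools import cmp_to_key


def lex_cmp(a, b):
    """+1 if a >lex b, -1 if b >lex a, 0 if equal:
    the leftmost nonzero entry of a - b decides the sign."""
    for ai, bi in zip(a, b):
        if ai != bi:
            return 1 if ai > bi else -1
    return 0


def grlex_cmp(a, b):
    """Graded lex: total degree |a| versus |b| first, then lex as tie-break."""
    da, db = sum(a), sum(b)
    if da != db:
        return 1 if da > db else -1
    return lex_cmp(a, b)


def grevlex_cmp(a, b):
    """Graded reverse lex: total degree first; on a tie a > b iff the
    RIGHTMOST nonzero entry of a - b is negative."""
    da, db = sum(a), sum(b)
    if da != db:
        return 1 if da > db else -1
    for ai, bi in zip(reversed(a), reversed(b)):
        if ai != bi:
            return 1 if ai < bi else -1
    return 0


def sort_monomials(exponents, cmp=grevlex_cmp):
    """Exponent vectors in decreasing order under the chosen ordering."""
    return sorted(exponents, key=cmp_to_key(cmp), reverse=True)


def monomial_str(alpha, variables=("x", "y", "z")):
    """(2, 1, 3) -> 'x^2*y*z^3'; the zero vector prints as '1'."""
    parts = []
    for v, e in zip(variables, alpha):
        if e == 1:
            parts.append(v)
        elif e > 1:
            parts.append(f"{v}^{e}")
    return "*".join(parts) if parts else "1"


if __name__ == "__main__":
    # The same two monomials can compare differently under grlex and grevlex:
    print(grlex_cmp((1, 3, 1), (2, 1, 2)), grevlex_cmp((1, 3, 1), (2, 1, 2)))
    mons = [(2, 1, 3), (2, 2, 0), (1, 3, 0), (1, 2, 1), (1, 3, 1), (2, 1, 2)]
    for name, cmp in (("lex", lex_cmp), ("grlex", grlex_cmp), ("grevlex", grevlex_cmp)):
        print(name, [monomial_str(m) for m in sort_monomials(mons, cmp)])
```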


Later we shall see that the choice of a monomial ordering is crucial for computing a Gröbner basis, and in our case perhaps the least intuitive graded reverse lexicographic ordering often yields the fastest computation. Once a monomial ordering is fixed, the terms of a polynomial can be ordered in an unambiguous way. That allows us to define further properties of multivariate polynomials.

Definition. Let $>$ be a monomial order. Further, let $f = \sum_{\alpha \in \mathbb{N}_0^n} a_\alpha x^\alpha$ be a nonzero polynomial in $k[x_1, \ldots, x_n]$. We define:

• The multidegree of $f$: $\operatorname{multideg} f = \max\{\alpha \in \mathbb{N}_0^n \mid a_\alpha \neq 0\}$;

• The leading coefficient of $f$: $\mathrm{LC}(f) = a_{\operatorname{multideg} f}$;

• The leading monomial of $f$: $\mathrm{LM}(f) = x^{\operatorname{multideg} f}$;

• The leading term of $f$: $\mathrm{LT}(f) = \mathrm{LC}(f) \cdot \mathrm{LM}(f)$.

Definition. Let $I \subseteq k[x_1, \ldots, x_n]$ be an ideal. We say that $I$ is a monomial ideal if it can be spanned by monomials.

The next lemma describes the elements of a monomial ideal.

Lemma 2.1. Let $I \subseteq k[x_1, \ldots, x_n]$ be a monomial ideal and let $f \in k[x_1, \ldots, x_n]$. Then the following conditions are equivalent:

1. $f \in I$;

2. Each term of $f$ lies in $I$;

3. The polynomial $f$ is a $k$-linear combination of the monomials in $I$.

Proof. See [2, p. 71]. ∎

The lemma above implies that two monomial ideals are the same if and only if they contain the same monomials. Moreover, a monomial $x^\beta$ lies in $I$ if and only if $x^\beta$ is divisible by $x^\alpha$ for some monomial $x^\alpha \in I$. Dickson's lemma states that every monomial ideal is finitely generated.

Lemma 2.2 (Dickson's Lemma). A monomial ideal $I = \langle x^\alpha \mid \alpha \in A \rangle \subseteq k[x_1, \ldots, x_n]$ can be written in the form $I = \langle x^{\alpha_1}, \ldots, x^{\alpha_m} \rangle$ where $\alpha_1, \ldots, \alpha_m \in A$. In particular, $I$ has a finite basis.


Proof. See [2, p. 71]. ∎

Next, the set of leading terms of an ideal $I$ is introduced.

Definition. If $I \subseteq k[x_1, \ldots, x_n]$ is nonzero, we define the set of leading terms of elements of $I$ as

$\mathrm{LT}(I) = \{ a x^\alpha \mid \exists f \in I : \mathrm{LT}(f) = a x^\alpha \}.$

The ideal $\langle \mathrm{LT}(I) \rangle$ is a monomial ideal and hence we can write

$\langle \mathrm{LT}(I) \rangle = \langle \mathrm{LT}(g_1), \ldots, \mathrm{LT}(g_s) \rangle$ for some $g_1, \ldots, g_s \in I$.

Theorem 2.3 (Hilbert Basis Theorem). Every ideal $I \subseteq k[x_1, \ldots, x_n]$ is finitely generated.

Proof. See [2, p. 76]. ∎

If $I = \{0\}$, the generating set is $\{0\}$. If $I$ contains some nonzero polynomial, then according to Dickson's lemma there exist polynomials $g_1, \ldots, g_s$ such that $\langle \mathrm{LT}(g_1), \ldots, \mathrm{LT}(g_s) \rangle = \langle \mathrm{LT}(I) \rangle$. It can be shown that $\{g_1, \ldots, g_s\}$ is a finite generating set of $I$. The following theorem is a corollary of the Hilbert Basis Theorem and it is useful to show that the algorithm for the Gröbner basis computation terminates.

Theorem 2.4 (Ascending chain condition). If $I_1 \subseteq I_2 \subseteq \cdots$ is a non-decreasing chain of ideals in $k[x_1, \ldots, x_n]$, then there exists $N \geq 1$ such that $I_N = I_{N+1} = \cdots$.

Proof. See [2, p. 79]. ∎

We are now ready to define a Grobner basis.

Definition. Fix a monomial order. A finite subset $G = \{g_1, \ldots, g_n\}$ of an ideal $I \subseteq k[x_1, \ldots, x_n]$ is said to be a Gröbner basis if

$\langle \mathrm{LT}(G) \rangle = \langle \mathrm{LT}(I) \rangle.$

Consequently, every ideal $I \subseteq k[x_1, \ldots, x_n]$ has a Gröbner basis. The previous definition seems to require an infinite number of checks to decide whether a set of polynomials is a Gröbner basis or not. That is rather impractical for algorithmic use. We aim for a criterion that decides whether a set of polynomials is a Gröbner basis in a finite number of steps. That will allow us to construct a Gröbner basis algorithmically. The tool for such a criterion is the notion of reducing multivariate polynomials. Reducing multivariate polynomials is a concept similar to the Euclidean algorithm for the division of univariate polynomials.

Definition. Let $>$ be a monomial ordering, further let

$G = \{g_1, \ldots, g_t\} \subseteq k[x_1, \ldots, x_n].$

We say that $f \in k[x_1, \ldots, x_n]$ reduces to $g$ modulo $G$ with respect to $>$ if there exist $a_1, \ldots, a_t \in k[x_1, \ldots, x_n]$ such that

$f = a_1 g_1 + \cdots + a_t g_t + g$

and $\operatorname{multideg} f \geq \operatorname{multideg}(a_i g_i)$ for every $1 \leq i \leq t$ whenever $a_i g_i \neq 0$. We write $f \to_G g$. By $\to_G^*$ we denote the reflexive transitive closure of $\to_G$. If $f \to_G^* f'$ and $f'$ is irreducible modulo $G$, we say that $f'$ is a normal form of $f$ with respect to $\to_G$. We say that $G$ is the reductor.

It can be shown that, at some point, every polynomial $f$ in the ideal $I$ reduces to zero modulo a finite basis $G$. When constructing a Gröbner basis, we search for elements whose leading terms generate the ideal $\langle \mathrm{LT}(I) \rangle$. We proceed with S-polynomials, which could add new leading terms to the intermediate basis $G'$.

Definition. Let $f, g \in k[x_1, \ldots, x_n]$ be nonzero polynomials.

1. If $\operatorname{multideg} f = \alpha$ and $\operatorname{multideg} g = \beta$, then let $\gamma = (\gamma_1, \ldots, \gamma_n)$, where $\gamma_i = \max(\alpha_i, \beta_i)$ for each $i$. We call $x^\gamma$ the least common multiple of $\mathrm{LM}(f)$ and $\mathrm{LM}(g)$, written $x^\gamma = \mathrm{LCM}(\mathrm{LM}(f), \mathrm{LM}(g))$;

2. The S-polynomial of $f$ and $g$ is the combination

$S(f, g) = \dfrac{x^\gamma}{\mathrm{LT}(f)} \cdot f - \dfrac{x^\gamma}{\mathrm{LT}(g)} \cdot g.$

For the sake of better understanding of S-polynomials, here is an example. Two polynomials $f = x^4 y - z^2$ and $g = 3 x z^2 - y$ over $\mathbb{R}[x, y, z]$ with respect to $>_{lex}$ are given. Then $\mathrm{LT}(f) = x^4 y$ and $\mathrm{LT}(g) = 3 x z^2$. Thus $\mathrm{LCM}(\mathrm{LM}(f), \mathrm{LM}(g)) = x^4 y z^2$ and the resulting S-polynomial is

$S(f, g) = \dfrac{x^4 y z^2}{x^4 y} \cdot f - \dfrac{x^4 y z^2}{3 x z^2} \cdot g = z^2 (x^4 y - z^2) - \dfrac{x^3 y}{3} (3 x z^2 - y) = x^4 y z^2 - z^4 - x^4 y z^2 + \dfrac{x^3 y^2}{3} = \dfrac{x^3 y^2}{3} - z^4.$

The pairs $(f, g)$ from the S-polynomial definition are commonly referred to as critical pairs. The following theorem claims that it is sufficient to perform finitely many operations in order to decide whether a set of polynomials is a Gröbner basis. It is the major result of Buchberger's dissertation thesis [4].

Theorem 2.5 (Buchberger's Criterion). A basis $G = \{g_1, \ldots, g_s\}$ of an ideal $I \subseteq k[x_1, \ldots, x_n]$ is a Gröbner basis if and only if $S(g_i, g_j) \to_G^* 0$ for all $i \neq j$.

Proof. See [2, p. 104]. ∎

One can now proceed with the basic variant of Buchberger's algorithm for the Gröbner basis construction. The input is a set of polynomials $\{f_1, \ldots, f_s\} \subseteq k[x_1, \ldots, x_n]$ and the output is a Gröbner basis of $I = \langle f_1, \ldots, f_s \rangle$. The algorithm is given on the following page.

Proof. Correctness and termination are proven by the following observations:

1. At every stage of the algorithm, $G \subseteq I$ and $\langle G \rangle = I$ hold;

2. If $G = G'$ then $S(p, q) \to_G^* 0$ for all $p, q \in G$. Thus, according to Buchberger's criterion, $G$ is a Gröbner basis;

3. The algorithm terminates since the ideals $\langle \mathrm{LT}(G') \rangle$ form an ascending chain. This chain of ideals stabilizes after a finite number of steps (see Theorem 2.4). ∎


Algorithm 1: Buchberger's Algorithm

Input: $F = \{f_1, \ldots, f_s\} \subseteq k[x_1, \ldots, x_n]$ where $f_i \neq 0$ for $1 \leq i \leq s$, and some monomial ordering $>$.

Output: $G = \{g_1, \ldots, g_n\}$, a Gröbner basis of $I = \langle f_1, \ldots, f_s \rangle$ w.r.t. $>$.

    G = F, G' = ∅
    while G ≠ G' do
        G' = G
        foreach critical pair (p, q), p ≠ q in G' do
            Find h such that S(p, q) →*_G h
            if h ≠ 0 then
                G = G ∪ {h}
            end
        end
    end
    return G

There are two strategies which need further investigation in order to speed up the algorithm, namely how to choose the critical pairs and how to choose the reductors when computing a normal form. These parameters have a dramatic influence on the overall performance of the algorithm. For instance, various strategies for critical pair selection have been proposed. These strategies reduce the number of reductions to zero. The reduction of polynomials is in fact computationally the most demanding step of the algorithm. Also, several reductions to zero can be done simultaneously using linear algebra techniques similar to Gaussian elimination. The F4 algorithm, which we study in the next chapter, utilizes this fact well. The complexity of Buchberger's algorithm is closely related to the degree of the intermediate polynomials which appear during the computation. As a matter of fact, the complexity of the algorithm can be doubly exponential. Nevertheless, in many practical cases the computation is rather fast and the intermediate polynomials are of low degree.
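As an added example (not code from the thesis or its SAGE appendix), the S-polynomial of the worked example above and Algorithm 1 implemented in Python over $\mathbb{Q}$, with polynomials stored as dicts from exponent tuples to Fraction coefficients and the lex ordering $x > y > z$; the final function, which turns the output into the reduced Gröbner basis defined in the next section, goes beyond Algorithm 1 and is my addition.

```python
# Added example (not code from the thesis): multivariate polynomials over Q
# as {exponent-tuple: Fraction} dicts, the S-polynomial, reduction modulo a
# set G and Algorithm 1 (Buchberger), all w.r.t. lex with x > y > z.
# Python compares tuples lexicographically, so max() over the exponent
# tuples of a polynomial is exactly its >lex leading monomial.
from fractions import Fraction
from itertools import combinations

def clean(p):
    """Normalise coefficients to Fraction and drop zero terms."""
    return {m: Fraction(c) for m, c in p.items() if c != 0}

def add(p, q, scale=1):
    """Return p + scale * q."""
    r = clean(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + scale * c
    return clean(r)

def mul_term(p, mono, coef):
    """Multiply p by the term coef * x^mono."""
    return clean({tuple(a + b for a, b in zip(m, mono)): c * coef for m, c in p.items()})

def leading_monomial(p):
    """multideg(p) under lex: the largest exponent tuple."""
    return max(p)

def divides(a, b):
    """x^a divides x^b iff a_i <= b_i for every i."""
    return all(ai <= bi for ai, bi in zip(a, b))

def s_polynomial(f, g):
    """S(f, g) = (x^gamma / LT(f)) f - (x^gamma / LT(g)) g, where
    x^gamma = LCM(LM(f), LM(g)) has exponents max(alpha_i, beta_i)."""
    f, g = clean(f), clean(g)
    mf, mg = leading_monomial(f), leading_monomial(g)
    gamma = tuple(max(a, b) for a, b in zip(mf, mg))
    left = mul_term(f, tuple(c - a for c, a in zip(gamma, mf)), Fraction(1) / f[mf])
    right = mul_term(g, tuple(c - b for c, b in zip(gamma, mg)), Fraction(1) / g[mg])
    return add(left, right, -1)

def normal_form(f, G):
    """Multivariate division: reduce f modulo G until no term of the remainder
    is divisible by any LT(g). The result is a normal form of f w.r.t. ->G
    (which one is obtained depends on the order in which G is tried)."""
    p, r = clean(f), {}
    while p:
        m = leading_monomial(p)
        for g in G:
            mg = leading_monomial(g)
            if divides(mg, m):
                p = add(p, mul_term(g, tuple(a - b for a, b in zip(m, mg)), p[m] / g[mg]), -1)
                break
        else:  # LT(p) is irreducible modulo G: move it to the remainder
            r[m] = p.pop(m)
    return r

def buchberger(F):
    """Algorithm 1: extend F by the nonzero normal forms of the S-polynomials
    of all critical pairs until every S(p, q) reduces to zero."""
    G = [clean(f) for f in F if clean(f)]
    while True:
        new = []
        for p, q in combinations(G, 2):
            h = normal_form(s_polynomial(p, q), G + new)
            if h:
                new.append(h)
        if not new:
            return G
        G += new

def reduce_basis(G):
    """Reduced Gröbner basis: monic generators, no leading term divisible by
    another one, every other term reduced modulo the remaining generators."""
    zero = (0,) * len(leading_monomial(G[0]))
    monic = [mul_term(g, zero, Fraction(1) / g[leading_monomial(g)]) for g in G]
    minimal = []
    for i, g in enumerate(monic):
        lm = leading_monomial(g)
        if not any(j != i and divides(leading_monomial(h), lm)
                   and (leading_monomial(h) != lm or j < i) for j, h in enumerate(monic)):
            minimal.append(g)
    reduced = [normal_form(g, [h for h in minimal if h is not g]) for g in minimal]
    return sorted(reduced, key=leading_monomial, reverse=True)

if __name__ == "__main__":
    f = {(4, 1, 0): 1, (0, 0, 2): -1}  # x^4 y - z^2
    g = {(1, 0, 2): 3, (0, 1, 0): -1}  # 3 x z^2 - y
    print(s_polynomial(f, g))  # -z^4 + x^3 y^2 / 3, as in the text
    # Constructed input: the reduced lex Gröbner basis of <x^2 - y, x^3 - z>.
    print(reduce_basis(buchberger([{(2, 0, 0): 1, (0, 1, 0): -1}, {(3, 0, 0): 1, (0, 0, 1): -1}])))
```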

2.3 Equation solving

This section shows that under certain circumstances a Gröbner basis brings a system of polynomial equations to triangular form. The Shape lemma states this explicitly. We also show how breaking a cryptosystem may reduce to solving a system of polynomial equations. The main source of this section is the book [5]. The section begins by defining the set of solutions of polynomial equations, an affine variety.

Definition. Let $k$ be a field and $f_1, \ldots, f_m$ polynomials in $k[x_1, \ldots, x_n]$. We define

$V(f_1, \ldots, f_m) = \{ (a_1, \ldots, a_n) \in k^n \mid f_i(a_1, \ldots, a_n) = 0 \text{ for all } 1 \leq i \leq m \}.$

We call $V(f_1, \ldots, f_m)$ the affine variety defined by $f_1, \ldots, f_m$.

Definition. Let $I \subseteq k[x_1, \ldots, x_n]$ be an ideal. We denote by $V(I)$ the set

$\{ (a_1, \ldots, a_n) \in k^n \mid f(a_1, \ldots, a_n) = 0 \text{ for all } f \in I \}.$

The following proposition states that the variety of the ideal generated by a set of polynomials is equal to the variety of the polynomials themselves. As a consequence, the variety is determined by the set of polynomials and, equivalently, by the ideal spanned by the polynomials. Hence, finding the affine variety of an ideal is equivalent to finding the affine variety of the corresponding set of polynomials.

Proposition 2.6. $V(I)$ is an affine variety. If $I = \langle f_1, \ldots, f_m \rangle$, then $V(I) = V(f_1, \ldots, f_m)$.

Proof. See [2, p. 80]. ∎

In cryptography, it is particularly important to understand polynomial systems with a finite set of solutions. If an ideal is spanned by polynomials that form such a system, we say that the ideal is zero-dimensional. The following proposition provides an algorithmic criterion for finiteness.

Proposition 2.7. Let $>$ be a monomial ordering, $R = k[x_1, \ldots, x_n]$ a polynomial ring and $T(R)$ the set of all terms of $R$. For a system of polynomial equations corresponding to an ideal $I = \langle f_1, \ldots, f_m \rangle$, the following conditions are equivalent:

1. The system of equations has finitely many solutions;

2. The set of monomials $T(R) \setminus \{ \mathrm{LT}(f) \mid f \in I \}$ is finite;

3. $I \cap k[x_i] \neq 0$ for every $i \in \{1, \ldots, n\}$.

Proof. See [2, p. 234]. ∎

To introduce the Shape lemma, the following theory concerning ideal properties is necessary.

Definition. Let $I \subseteq k[x_1, \ldots, x_n]$ be an ideal. The radical ideal of $I$ is the set $\{ f \mid f^e \in I \text{ for some integer } e \geq 1 \}$.

Lemma 2.8 (Seidenberg's lemma). Let $k$ be a field and $R = k[x_1, \ldots, x_n]$ a polynomial ring. Further let $I \subseteq k[x_1, \ldots, x_n]$ be a zero-dimensional ideal. Suppose that for every $1 \leq i \leq n$ there exists a nonzero polynomial $g_i \in I \cap k[x_i]$ such that

$\gcd(g_i, g_i') = 1,$

where $g_i'$ is the derivative of $g_i$. Then $I$ is a radical ideal.

Proof. See [5, p. 250]. ∎

Further we illustrate equation solving on an example. Consider this cryptosystem. Let $q$ be a power of a prime and write $k = \mathrm{GF}(q)$, where $\mathrm{GF}$ is the Galois field with $q$ elements. By $\bar{k}$ we mean the algebraic closure of $k$. In our cryptosystem, a plaintext consists of $n$ elements $x_1, \ldots, x_n \in k$ and a ciphertext consists of $m$ elements $y_1, \ldots, y_m \in k$. Furthermore, an $m$-tuple of polynomials $F = \{f_1, \ldots, f_m\} \subseteq \bar{k}[x_1, \ldots, x_n]$ is given. The ciphertext is obtained as

$y_1 = f_1(x_1, \ldots, x_n),$

$\;\;\vdots$

$y_m = f_m(x_1, \ldots, x_n).$

Note that the elements of the message lie in $k$, but the $f_i$ are polynomials over the algebraic closure of $k$. Therefore some solutions in $\bar{k} \setminus k$ may appear. If we can solve the system $F$ and retrieve only the solutions that lie in $k$, we recover the plaintext $x_1, \ldots, x_n$ among the solutions of $F$. Also note that the ideal $I = \langle F \rangle$ is not necessarily a radical ideal. Nevertheless, if we append the field equations, i.e. the set

$\{ x_i^q - x_i \mid 1 \leq i \leq n \},$

we eventually get a radical ideal. Indeed, for every $1 \leq i \leq n$, $x_i^q - x_i$ is a nonzero polynomial in $k[x_i]$ that evaluates to zero at all points of $k$. Next, notice that $(x_i^q)'$ equals $q x_i^{q-1}$ and in $\mathrm{GF}(q)$ it holds that $q = 0$. Hence, the derivative of $x_i^q - x_i$ is always $-1$. Thus, $x_i^q - x_i$ and $(x_i^q - x_i)'$ are relatively prime. In total, the ideal spanned by $F$ appended with the field equations is a radical ideal. Furthermore, from the finiteness criterion it follows that the ideal is zero-dimensional. Appending the field equations does not change the set of solutions, as in $\mathrm{GF}(q)$ it trivially holds that $x_i^q = x_i$. Further, all factors of $x_i^q - x_i$ lie in $k[x_i]$ and therefore in the variety

$V(f_1, \ldots, f_m, x_1^q - x_1, \ldots, x_n^q - x_n)$

nothing from $\bar{k} \setminus k$ can appear. Hence, adding the field equations also removes the solutions in $\bar{k} \setminus k$. Moreover, the field equations over-define the system $F$ and might speed up the desired computation of a Gröbner basis. Hence, if we could compute a Gröbner basis of the ideal

$\langle f_1, \ldots, f_m, x_1^q - x_1, \ldots, x_n^q - x_n \rangle$

and recover the solutions from that Gröbner basis, we would eventually break the cryptosystem.

Next, the notion of a reduced Gröbner basis is presented. An ideal can be spanned by many Gröbner bases. However, the following definition of a reduced Gröbner basis represents a unique form among the Gröbner bases that span the same ideal. The reduced Gröbner basis exists for every polynomial ideal. When one holds an arbitrary Gröbner basis of an ideal, he or she can obtain the corresponding reduced Gröbner basis efficiently, as Algorithm 2 illustrates. For further explanation of Algorithm 2 and for the proof of uniqueness see [2, p. 105].

Definition. A reduced Gröbner basis of a polynomial ideal $I$ is a Gröbner basis $G$ of $I$ such that for all $g \in G$ it holds:

1. $\mathrm{LC}(g) = 1$;

2. (the second condition is missing from the extracted text).

Algorithm 2: The algorithm for the reduced Gröbner basis derivation

Input: Gröbner basis $G = \{g_1, \ldots, g_m\}$ w.r.t. monomial ordering $>$.

Output: $G_m$, the reduced Gröbner basis of $\langle G \rangle$.

    G_0 = G
    for i = 1 to m do
        G_i = G_{i-1} \ {g_i}
        if LT(g_i) ∉ LT(G_i) then
            G_i = G_i ∪ {LC(g_i)^{-1} · r_i}    /* where r_i is the normal form of g_i w.r.t. G_i */
        end
    end
    return G_m

The reduced Gröbner basis w.r.t. $>_{lex}$ of a zero-dimensional radical ideal $I = \langle f_1, \ldots, f_m \rangle$ exposes the variety $V(f_1, \ldots, f_m)$. More precisely, it yields a triangular form basis from which we can extract the variety rather easily, and therefore obtain the solutions of the system $f_1, \ldots, f_m$.

Definition. Given an ideal $I = \langle f_1, \ldots, f_m \rangle \subseteq k[x_1, \ldots, x_n]$, the $l$-th elimination ideal $I_l$ is the ideal of $k[x_{l+1}, \ldots, x_n]$ defined as

$I_l = I \cap k[x_{l+1}, \ldots, x_n].$

Theorem 2.9 (Shape lemma). Let $k$ be $\mathrm{GF}(q)$, where $q$ is a power of a prime, and let $I \subseteq k[x_1, \ldots, x_n]$ be a zero-dimensional radical ideal such that the $x_n$ coordinates of the points in $V(I)$ are distinct. Let $g_n \in k[x_n]$ be the monic generator of the elimination ideal $I \cap k[x_n]$ and let $d = \deg(g_n)$.

1. Then the reduced Gröbner basis of the ideal $I$ w.r.t. $>_{lex}$ is of the form

$\{ x_1 - g_1, \ldots, x_{n-1} - g_{n-1}, g_n \}$

where $g_1, \ldots, g_n \in k[x_n]$;

2. The polynomial $g_n$ has $d$ distinct zeros $a_1, \ldots, a_d \in \bar{k}$ and the set of zeros of $I$ is

$\{ (g_1(a_i), \ldots, g_{n-1}(a_i), a_i) \mid 1 \leq i \leq d \}.$


Proof. See [5, p. 257]. ∎

Recall the toy cryptosystem used above. It consisted of the set of equations

$y_1 = f_1(x_1, \ldots, x_n),$

$\;\;\vdots$

$y_m = f_m(x_1, \ldots, x_n).$

Then the reduced Gröbner basis of

$\langle f_1(x_1, \ldots, x_n) - y_1, \ldots, f_m(x_1, \ldots, x_n) - y_m, x_1^q - x_1, \ldots, x_n^q - x_n \rangle$

with respect to the lexicographic ordering is a set of the form

$\{ x_1 - g_1, \ldots, x_{n-1} - g_{n-1}, g_n \}$

where $g_1, \ldots, g_n \in k[x_n]$. Then solving $g_n(x_n) = 0$ exposes the distinct values of $x_n$. By substituting the roots of $g_n$ into $g_{n-1}, \ldots, g_1$ we obtain the solution $x_1, \ldots, x_n$.

A Gröbner basis strongly depends on the choice of monomial ordering. If we use the lexicographic ordering, we get the triangular form. From the complexity point of view, the graded reverse lexicographic ordering gives a faster computation. For the sake of complexity, it is reasonable to compute a Gröbner basis w.r.t. $>_{grevlex}$ and then transform it to $>_{lex}$. There are algorithms that efficiently convert a Gröbner basis from one ordering to another. For instance, one can use the FGLM algorithm [6]. For a zero-dimensional ideal, the time complexity of the FGLM algorithm is polynomial in the number of monomials not in the ideal. In practice, FGLM is usually used for algebraic attacks. One should also consider the Gröbner walk [7]. Finally, we give the overall algorithm for solving a system of polynomial equations $F = \{f_1, \ldots, f_m\}$ under the assumption that the ideal $\langle F \rangle$ is zero-dimensional:

1. Append the field equations to $F$;

2. Find the reduced Gröbner basis $G$ of $\langle F \rangle$ w.r.t. $>_{grevlex}$;

3. Transform $G$ to the $>_{lex}$ ordering;

4. Recover $x_i$ for all $1 \leq i \leq n$.
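As an added example (not the thesis's SAGE code), step 4 of the procedure above in Python: recovering the variety from a lex reduced Gröbner basis in the shape-lemma form over $\mathrm{GF}(11)$. The basis is constructed by hand for the two points $(3, 5)$ and $(7, 2)$, not computed from a cipher, and univariate polynomials in $x_n$ are coefficient lists.

```python
# Added example (not code from the thesis): recovering the solutions from a
# lex reduced Gröbner basis of the shape {x_1 - g_1(x_n), ..., x_{n-1} - g_{n-1}(x_n), g_n(x_n)}
# over GF(p) for a prime p. Here p = 11 (as in Appendix B of the thesis) and
# univariate polynomials in x_n are coefficient lists, constant term first.
P = 11


def eval_poly(coeffs, a, p=P):
    """Evaluate coeffs[0] + coeffs[1] * a + ... in GF(p) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * a + c) % p
    return acc


def roots_in_field(coeffs, p=P):
    """All roots of a univariate polynomial in GF(p), by trying every field
    element. Because the field equation x^p - x was appended, g_n splits into
    distinct linear factors over GF(p): no solution lies outside the field,
    so this exhaustive search misses nothing."""
    return [a for a in range(p) if eval_poly(coeffs, a, p) == 0]


def solve_shape_basis(gs, gn, p=P):
    """gs = [g_1, ..., g_{n-1}] and gn = g_n, all polynomials in x_n.
    Returns V(I) = {(g_1(a), ..., g_{n-1}(a), a) | g_n(a) = 0} as tuples."""
    return [tuple(eval_poly(g, a, p) for g in gs) + (a,) for a in roots_in_field(gn, p)]


def is_squarefree_in_field(coeffs, p=P):
    """Shape lemma hypothesis: the roots of g_n are distinct, i.e. g_n and its
    derivative g_n' share no root (gcd(g_n, g_n') = 1 as in Seidenberg's lemma)."""
    derivative = [(i * c) % p for i, c in enumerate(coeffs)][1:]
    return not any(eval_poly(derivative, a, p) == 0 for a in roots_in_field(coeffs, p))


def field_equation_holds(p=P):
    """x^p - x vanishes on all of GF(p): appending it removes no solution."""
    return all((pow(a, p, p) - a) % p == 0 for a in range(p))


if __name__ == "__main__":
    # Constructed basis for the points (3, 5) and (7, 2) in GF(11)^2:
    # g_1 = 6 + 6 x_2         (so that g_1(5) = 3 and g_1(2) = 7),
    # g_2 = (x_2 - 2)(x_2 - 5) = 10 + 4 x_2 + x_2^2   (since -7 = 4 in GF(11)).
    g1, g2 = [6, 6], [10, 4, 1]
    print(is_squarefree_in_field(g2), solve_shape_basis([g1], g2))  # True [(7, 2), (3, 5)]
```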

3 F4 algorithm for computing a Gröbner basis

The aim of this chapter is to introduce a new algorithm for fast Gröbner basis computation. In 1999, Faugère published the paper [9], which presented an algorithm for computing a Gröbner basis, the F4. In Buchberger's algorithm, only one polynomial can be reduced at each step. The idea of the F4 algorithm is to represent several polynomials as vectors in a matrix and reduce them simultaneously using linear algebra techniques. This speeds up the computation considerably. In fact, some previously intractable challenges were first tackled with F4, for instance the HFE 1 challenge in [8]. The main sources of this chapter are the original F4 paper [9] and the master's thesis [10], which studies algebraic cryptanalysis overall. In particular, Segers's thesis presents F4 in a very easy to understand way.

Definition. Let $F = \{f_1, \ldots, f_m\}$ be a set of polynomials in

$k[x_1, \ldots, x_n] = R.$

We define:

• $T(F)$: the set of pairwise distinct terms of the polynomials in $F$;

• $T_>(F)$: the set $T(F)$ ordered by some monomial ordering $>$. We denote the cardinality of $T_>(F)$ by $s$.

Let $R_{T_>(F)}$ denote the subspace of $R$ generated by $T_>(F)$. Then every $f \in R_{T_>(F)}$ can be written uniquely as $f = \sum_{i=1}^{s} c_i x^{\alpha_i}$, where $c_i \in k$, $\alpha_i \in \mathbb{N}_0^n$ and for all $j > i$ it holds that $\alpha_i > \alpha_j$. Now we show how to represent a tuple of polynomials as a matrix.

Definition. Let the mapping

\psi_{T_>(F)} : R_{T_>(F)} \to k^s

be defined as \psi_{T_>(F)}(f) = (c_1, \ldots, c_s). Then the matrix representation of a tuple of polynomials F is the map

\Psi_{T_>(F)} : R_{T_>(F)}^m \to \mathrm{Mat}_{m,s}(k)

where

\Psi_{T_>(F)}(f_1, \ldots, f_m) = \begin{pmatrix} \psi_{T_>(F)}(f_1) \\ \vdots \\ \psi_{T_>(F)}(f_m) \end{pmatrix}.

Due to the fact that R_{T_>(F)} is ordered w.r.t. > and the polynomials f_1, \ldots, f_m are sums of terms from R_{T_>(F)}, the order in which coefficients appear in the matrix or vector is unambiguous. The subscripts are omitted if it is clear which support F and ordering > we mean.

Definition. Let F \subseteq k[x_1, \ldots, x_n]. We denote by \tilde{F} the set of polynomials corresponding to the fixed row echelon form of \Psi(F). Further we denote

\tilde{F}^+ = \{ f \in \tilde{F} \mid LT(f) \notin LT(F) \}.

Note that there exist many row echelon forms of \Psi(F); we choose an arbitrary one. We would like to extend \tilde{F}^+ to a basis of the ideal (F). To achieve that, we take the union of \tilde{F}^+ with the following set. Consider a set H \subseteq F such that

LT(H) = LT(F) and |H| = |LT(F)|.

The next theorem shows that the ideal (F) is spanned by \tilde{F}^+ \cup H.

Theorem 3.1. Let k be a field and F a finite subset of k[x_1, \ldots, x_n]. For any subset H \subseteq F such that |H| = |LT(F)| and LT(H) = LT(F), the vectors \psi(g) \in k^s for g \in \tilde{F}^+ \cup H form a triangular basis of the subspace of the vector space k^s spanned by the vectors \{\psi(f) \mid f \in F\}.

Proof. Write G = \tilde{F}^+ \cup H. All elements g of G have distinct leading terms and are linear combinations of elements of F. Hence, the set \{\psi(g) \mid g \in G\} is linearly independent and is included in the subspace spanned by the vectors corresponding to elements of F. Furthermore, let r denote the rank of the subspace spanned by \psi(f) for f in F. It holds that LT(G) = LT(\tilde{F}^+) \cup LT(H) = LT(\tilde{F}). That implies |LT(G)| = |LT(\tilde{F}^+)| + |LT(H)| = r and the theorem follows. ■


Algorithm 3: Symbolic preprocessing

Input: A set F \subseteq k[x_1, \ldots, x_n] and the intermediate basis G'.
Output: The set F \cup P for a set of reductors P w.r.t. G'.

    D = LT(F), P = \emptyset
    while T(F \cup P) \ne D do
        Select m \in T(F \cup P) \setminus D
        D = D \cup \{m\}
        if m is divisible by LT(g) for some g \in G' then
            P = P \cup \{ (m / LT(g)) \cdot g \}
        end
    end
    return F \cup P

Algorithm 4: ReductionF4

Input: A finite set L \subseteq k[x_1, \ldots, x_n] and the intermediate basis G'.
Output: The set \tilde{F}^+ reduced w.r.t. G'.

    F = SymbolicPreprocessing(L, G')
    \tilde{F} = polynomials corresponding to the row echelon form of \Psi(F)
    \tilde{F}^+ = \{ g \in \tilde{F} \mid LT(g) \notin LT(F) \}
    return \tilde{F}^+

The F4 algorithm needs to select the critical pairs of the intermediate basis G'. Multiple strategies for such a selection have been adopted. Buchberger proved that the selection strategy does not affect the correctness of (Buchberger's) algorithm, yet it can significantly affect the overall performance of the computation. We consider the normal selection strategy, i.e. we select polynomials b_1, b_2 \in G' such that at the step of computation d it holds

\deg(LCM(LT(b_1), LT(b_2))) = d.

The step of computation describes how many times we have been through the main cycle, i.e. how many intermediate bases G' were constructed. For a critical pair (b_1, b_2) \in B_d the polynomials

\frac{LCM(LT(b_1), LT(b_2))}{LT(b_1)} \cdot b_1 \quad \text{and} \quad \frac{LCM(LT(b_1), LT(b_2))}{LT(b_2)} \cdot b_2

are passed to the simultaneous reduction. In total, the following set is passed to the reduction procedure at degree d:

L_d = \bigcup_{(b_1, b_2) \in B_d} \left\{ \frac{LCM(LT(b_1), LT(b_2))}{LT(b_1)} \cdot b_1,\ \frac{LCM(LT(b_1), LT(b_2))}{LT(b_2)} \cdot b_2 \right\}.

We proceed with two algorithms. Algorithm 3 (Symbolic preprocessing) extends the set F with polynomials that might be useful for the linear reduction of F. Algorithm 4 (ReductionF4) then represents them as a matrix and transforms the matrix to row echelon form using Gaussian elimination. When \tilde{F}^+ is constructed, only the polynomials that contribute new leading monomials are appended to the intermediate basis. Moreover, the elements of LT(\tilde{F}^+) extend the ideal spanned by LT(G') and are members of the ideal (G'). The set P in Algorithm 3 consists of the polynomials that might be useful for the linear reduction of F. In fact, when the algorithm terminates, all polynomials g \in k[x_1, \ldots, x_n] in the set P satisfy the condition

LT(g) \in T(F) \setminus LT(F).

The algorithm traverses every monomial m in T(F \cup P) \setminus D and searches for a polynomial g in the intermediate basis G' that reduces m. When a polynomial (m / LT(g)) \cdot g is added to the set F \cup P, it is itself considered as a subject of reduction. Moreover, the set F \cup P cannot decrease, which guarantees the termination of the algorithm. The thesis presents two lemmas used for the proof of correctness of the F4 algorithm. The first lemma formalizes that the leading terms of elements of \tilde{F}^+ contribute to the ideal spanned by the leading terms of the intermediate basis.

Lemma 3.2. Let \tilde{F}^+ denote the output of the ReductionF4 algorithm applied to L_d with respect to G'. For all f \in \tilde{F}^+ it holds that LT(f) is not an element of (LT(G')).

Proof. Let f be in \tilde{F}^+ and let the output of Symbolic Preprocessing of L_d w.r.t. G' be denoted by F. Suppose, to achieve a contradiction, that LT(f) \in (LT(G')). This assumption and LT(f) \in T(\tilde{F}^+) \subseteq T(F) imply that Symbolic Preprocessing must have added a reductor (LT(f) \cdot g) / LT(g) to F for a suitable g \in G'. This would mean that LT(f) \in LT(F), a contradiction with the definition of \tilde{F}^+. Hence, LT(f) is not an element of (LT(G')). ■

The second lemma states that all critical pairs in the set of possible k-linear combinations of L_d reduce to zero by the subset \tilde{F}^+ \cup G'.

Lemma 3.3. Let \tilde{F}^+ denote the output of ReductionF4 applied to L_d w.r.t. G' and let f be an arbitrary k-linear combination of elements of L_d. Then the normal form of f with respect to \tilde{F}^+ \cup G' equals zero.

Proof. Let f be a linear combination of elements of L_d. Suppose F is the output of Symbolic Preprocessing of L_d with respect to G'. By construction, L_d is a subset of F and therefore, due to Theorem 3.1, these elements are a linear combination of the triangular basis \tilde{F}^+ \cup H for a suitable subset H \subseteq F. The elements of H are either elements of L_d or of the form x^{\alpha} g for some g \in G' and \alpha \in \mathbb{N}_0^n. Then f can be written as

f = \sum_i a_i f_i + \sum_j a_j x^{\alpha_j} g_j

for f_i \in \tilde{F}^+ and g_j \in G', a_i, a_j \in k and \alpha_j \in \mathbb{N}_0^n. Hence there exists a reduction chain to zero. ■

We are now ready to give the basic version of the F4 algorithm. We keep the selection routine of the critical pairs unspecified and call it simply select(). The arguments for correctness are:

1. Note that every f \in \tilde{F}^+ is a linear combination of elements of L_d and of the reductors R. Since L_d and R are subsets of the ideal (G'), \tilde{F}^+ is also a subset of (G'). That implies that during the step d = d' of the algorithm, the intermediate basis satisfies

G' = \bigcup_{d=1}^{d'} \tilde{F}_d^+ \subseteq (F);

2. Lemma 3.2 implies that

(LT(\tilde{F}_1^+)) \subset (LT(\tilde{F}_1^+ \cup \tilde{F}_2^+)) \subset \ldots,

and according to the ascending chain theorem, the sequence eventually stabilizes and the algorithm terminates.


Algorithm 5: Algorithm F4

Input: A finite set F \subseteq k[x_1, \ldots, x_n].
Output: A Gröbner basis G for (F) with respect to some monomial ordering >.

    G' = F, \tilde{F}_0^+ = F, d = 0
    B = \{ (b_1, b_2) \mid b_1, b_2 \in G' \text{ and } b_1 \ne b_2 \}
    while B \ne \emptyset do
        d = d + 1
        B_d = select(B)
        B = B \setminus B_d
        L_d = \bigcup_{(b_1, b_2) \in B_d} \left\{ \frac{LCM(LT(b_1), LT(b_2))}{LT(b_1)} \cdot b_1,\ \frac{LCM(LT(b_1), LT(b_2))}{LT(b_2)} \cdot b_2 \right\}
        \tilde{F}_d^+ = ReductionF4(L_d, G')
        foreach f \in \tilde{F}_d^+ do
            B = B \cup \{ (f, g) \mid g \in G' \}
            G' = G' \cup \{ f \}
        end
    end
    return G'

3. Suppose that the algorithm terminates at d = d_{fin}. Since every pair (g_1, g_2) for g_1, g_2 \in G = \bigcup_{d=1}^{d_{fin}} \tilde{F}_d^+ is considered, the S-polynomial S(g_1, g_2) is in the linear span of the elements of G. Lemma 3.3 implies that its normal form equals zero. Hence Buchberger's criterion is satisfied and G is a Gröbner basis.

We illustrate the F4 algorithm on an example. We compute a Gröbner basis for the Cyclic 4 problem. We only perform the first iteration of the algorithm, as further on the matrices are of large size. Consider the ideal I generated by the polynomials:

f_1 = x_1 + x_2 + x_3 + x_4,

f_2 = x_1x_2 + x_2x_3 + x_3x_4 + x_1x_4,

f_3 = x_1x_2x_3 + x_1x_2x_4 + x_1x_3x_4 + x_2x_3x_4,

f_4 = x_1x_2x_3x_4 - 1.

The monomial ordering is >_{grevlex} and we adopt the normal selection strategy. For step d = 1 nothing happens, as there are no critical pairs of degree 1. We choose B_2 = \{(f_1, f_2)\} and hence L_2 = \{x_2 f_1, f_2\}. We enter SymbolicPreprocessing(L_2, \{f_1, f_2, f_3, f_4\}), since at the first step G' = \{f_1, f_2, f_3, f_4\}. Also, we have

T(L_2) = \{x_1x_2, x_2^2, x_2x_3, x_1x_4, x_2x_4, x_3x_4\},

LT(L_2) = \{x_1x_2\}.

The only monomial m \in T(L_2) \setminus LT(L_2) divisible by some h \in LT(G') is x_1x_4. It is divisible by LT(f_1) = x_1. Thus, we add x_4 f_1 as a reductor. The reduction is done on the set

F_2 = \{ f_2, x_4 f_1, x_2 f_1 \}

= \{ x_1x_2 + x_2x_3 + x_3x_4 + x_1x_4,\ x_1x_4 + x_2x_4 + x_3x_4 + x_4^2,\ x_1x_2 + x_2^2 + x_2x_3 + x_2x_4 \}.

The corresponding matrix of terms is

            x_1x_2   x_2^2   x_2x_3   x_1x_4   x_2x_4   x_3x_4   x_4^2
  f_2         1        0        1        1        0        1        0
  x_4 f_1     0        0        0        1        1        1        1
  x_2 f_1     1        1        1        0        1        0        0

The columns are indexed by the monomials of F_2 w.r.t. >_{grevlex}. The row echelon form of \Psi(F_2) is

\begin{pmatrix} 1 & 0 & 1 & 0 & -1 & 0 & -1 \\ 0 & 1 & 0 & 0 & 2 & 0 & 1 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{pmatrix}.

Thus \tilde{F}_2 = \{ x_2^2 + 2x_2x_4 + x_4^2,\ x_1x_4 + x_2x_4 + x_3x_4 + x_4^2,\ x_1x_2 + x_2x_3 - x_2x_4 - x_4^2 \}.

Note that x_1x_2, x_1x_4 \in LT(F_2) and therefore \tilde{F}_2^+ = \{ x_2^2 + 2x_2x_4 + x_4^2 \}.

Thus we add the polynomial x_2^2 + 2x_2x_4 + x_4^2 to the intermediate basis G'. After another six iterations we obtain the Gröbner basis containing the polynomials

G = \{ x_3^2x_4^4 + x_2x_3 - x_2x_4 + x_3x_4 - 2x_4^2,

x_3^3x_4^2 + x_3^2x_4^3 - x_3 - x_4,

x_2x_4^4 + x_4^5 - x_2 - x_4,

x_2x_3x_4^2 + x_3^2x_4^2 - x_2x_4^3 + x_3x_4^3 - x_4^4 - 1,

x_2x_3^2 + x_3^2x_4 - x_2x_4^2 - x_4^3,

x_2^2 + 2x_2x_4 + x_4^2,

x_1 + x_2 + x_3 + x_4 \}.
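The degree-2 step just traced, as an added example that is not the thesis's code: it runs Algorithms 3 and 4 with sympy over Q in the grevlex ordering x_1 > x_2 > x_3 > x_4 on the Cyclic 4 generators, recovers \tilde{F}_2^+, and computes the full reduced grevlex basis for comparison with the seven polynomials above. The helper names (symbolic_preprocessing, reduction_f4, cyclic4_step_d2) are this example's own, and sympy's rref() stands in for the row echelon form.

```python
"""One F4 reduction step (Algorithms 3 and 4) on the Cyclic 4 example.

Added example, not the thesis's code: sympy Poly over Q with the grevlex
ordering x1 > x2 > x3 > x4, and sympy's rref() as the row echelon form.
"""
from sympy import Matrix, Poly, groebner, symbols
from sympy.polys.orderings import grevlex

X = x1, x2, x3, x4 = symbols("x1 x2 x3 x4")


def P(expr):
    return Poly(expr, *X, domain="QQ")


def terms(f):
    """(exponent tuple, coefficient) pairs of f, leading term first (grevlex)."""
    return f.terms(order="grevlex")


def lt(f):
    return terms(f)[0][0]


def divides(a, b):
    return all(i <= j for i, j in zip(a, b))


def monomial(exps):
    e = 1
    for g, k in zip(X, exps):
        e *= g ** k
    return P(e)


def symbolic_preprocessing(L, G):
    """Algorithm 3: add the reductor (m / LT(g)) * g, g in G, for every term m of
    the set that is reducible by G, so that elimination can reduce that term."""
    F = list(L)
    done = {lt(f) for f in F}                              # D = LT(F)
    todo = {m for f in F for m, _ in terms(f)} - done      # T(F u P) \ D
    while todo:
        m = todo.pop()
        done.add(m)
        for g in G:
            if divides(lt(g), m):
                red = monomial(tuple(i - j for i, j in zip(m, lt(g)))) * g
                F.append(red)
                todo |= {t for t, _ in terms(red)} - done
                break
    return F


def reduction_f4(L, G):
    """Algorithm 4: build Psi(F), take a row echelon form, keep the rows whose
    leading term is new. Returns (F~+, column monomials, Psi(F), echelon form)."""
    F = symbolic_preprocessing(L, G)
    cols = sorted({m for f in F for m, _ in terms(f)}, key=grevlex, reverse=True)
    col = {m: j for j, m in enumerate(cols)}
    rows = [[0] * len(cols) for _ in F]
    for i, f in enumerate(F):
        for m, c in terms(f):
            rows[i][col[m]] = c
    M = Matrix(rows)
    E, _ = M.rref()                                        # one row echelon form
    F_tilde = []
    for i in range(E.rows):
        expr = sum(E[i, j] * monomial(cols[j]).as_expr() for j in range(len(cols)))
        if expr != 0:
            F_tilde.append(P(expr))
    lt_F = {lt(f) for f in F}                              # LT(F), reductors included
    return [f for f in F_tilde if lt(f) not in lt_F], cols, M, E


CYCLIC4 = [P(x1 + x2 + x3 + x4),
           P(x1*x2 + x2*x3 + x3*x4 + x1*x4),
           P(x1*x2*x3 + x1*x2*x4 + x1*x3*x4 + x2*x3*x4),
           P(x1*x2*x3*x4 - 1)]


def cyclic4_step_d2():
    """Step d = 2: B_2 = {(f1, f2)}, L_2 = {x2*f1, f2}; returns F~2+ as expressions."""
    f1, f2 = CYCLIC4[0], CYCLIC4[1]
    F_plus, _cols, _M, _E = reduction_f4([P(x2) * f1, f2], CYCLIC4)
    return [f.as_expr() for f in F_plus]


def cyclic4_groebner():
    """Full reduced grevlex basis, for comparison with the seven polynomials above."""
    return groebner([f.as_expr() for f in CYCLIC4], *X, order="grevlex").exprs
```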


There is still room for improvement in the performance of the F4 algorithm. For instance, a more sophisticated select() subroutine can be chosen. Also, the matrices that appear during the reduction are often sparse, and more efficient methods than Gaussian elimination can be employed to solve a sparse matrix. Most practical implementations of F4 are focused purely on sparse systems. In 2016, not many fast, free implementations of F4 are available. A lot of work has recently been done on the parallelization of F4, see [11]. The fastest implementation available in 2016, both for dense and sparse systems, is employed in the Magma computer algebra system. For some timing benchmarks see [12], [13]. The complexity of the F4 algorithm is not much better than the complexity of Buchberger's algorithm, i.e. there are still many Gröbner bases we cannot compute in practice. F4 is very demanding in terms of memory consumed: the matrices that appear during the computation are of huge size, often around 500 000 rows. New algorithms for Gröbner basis computation are also in scope. Some challenges were broken with the F5 algorithm [14], which utilizes a different idea than F4. However, these challenges were broken by the author of F5, Faugère; the public black-box implementation of F5 is far from being as effective as claimed.

4 Hidden Field Equations

Chapter 2 gave an overview of some basic concepts of public-key cryptography. In this chapter we present the Hidden Field Equations (HFE) family of cryptosystems and study its properties. We restrict our attention to the encryption scheme. For details concerning HFE digital signatures we refer to [15]. We begin with an overview of the basic variant of the HFE scheme. Next, a toy example illustrates how encryption and decryption are performed. Finally, we explain how to derive a public key given a private key.

4.1 Overview of HFE

HFE is a family of public key cryptosystems based on the hardness of the MQ problem. Here, MQ stands for 'Multivariate Quadratic' and refers to the fact that solving a system of quadratic equations in many variables over a finite field is NP-complete. A proof by reduction to 3-SAT can be found in [15]. HFE is a trapdoor for the MQ problem in the sense that a public key can be seen as a system of quadratic multivariate polynomial equations, and in order to break the cipher one needs to solve this system. On the contrary, with knowledge of the secret key, decryption is easy. The breakthrough in research on multivariate public key cryptosystems was the C* scheme proposed by Matsumoto and Imai in [16]. C* was however broken by Patarin in [17]. Patarin further suggested changes to the C* scheme that led to the HFE scheme, first described in [18].

4.1.1 Parameters of HFE

In HFE, two finite fields are used. We denote the first one F and set F = GF(q), where q is a power of a prime. The second field is the extension of F of degree n, generated by an irreducible polynomial g(t) of degree n. It is denoted E = GF(q^n). The field E is hidden, which sets the trapdoor for MQ. The field E can also be identified with the vector space F[t]/(g(t)). Multiplication of polynomials is then done modulo g(t) and addition is performed in the standard way. During decryption and encryption, we would like to transfer elements between F and E. Notice that F^n and E are of the same cardinality and therefore we can construct a bijection from F^n to E. Recall how elements of F^n and E look:

(u_1, u_2, \ldots, u_n) \in F^n, \qquad u_1 t^{n-1} + u_2 t^{n-2} + \cdots + u_n \in E.

The existence of a bijection immediately follows: define \psi : F^n \to E by

\psi((u_1, u_2, \ldots, u_n)) = u_1 \cdot t^{n-1} + u_2 \cdot t^{n-2} + \cdots + u_n.

For the opposite direction, i.e. E \to F^n, the mapping \psi^{-1} is used. Every element of E can then equally be seen as a vector from F^n and, moreover, as a polynomial of degree at most n - 1 with coefficients in F. The private key in the HFE cryptosystem is a triplet (S, T, P) where S, T : F^n \to F^n are affine bijections and P : E \to E is a polynomial in a single variable x. Each of S, T can be represented by a regular (invertible) n \times n matrix over F and one n-dimensional vector. By applying the transformation S to the vector (a_1, \ldots, a_n) \in F^n we mean:

S((a_1, \ldots, a_n)) = M_S \begin{pmatrix} a_1 \\ \vdots \\ a_n \end{pmatrix} + v_S

where M_S is the regular n \times n matrix and v_S is the n-dimensional vector. Let us write S = (M_S, v_S) and T = (M_T, v_T). The polynomial P can also be seen as the function P : E \to E. We denote its degree D = \deg(P) and set some restrictions on the powers of its terms. Viewed over F, the secret polynomial P is of the form

P(x_1, \ldots, x_n) = (p_1(x_1, \ldots, x_n), \ldots, p_n(x_1, \ldots, x_n))

where p_1, \ldots, p_n are polynomials in n variables. The purpose of the restriction on the powers of terms in P is to keep the polynomials p_1, \ldots, p_n quadratic at most. We explain why this works in Section 4.3. The degree D of the polynomial should not be too large, as the decryption process involves solving P(x) = y for a given y. The public parameters of HFE are the polynomials (p_1, \ldots, p_n) in n variables over F. The private parameters are S, T, P. In order to increase the security of HFE, several variants were introduced and are studied. Namely, four variants were proposed in [18]. These variations are:

1. HFE—: Remove some equations from the public key;

2. HFE+: Add some random equations to the public key;

3. HFEv: Add some variables to the private key;

4. HFEf: Remove some variables by fixing their values.

These variants are not studied in this text.

4.2 Encryption and Decryption

Now the thesis presents how to encrypt a message with knowledge of the private key. This procedure is never used in practice. Instead, a public key is derived from the private key and used to encrypt secret messages. Yet, the following example illustrates the process of encryption beautifully. How to obtain the public key given the private key is described in Section 4.3.

4.2.1 Encryption

The following example shows how to encrypt messages in the HFE scheme. In this example we consider the finite field F = GF(2) and its extension E = GF(4) generated by g(t) = t^2 + t + 1. Furthermore, let S, T be the affine transformations given by M_S, v_S and M_T, v_T respectively, where

M_S = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}, \quad v_S = \begin{pmatrix} 1 \\ 1 \end{pmatrix}, \quad M_T = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad v_T = \begin{pmatrix} 1 \\ 0 \end{pmatrix}.

The polynomial P is P(x) = x^3 + 1. Finally, let m = (1, 1) be the message we encrypt. The corresponding ciphertext is computed as c = T \circ \psi^{-1} \circ P \circ \psi \circ S(m). Figure 4.1 illustrates this process in general. Recall the mapping \psi. In our example we have

\psi((u_1, u_2)) = u_1 \cdot t + u_2.

Figure 4.1: Commutative diagram of encryption in HFE (the maps S : F^n \to F^n, \psi : F^n \to E, P : E \to E, \psi^{-1} : E \to F^n and T : F^n \to F^n; the diagram itself is not reproduced here).

We encrypt as follows:

1. Apply the affine transformation S on the message m:

S(m) = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \begin{pmatrix} 1 \\ 1 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 1 \end{pmatrix};

2. Lift S(m) up to E:

(0, 1) \mapsto 0 \cdot t + 1 = 1;

3. Apply the secret polynomial P:

P(1) = 1 + 1 = 0;

4. Transfer the result back to F:

0 \mapsto (0, 0);

5. Apply the affine transformation T:

T((0, 0)) = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} 0 \\ 0 \end{pmatrix} + \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \end{pmatrix}.

Given the message m = (1, 1), after encryption we receive the ciphertext c = (1, 0). We proceed with an example of how to retrieve the message given the ciphertext with knowledge of the private key.

4.2.2 Decryption

We are given the ciphertext c = (1, 0). We decrypt in the following fashion:

1. Apply T^{-1}:

T^{-1}(c) = M_T^{-1}(c - v_T) = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \left( \begin{pmatrix} 1 \\ 0 \end{pmatrix} - \begin{pmatrix} 1 \\ 0 \end{pmatrix} \right) = \begin{pmatrix} 0 \\ 0 \end{pmatrix};

2. Transform T^{-1}(c) to E:

(0, 0) \mapsto 0;

3. By inspecting all possible values P(a) for a \in F[t]/(g(t)), solve P(x) = 0:

P(0) = 1, \quad P(1) = 0, \quad P(t) = t^3 + 1 = 0, \quad P(t + 1) = (t + 1)^3 + 1 = 0.

At this point we are in trouble, since we cannot decide which of the three roots corresponds to the correct message. In practice, we would continue by decrypting all possible intermediate results, i.e. the elements 1, t and t + 1. Let us presume that we somehow can decide that t and t + 1 cannot result in the message we try to decrypt. We proceed with decrypting the intermediate result 1 and we discuss this question below the example.

4. Transfer the result back to F:

1 \mapsto (0, 1);

5. Apply S^{-1}:

S^{-1}((0, 1)) = M_S^{-1}\left( \begin{pmatrix} 0 \\ 1 \end{pmatrix} - v_S \right) = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \left( \begin{pmatrix} 0 \\ 1 \end{pmatrix} - \begin{pmatrix} 1 \\ 1 \end{pmatrix} \right) = \begin{pmatrix} 1 \\ 1 \end{pmatrix} = m.

Recall that the problematic step in decryption is solving P(x) = y for a given y. Since the degree of P is D, we can obtain up to D distinct solutions. As S and T are bijections, they have no effect on the number of solutions of the corresponding cryptosystem. When decrypting an actual text, we simply decrypt all solutions of P(x) = y. It is very probable that in all cases but one we do not get a meaningful text, and the meaningful text obviously points to the correct solution. When we encrypt data for which the receiver cannot predict how they should look, extra redundancy is needed. We add this redundancy before encrypting the message. The easiest way is to hash the message and concatenate the original message with its hash. The encrypted message is then m' = m.h(m), where . denotes concatenation. Various ways of adding redundancy to a message are described in [18]. For solving P(x) = y one can use Berlekamp's algorithm of complexity O(nD^2 + \log(D) + D^3). In this toy example, it was easy to inspect all possible values due to the low degree D and the small cardinalities of the finite fields. Note that solving P(x) = y is the only computationally difficult part of decryption. Inverting the affine transformations and applying them is expected to be rather fast.

4.3 Public key derivation

As described earlier, the private key is not used to encrypt messages. Instead, a public key is computed and used for encryption. A public key can be derived from a private key by two methods. The first method generates a public key by polynomial interpolation. The second method uses a base transformation. The thesis describes the faster base transformation method. The thesis proceeds with an example and further argues that this procedure is correct. For a complete proof of correctness and for the polynomial interpolation method, see [15]. Recall the HFE scheme with the parameters used in the examples above:

M_S = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}, \quad v_S = \begin{pmatrix} 1 \\ 1 \end{pmatrix}, \quad M_T = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad v_T = \begin{pmatrix} 1 \\ 0 \end{pmatrix}.

The polynomial P(x) = x^3 + 1. Let the message m be a general vector from F^2, m = (x_1, x_2). We obtain the corresponding public key by encrypting the general message m:

1. Apply S:

S(m) = M_S \begin{pmatrix} x_1 \\ x_2 \end{pmatrix} + v_S = \begin{pmatrix} x_1 + 1 \\ x_1 + x_2 + 1 \end{pmatrix};

2. Lift the vector up to the field E and denote the result f:

f = (x_1 + 1) \cdot t + (x_1 + x_2 + 1);

3. Apply the polynomial P(x) = x^3 + 1. First, we compute f^2:

f^2 = (x_1 + 1) \cdot t^2 + (x_1 + x_2 + 1).

Using the intermediate result f^2 we compute f^3 = f^2 \cdot f:

f^3 = (x_1 + 1) \cdot t^3 + (x_1x_2 + x_1 + x_2 + 1) \cdot t^2 + (x_1x_2 + x_1 + x_2 + 1) \cdot t + (x_1 + x_2 + 1)

\equiv x_1x_2 + x_1 + 1

where \equiv denotes reduction modulo g(t). The computation yields the result P(f) = x_1x_2 + x_1. In this step we obtain a quadratic polynomial in x_1, x_2, since we have multiplied two affine polynomials. By an affine polynomial we mean a polynomial of degree at most 1;

4. Transfer P(f) back to F:

0 \cdot t + (x_1x_2 + x_1) \mapsto \begin{pmatrix} 0 \\ x_1x_2 + x_1 \end{pmatrix};

5. Apply T:

\begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} 0 \\ x_1x_2 + x_1 \end{pmatrix} + \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} x_1x_2 + x_1 + 1 \\ 0 \end{pmatrix}.

Finally, we denote

p_1 = x_1x_2 + x_1 + 1, \qquad p_2 = 0.

The polynomials p_1 and p_2 form the public key. We see that they are quadratic at most. Encrypting a message m now means evaluating the public polynomials. We can check the correctness of our computation by encrypting m = (1, 1) using the public key:

p_1(1, 1) = 1, \qquad p_2(1, 1) = 0.

This yields the ciphertext (1, 0), which is the same result as in Section 4.2. Note that this example is somewhat artificial. As we described in 4.2.2, three out of four messages are represented by the same ciphertext (1, 0). This is also due to the fact that the polynomial p_2 is of degree 0. In practice, we would not use such a key.

Consider an arbitrary general message m as a vector of affine polynomials p_1, \ldots, p_n \in F[x_1, \ldots, x_n]. Initially the message is m = (p_1, \ldots, p_n) = (x_1, \ldots, x_n). Then applying the affine transformation S keeps the polynomials affine, as multiplication by a constant and addition of an affine polynomial cannot increase the degree of an affine polynomial. After applying \psi to the intermediate result, we obtain a polynomial in t with multivariate polynomial coefficients of degree at most 1. Note that x^q = x and (a + b)^q = a^q + b^q. We argue that applying an arbitrary secret polynomial P keeps the resulting polynomials p'_1, \ldots, p'_n quadratic at most. Let p be a general affine polynomial, p = a_0 + a_1x_1 + \cdots + a_nx_n. Then

p^q = (a_0 + a_1x_1 + \cdots + a_nx_n)^q = a_0^q + a_1^q x_1^q + \cdots + a_n^q x_n^q = a_0 + a_1x_1 + \cdots + a_nx_n = p.

Thus p \mapsto p^q is the identity operation on affine polynomials over GF(q). Before applying the secret polynomial P, the argument f is of the form

f = p_1 \cdot t^{n-1} + p_2 \cdot t^{n-2} + \cdots + p_n

for some affine polynomials p_1, \ldots, p_n. Note that the reduction of f modulo g(t) consists of adding multiples of affine polynomials, which does not increase the degree of the polynomials p_1, \ldots, p_n. As a result, raising f to the power q^i keeps the coefficients affine. It is the multiplication f^{q^i + q^j} = f^{q^i} \cdot f^{q^j} that makes p_1, \ldots, p_n quadratic. The mapping \psi^{-1} gives a vector (p_1, \ldots, p_n) of quadratic polynomials. Then applying the affine transformation T does not increase the degree of the polynomials. Hence, after computing a public key, the resulting polynomials are quadratic at most.

5 Algebraic attacks on HFE

In this chapter, algebraic attacks on the basic variant of HFE are studied. First, we describe the attack when the cardinality of the base field F is 2 and we evaluate its complexity. Next, we treat the attacks for odd q. The qualitative difference between these attacks is explained and cases when the field equations cannot be utilized are discussed. For both types of attacks we give an example. Finally, we suggest parameters of HFE that make algebraic attacks intractable. By an algebraic attack we mean the following setting. An attacker is given a public key and the corresponding ciphertext for an HFE system,

y_1 = p_1(x_1, \ldots, x_n),

y_2 = p_2(x_1, \ldots, x_n),

\vdots

y_n = p_n(x_1, \ldots, x_n).

The attacker tries to use the Gröbner basis approach to recover the original message x_1, \ldots, x_n. A key concept in inverting polynomial systems is the degree of regularity. The degree of regularity of the functions p_1, \ldots, p_n is the lowest degree at which non-trivial relations between the p_i occur. Experiments show that the F4 algorithm terminates at or close to the degree of regularity, and thus its complexity is determined by the degree of regularity. Moreover, the degree of the polynomials reduced during the Gröbner basis computation is not higher than the degree of regularity of the corresponding system. Therefore the degree of regularity also determines the size of the matrices reduced in the F4 algorithm and hence the memory requirements.

5.1 Algebraic attack for q = 2

In 2003, Faugère broke the first HFE challenge and published the paper [8]. The system of equations to solve for this challenge can be found in [19]. The parameters of HFE are in this case q = 2, n = 80, d = 96. The challenge was broken with a specialized version of the F5 algorithm on an EV68 processor at 1 GHz with 4 GB of RAM. The computation took 2 days and 4 hours, and during the computation a matrix of size 307 126 \times 1 667 009 was reduced. The corresponding degree of regularity was 5. An exhaustive search attack would take more than 2^{80} operations, hence was not feasible. Allan Steel successfully attacked the same system in 2004 using his Magma implementation of the F4 algorithm. Later Steel introduced a variant of the F4 algorithm for dense systems, which can be applied to HFE. On one core of a 3.2 GHz Intel Xeon E5-1560 system with 64 GB of memory he was able to solve a similar challenge, q = 2, n = 80, d = 100, within 3 minutes. The paper [20] derived an upper bound for the complexity of the attack when q = 2. It states that for d = O(n^a), where a is some constant, the attack has complexity O(n^{\log_2 d}). As a result, breaking such a cryptosystem is much easier than factorizing an integer N of size n = \log N or computing the discrete logarithm modulo a prime p with n = \log p. We give a small-scale example of a direct algebraic attack for q = 2. For generating instances of HFE, one can use our script for SAGE. The script can be found in Appendix A. For the Gröbner basis computation, one can use the FGb library from [21]. Consider the following instance of HFE: q = 2, n = 5. The affine transformations are as follows:

(The 5 \times 5 matrices M_S, M_T and the vectors v_S, v_T of this instance are not legible in this copy.) The secret polynomial is P = x^{48} + x^{24} + x^6 + x^5 and the message we encrypt is (1, 1, 0, 1, 0). We derive the following public key:

p_1 = x_1^2 + x_1x_2 + x_1x_3 + x_1x_4 + x_1x_5 + x_1 + x_2x_3 + x_2 + x_3x_4 + x_3x_5 + x_4 + x_5^2 + x_5,

p_2 = x_1^2 + x_1x_2 + x_1x_4 + x_1x_5 + x_2^2 + x_2x_3 + x_2x_4 + x_3^2 + x_3x_5 + x_3 + x_4x_5 + x_4 + x_5^2,

p_3 = x_1x_2 + x_1x_3 + x_1x_5 + x_2^2 + x_3x_4 + x_3 + x_4^2 + x_4 + x_5^2,

p_4 = x_1x_3 + x_1x_4 + x_2^2 + x_2x_4 + x_2 + x_3^2 + x_3x_4 + x_3 + x_4x_5 + x_5^2 + x_5,

p_5 = x_1^2 + x_1x_3 + x_1x_4 + x_2x_3 + x_2x_4 + x_3^2 + x_3x_5 + x_3 + x_4x_5 + x_4 + x_5^2.

By evaluating the public key we obtain the ciphertext (1, 0, 1, 1, 0). The attacker is given the ciphertext and the public key. Following the algorithm given in Chapter 2, the attacker computes the reduced Gröbner basis of the following polynomials w.r.t. >_{grevlex}:

x_1^2 + x_1x_2 + x_1x_3 + x_1x_4 + x_1x_5 + x_1 + x_2x_3 + x_2 + x_3x_4 + x_3x_5 + x_4 + x_5^2 + x_5 + 1,

x_1^2 + x_1x_2 + x_1x_4 + x_1x_5 + x_2^2 + x_2x_3 + x_2x_4 + x_3^2 + x_3x_5 + x_3 + x_4x_5 + x_4 + x_5^2,

x_1x_2 + x_1x_3 + x_1x_5 + x_2^2 + x_3x_4 + x_3 + x_4^2 + x_4 + x_5^2 + 1,

x_1x_3 + x_1x_4 + x_2^2 + x_2x_4 + x_2 + x_3^2 + x_3x_4 + x_3 + x_4x_5 + x_5^2 + x_5 + 1,

x_1^2 + x_1x_3 + x_1x_4 + x_2x_3 + x_2x_4 + x_3^2 + x_3x_5 + x_3 + x_4x_5 + x_4 + x_5^2,

x_1^2 + x_1,

x_2^2 + x_2,

x_3^2 + x_3,

x_4^2 + x_4,

x_5^2 + x_5.

After transforming the Gröbner basis to >_{lex}, it is of the form:

x_1 + 1,

x_2 + 1,

x_3,

x_4 + 1,

x_5.

From this we can easily recover the original message, (1, 1, 0, 1, 0).
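The toy instance of Sections 4.2 and 4.3 and the attack pipeline of this section in one added example, which is not the thesis's SAGE code. It implements E = GF(2^n) on bitmasks, encrypts m = (1, 1), lists every plaintext that decryption can return for c = (1, 0), derives the public key by interpolation (the algebraic normal form of each ciphertext bit, the first of the two methods named in 4.3), and then runs the attack of Chapter 2 (field equations, grevlex basis, FGLM to lex) with sympy. The class HFE, the helper names, and the instance INSTANCE5 (n = 5, P(x) = x^3, g(t) = t^5 + t^2 + 1, constructed S and T) are this example's own assumptions; the thesis's n = 5 key above is not reused because its matrices are not legible here.

```python
"""Toy HFE over GF(2) (Sections 4.2, 4.3) and the attack of Section 5.1.

Added example, not the thesis's SAGE code. E = GF(2^n) = GF(2)[t]/(g(t)) is
represented by ints (bit i = coefficient of t^i), so psi((u1, ..., un)) =
u1*t^(n-1) + ... + un just reads the bits big-endian. TOY is the thesis instance;
INSTANCE5 is a constructed n = 5 instance with P = x^3, a bijection of GF(32).
"""
from itertools import product
from sympy import Poly, groebner, symbols


class HFE:
    def __init__(self, n, g, P, Ms, vs, Mt, vt):
        self.n, self.g, self.P = n, g, P          # P as {exponent: coefficient in E}
        self.S, self.T = (Ms, vs), (Mt, vt)

    def mul(self, a, b):
        """Multiplication in E: shift-and-add, reducing modulo g(t)."""
        r = 0
        while b:
            if b & 1: r ^= a
            b >>= 1
            a <<= 1
            if a >> self.n: a ^= self.g
        return r

    def eval_P(self, x):
        r = 0
        for e, c in self.P.items():
            p = 1
            for _ in range(e): p = self.mul(p, x)
            r ^= self.mul(c, p)
        return r

    @staticmethod
    def affine(M, v, u):
        """u -> M*u + v over GF(2)."""
        return tuple((sum(M[i][j] & u[j] for j in range(len(u))) + v[i]) & 1
                     for i in range(len(v)))

    def affine_inv(self, M, v, w):
        """Preimage under the bijective affine map (exhaustive search, n is tiny)."""
        return next(u for u in product((0, 1), repeat=self.n)
                    if self.affine(M, v, u) == tuple(w))

    def psi(self, u):
        x = 0
        for b in u: x = (x << 1) | b
        return x

    def psi_inv(self, x):
        return tuple((x >> (self.n - 1 - i)) & 1 for i in range(self.n))

    def encrypt(self, m):
        """c = T o psi^-1 o P o psi o S (m)."""
        y = self.eval_P(self.psi(self.affine(*self.S, m)))
        return self.affine(*self.T, self.psi_inv(y))

    def decrypt_candidates(self, c):
        """Every plaintext consistent with c: P(x) = y may have several roots."""
        y = self.psi(self.affine_inv(*self.T, c))
        roots = [x for x in range(1 << self.n) if self.eval_P(x) == y]
        return sorted(self.affine_inv(*self.S, self.psi_inv(x)) for x in roots)

    def public_key(self):
        """p_1..p_n as the algebraic normal form of each ciphertext bit, obtained by
        the Moebius transform over all 2^n messages (the interpolation method)."""
        xs = symbols(f"x1:{self.n + 1}")
        pts = list(product((0, 1), repeat=self.n))
        table = {m: self.encrypt(m) for m in pts}
        key = []
        for i in range(self.n):
            p = 0
            for u in pts:   # coefficient of x^u is the XOR of bit i over all m <= u
                if sum(table[m][i] for m in pts if all(a <= b for a, b in zip(m, u))) % 2:
                    mono = 1
                    for xj, uj in zip(xs, u):
                        if uj: mono *= xj
                    p += mono
            key.append(p)
        return xs, key


def algebraic_attack(xs, key, c):
    """Section 5.1: public key + ciphertext + field equations x_i^2 + x_i, grevlex
    basis, FGLM to lex; returns the GF(2)-points on which the lex basis vanishes."""
    F = [p + ci for p, ci in zip(key, c)] + [x**2 + x for x in xs]
    G = groebner([f for f in F if f != 0], *xs, modulus=2, order="grevlex")
    Glex = G.fglm("lex")
    return sorted(pt for pt in product((0, 1), repeat=len(xs))
                  if all(g.subs(dict(zip(xs, pt))) % 2 == 0 for g in Glex.exprs))


# Thesis toy parameters (n = 2, g = t^2+t+1, P = x^3+1) and a constructed n = 5 instance.
TOY = HFE(2, 0b111, {3: 1, 0: 1}, ((1, 0), (1, 1)), (1, 1), ((0, 1), (1, 0)), (1, 0))
INSTANCE5 = HFE(5, 0b100101, {3: 1},                                   # g = t^5 + t^2 + 1
                ((1, 0, 0, 0, 0), (1, 1, 0, 0, 0), (0, 1, 1, 0, 0), (0, 0, 1, 1, 0), (0, 0, 0, 1, 1)),
                (1, 0, 1, 1, 0),
                ((0, 0, 0, 0, 1), (1, 0, 0, 0, 0), (0, 1, 0, 0, 0), (0, 0, 1, 0, 0), (0, 0, 0, 1, 0)),
                (0, 1, 1, 0, 1))
```

For TOY, decrypt_candidates((1, 0)) returns the three messages that share the ciphertext (1, 0), exactly the ambiguity discussed in 4.2.2; for INSTANCE5 the attack returns the single original message.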

5.2 Algebraic attack for odd q

The efficient use of the field equations is strongly related to the characteristic of the field GF(q). For instance, consider q = 11. Then the field equations x_i^{11} - x_i = 0, 1 \le i \le n, are of degree 11. The field equations can only be utilized in the Gröbner basis computation if the degree of a polynomial is at least 11. Then, for n = 32 variables, we have (32 + 11)! / (11! \cdot 32!) possible terms. That is roughly 2^{32}. With current memory capacity, for n > 64 the computation with the field equations is infeasible. We still might try to compute the Gröbner basis without the field equations and recover the corresponding solutions. The observation of the paper [22] is that the degree of regularity of such a system is likely to be higher than D/2, where D is the degree of the secret polynomial P. The argument follows.

Proposition 5.1. Let p_1(x_1, \ldots, x_n) = 0, \ldots, p_n(x_1, \ldots, x_n) = 0 be a set of n multivariate polynomial equations in n variables over GF(q). For each x_i, 1 \le i \le n, if x_i has d different solutions (including the ones in the algebraic closure of GF(q)), the maximum degree of the corresponding Gröbner basis w.r.t. >_{lex} must be at least d.

Proof. Suppose we get exactly d values for x_n generated by the equations. If the degree of g_n(x_n) in the corresponding Gröbner basis is d' < d, then we have only d' values, which is impossible. ■

To investigate the estimated degree of regularity, we are interested in the number of solutions of an HFE instance. As stated earlier, the transformation T does not affect the number of solutions. The same holds for S, as it only changes the basis. Thus we are interested in the number of solutions of equations of the form P(x) = y, where y is the corresponding intermediate ciphertext.

Theorem 5.2. If we do not include the field equations, the overall Gröbner basis algorithm has to deal with polynomials of degree at least equal to the number of solutions of the equation P(x) - y = 0 in the algebraic closure of GF(q).

Extensive experiments in [22] show that the number of solutions of such a system is likely to be at least D/2. This implies that for D = 11^2 + 11, the corresponding polynomials in the Gröbner basis computation are at least of degree 66. That points to a high degree of regularity and makes the computation intractable. For the secret polynomial P(x) = x^2 the article [23] proves that the degree of regularity of the corresponding system is q. As a result, the following theorem holds.


Theorem 5.3. Inverting an HFE instance with P(x) = x^2 algebraically is exponential when q = \Theta(n), where n is the number of variables of the system.

Common sense suggests that this holds for arbitrary P, as P(x) = x^2 is the simplest among all HFE polynomials. This is a very strong conjecture that needs further investigation. If the conjecture turns out to be true, HFE is then practically secure against algebraic attacks just by using odd q. We would like to point out that systems with quadratic secret polynomials are proven to be insecure in [24]. Yet, the approach of that attack is different from our Gröbner basis perspective. An example of the attack for odd q follows. The HFE parameters are: q = 11, n = 5, P(x) = x^{22} + x^{11} + 1. The affine transformations are

(The 5 \times 5 matrices M_S, M_T and the vectors v_S, v_T over GF(11) of this instance are not legible in this copy.)

The plaintext is (1, 4, 3, 5, 2) and we obtain the public key:

p_1 = 4x_1^2 - 4x_1x_2 - 4x_2^2 + 4x_1x_3 - 4x_2x_3 - 3x_3^2 - 5x_1x_4 + 4x_3x_4 - 2x_4^2 + 4x_1x_5 - 2x_2x_5 - 5x_3x_5 - 2x_4x_5 + 2x_5^2 + x_1 + x_3 - x_4 + 4x_5 + 2,

p_2 = 2x_1^2 + 3x_1x_2 - 3x_2^2 - 5x_1x_3 + 5x_2x_3 - x_3^2 - x_1x_4 + 4x_3x_4 + 3x_4^2 - 4x_1x_5 + 4x_2x_5 - 5x_3x_5 + x_4x_5 + 5x_5^2 - 2x_1 - 3x_2 - x_3 + 5x_4 + 5x_5 + 5,

p_3 = -x_1^2 - 3x_1x_2 - 5x_2^2 - x_1x_3 + 2x_2x_3 - 5x_3^2 + 5x_1x_4 - 5x_2x_4 - 4x_3x_4 + 4x_4^2 + 4x_1x_5 + x_2x_5 + 2x_4x_5 - x_5^2 + x_1 + x_2 - 4x_3 + 4x_4 - 5x_5 + 2,

p_4 = 3x_1^2 + 3x_1x_2 + 2x_2^2 + 4x_1x_3 + x_2x_3 + 5x_3^2 - 5x_1x_4 + 4x_2x_4 - 5x_3x_4 + x_4^2 - x_1x_5 + 4x_2x_5 + 5x_3x_5 - 4x_4x_5 + 5x_5^2 + 5x_1 + 2x_2 - x_3 + 3x_4 - 2x_5 - 1,

p_5 = -5x_1^2 + 3x_1x_2 - 3x_2^2 + 4x_1x_3 - 2x_2x_3 + 3x_3^2 + 3x_1x_4 + 2x_2x_4 + 2x_3x_4 + 3x_4^2 - 3x_1x_5 + 2x_2x_5 + 3x_3x_5 + 5x_4x_5 + 3x_5^2 + 4x_1 - x_2 + 5x_3 + 2x_5 + 5.

From the public key we derive the ciphertext (3, 3, 6, 5, 6). We have tried to compute the corresponding Gröbner basis without the field equations, but we were not able to recover the solutions from it. The computed Gröbner basis is given in Appendix B. With the field

equations, we compute a Gröbner basis of the ideal generated by the polynomials

4x_1^2 - 4x_1x_2 - 4x_2^2 + 4x_1x_3 - 4x_2x_3 - 3x_3^2 - 5x_1x_4 + 4x_3x_4 - 2x_4^2 + 4x_1x_5 - 2x_2x_5 - 5x_3x_5 - 2x_4x_5 + 2x_5^2 + x_1 + x_3 - x_4 + 4x_5 - 1,

2x_1^2 + 3x_1x_2 - 3x_2^2 - 5x_1x_3 + 5x_2x_3 - x_3^2 - x_1x_4 + 4x_3x_4 + 3x_4^2 - 4x_1x_5 + 4x_2x_5 - 5x_3x_5 + x_4x_5 + 5x_5^2 - 2x_1 - 3x_2 - x_3 + 5x_4 + 5x_5 + 2,

-x_1^2 - 3x_1x_2 - 5x_2^2 - x_1x_3 + 2x_2x_3 - 5x_3^2 + 5x_1x_4 - 5x_2x_4 - 4x_3x_4 + 4x_4^2 + 4x_1x_5 + x_2x_5 + 2x_4x_5 - x_5^2 + x_1 + x_2 - 4x_3 + 4x_4 - 5x_5 - 4,

3x_1^2 + 3x_1x_2 + 2x_2^2 + 4x_1x_3 + x_2x_3 + 5x_3^2 - 5x_1x_4 + 4x_2x_4 - 5x_3x_4 + x_4^2 - x_1x_5 + 4x_2x_5 + 5x_3x_5 - 4x_4x_5 + 5x_5^2 + 5x_1 + 2x_2 - x_3 + 3x_4 - 2x_5 + 5,

-5x_1^2 + 3x_1x_2 - 3x_2^2 + 4x_1x_3 - 2x_2x_3 + 3x_3^2 + 3x_1x_4 + 2x_2x_4 + 2x_3x_4 + 3x_4^2 - 3x_1x_5 + 2x_2x_5 + 3x_3x_5 + 5x_4x_5 + 3x_5^2 + 4x_1 - x_2 + 5x_3 + 2x_5 - 1,

xj;1 — xi,

1 Xj - x2,

1 Z3 - x3,

X41 — X4,

X51 — X5.

The resulting Grobner basis is

\[
x_1 + 5x_5,\quad x_2 + x_5 + 5,\quad x_3 + 8x_5 + 3,\quad x_4 + 6x_5 + 5,\quad x_5^2 + 9x_5.
\]

There are two solutions of this system. The first is (0, 6, 8, 6, 0) and the second is (1,4,3,5,2). The second solution is the original plaintext.
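The back-substitution that turns the lex Grobner basis above into the two solutions, written out as an added example in plain Python (not the thesis's Sage code). The public key, ciphertext and basis are the ones printed above; the solver assumes a lex basis in shape position (one univariate polynomial in the last variable plus one linear polynomial per other variable), which is the form this basis has, and it checks every candidate against the public key.

```python
# Added example, not the thesis's Sage code: the back-substitution step of the
# Grobner-basis attack on the q = 11, n = 5 instance from Chapter 5.  The public
# key, ciphertext and reduced lex Grobner basis are copied from the text above;
# the solver works for any lex basis in "shape position" (one univariate
# polynomial in the last variable plus one linear polynomial per other variable).
Q = 11                        # the base field GF(11)
CIPHERTEXT = (3, 3, 6, 5, 6)
PLAINTEXT = (1, 4, 3, 5, 2)


def public_key(x):
    """Evaluate the public polynomials p1..p5 at x = (x1, ..., x5) over GF(11)."""
    x1, x2, x3, x4, x5 = x
    p = [
        4*x1**2 - 4*x1*x2 - 4*x2**2 + 4*x1*x3 - 4*x2*x3 - 3*x3**2 - 5*x1*x4 + 4*x3*x4
        - 2*x4**2 + 4*x1*x5 - 2*x2*x5 - 5*x3*x5 - 2*x4*x5 + 2*x5**2 + x1 + x3 - x4 + 4*x5 + 2,
        2*x1**2 + 3*x1*x2 - 3*x2**2 - 5*x1*x3 + 5*x2*x3 - x3**2 - x1*x4 + 4*x3*x4 + 3*x4**2
        - 4*x1*x5 + 4*x2*x5 - 5*x3*x5 + x4*x5 + 5*x5**2 - 2*x1 - 3*x2 - x3 + 5*x4 + 5*x5 + 5,
        -x1**2 - 3*x1*x2 - 5*x2**2 - x1*x3 + 2*x2*x3 - 5*x3**2 + 5*x1*x4 - 5*x2*x4 - 4*x3*x4
        + 4*x4**2 + 4*x1*x5 + x2*x5 + 2*x4*x5 - x5**2 + x1 + x2 - 4*x3 + 4*x4 - 5*x5 + 2,
        3*x1**2 + 3*x1*x2 + 2*x2**2 + 4*x1*x3 + x2*x3 + 5*x3**2 - 5*x1*x4 + 4*x2*x4 - 5*x3*x4
        + x4**2 - x1*x5 + 4*x2*x5 + 5*x3*x5 - 4*x4*x5 + 5*x5**2 + 5*x1 + 2*x2 - x3 + 3*x4 - 2*x5 - 1,
        -5*x1**2 + 3*x1*x2 - 3*x2**2 + 4*x1*x3 - 2*x2*x3 + 3*x3**2 + 3*x1*x4 + 2*x2*x4 + 2*x3*x4
        + 3*x4**2 - 3*x1*x5 + 2*x2*x5 + 3*x3*x5 + 5*x4*x5 + 3*x5**2 + 4*x1 - x2 + 5*x3 + 2*x5 + 5,
    ]
    return tuple(v % Q for v in p)


# Reduced lex Grobner basis of <p_i - c_i, x_i^11 - x_i> as printed in the text:
# x1 + 5x5, x2 + x5 + 5, x3 + 8x5 + 3, x4 + 6x5 + 5, x5^2 + 9x5.
UNIVARIATE = [0, 9, 1]                                 # x5^2 + 9x5, coefficients by rising degree
LINEAR = {0: (5, 0), 1: (1, 5), 2: (8, 3), 3: (6, 5)}  # x_i + a*x5 + b == 0 for i = 0..3


def roots_mod_q(coeffs, q):
    """All roots in GF(q) of sum(c_k t^k); q is tiny, so simply try every element."""
    return [t for t in range(q)
            if sum(c * pow(t, k, q) for k, c in enumerate(coeffs)) % q == 0]


def solve_shape_basis(univariate, linear, nvars, q):
    """Back-substitute a shape-position lex basis into every solution in GF(q)^nvars."""
    solutions = []
    for r in roots_mod_q(univariate, q):
        x = [0] * nvars
        x[nvars - 1] = r
        for i, (a, b) in linear.items():       # x_i = -(a*r + b) mod q
            x[i] = (-(a * r + b)) % q
        solutions.append(tuple(x))
    return sorted(solutions)


def recover_plaintexts():
    """Solutions of the basis that really encrypt to CIPHERTEXT under the public key."""
    candidates = solve_shape_basis(UNIVARIATE, LINEAR, 5, Q)
    return [x for x in candidates if public_key(x) == CIPHERTEXT]


if __name__ == "__main__":
    print(public_key(PLAINTEXT), recover_plaintexts())
```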

6 Conclusions

The goal of this thesis was to present a Grobner basis as a tool for algebraic cryptanalysis of HFE. The thesis introduced asymmetric cryptography and a Grobner basis. Next, we have shown how a Grobner basis can be used to break a cryptosystem. Further, the thesis described the F4 algorithm for fast computation of a Grobner basis. Finally, we have presented the HFE cryptosystem and studied the complexity of the Grobner basis attack against HFE. In Chapter 5, we have collected scattered results from several papers and suggested parameters that could make the algebraic attack against HFE intractable. Moreover, we gave examples of the algebraic attacks against HFE. For future research, more experimental work in evaluating the complexity of algebraic attacks is needed. Namely, there are no experiments that would support the conjecture that inverting an HFE instance is exponential. Also, no fast public implementation of an F5 algorithm is available. It might also be useful to study the properties of the resulting Grobner basis of an attack where the field equations are not involved.

Appendices

A SAGE code

This chapter contains the SAGE code for generating HFE instances. We have implemented the code ourselves. The code was designed for academic use; it is not optimized and does not treat many implementation details. The code is able to generate pseudorandom HFE instances.

#@brief generates the public key for an HFE instance
#@param n - number of variables
#@param q - cardinality of the base field to work over. This has to be a power of a prime
#The function computes the public key by base transformation. It uses multivariate polynomials to simulate a general vector.
#Hence, the orientation in the code might be difficult as we work with polynomials whose coefficients are multivariate polynomials.
#This is Sage code: under the Sage preparser the ^ operator is exponentiation.
def HFEkeyGeneration(n, q):

    #Initializes basic structures
    k = GF(q)

    #Variable names, use whatever you want
    v = ['x' + str(num) for num in range(1, n+1)]
    R = PolynomialRing(k, v)

    #The quotient ring for x_i^q = x_i
    J = R.ideal([x^q - x for x in R.gens()])
    H = R.quotient_ring(J, v)

    #Initializes random affine transformations S = (A,c), T = (B,d)
    A = random_matrix(k, n, n)
    while A.is_singular():
        A = random_matrix(k, n, n)

    B = random_matrix(k, n, n)
    while B.is_singular():
        B = random_matrix(k, n, n)

    c = random_vector(k, n)
    d = random_vector(k, n)

    #The general vector we encrypt
    #Serves for construction of the public key
    m = vector(R, n, R.gens())

    #Apply S to the general message m
    m = A*m
    m = m + c

    #Transforms the vector to a list and reverses it
    coeffs = m.list()
    coeffs.reverse()

    #Setup of the quotient ring (the generator names t and y are arbitrary choices made here)
    P = PolynomialRing(k, 't')
    g = P.irreducible_element(n)

    L = PolynomialRing(R, 'y')
    pol = L(coeffs)

    #Sets the quotient ring with the irreducible polynomial g of degree n (same coefficients, now in the variable y)
    g = L(g.list())
    I = L.ideal([g])
    Q = L.quotient_ring(I)

    #Apply the fixed secret polynomial P(X) = X^(q+q) + X^q + 1, reducing modulo g as we go
    #In Sage cloud we recommend not using polynomials of degree higher than 50 for q not 2 and long plaintexts; the computation takes a long time
    #For our purposes this part is fixed. It produces quadratic terms for sure as pol^(q+q) appears in the polynomial
    pol = Q(pol)
    pol = pol^(q+q) + pol^q + 1

    #Transforms the polynomial back to a vector (list() of a quotient element is padded to length n)
    coeffs = pol.list()
    coeffs.reverse()
    m = vector(R, n, coeffs)

    #Apply affine transformation T
    m = B*m
    m = m + d

    #The following part prints the setup of the current HFE instance and can be turned off by commenting
    print("setup the HFE instance with n=%d and q=%d" % (n, q))
    print("////////////////////////////////////////////////////////////////")
    print("The affine transformation S is:")
    print(A)
    print("")
    print(c)
    print("\nThe affine transformation T is:")
    print(B)
    print("")
    print(d)
    #print("generator of quotient ring:")
    #print(g)

    #Forces x^q = x and prints the public key
    print("\nThe public key is:")
    pub = m.list()
    for i in range(n):
        pub[i] = H(pub[i])
        print("p" + str(i+1) + " = " + str(pub[i]) + ",")
    return m

#Wrapper for the function above.
#@brief Function encrypts the plaintext with an HFE instance over GF(q)
#@param plaintext - list of field elements. For instance [1,0,0,1] for n = 4
#@param q - cardinality of the base field to work in. q has to be a power of a prime
def HFEencrypt(plaintext, q):
    n = len(plaintext)
    m = HFEkeyGeneration(n, q)

    print("\nThe plaintext is:")
    print(plaintext)
    print("\nThe ciphertext is")
    #Evaluate every public polynomial at the plaintext
    return [p(plaintext) for p in m]

To generate an HFE instance, set the secret polynomial P and call the function HFEencrypt(plaintext, q). For instance, call

HFEencrypt([1, 0, 1, 0, 1, 0, 1, 0, 1, 0], 2).


B Grobner basis for q = 11

The following code is output from FGb computation of Grobner basis example for q = 11 without the use of the field equations.


Bibliography

[1] STINSON, Douglas Robert. Cryptography: theory and practice. 3rd ed. Boca Raton: CRC Press, 2006. CRC press series on discrete mathematics and its applications. ISBN 1-58488-508-4.

[2] COX, David A., John B. LITTLE and Donal O'SHEA. Ideals, varieties, and algorithms: an introduction to computational algebraic geometry and commutative algebra. 3rd ed. New York: Springer, 2007. ISBN 03-873-5651-7.

[3] BECKER, Thomas and Volker WEISPFENNING. Grobner Bases a Computational Approach to Commutative Algebra. New York: Springer New York, 1993. ISBN 978-146-1209-133.

[4] BUCHBERGER, Bruno. Bruno Buchberger's PhD thesis 1965: An algorithm for finding the basis elements of the residue class ring of a zero dimensional polynomial ideal. Journal of Symbolic Computation. 2006, 41(3-4), pp 475-511. DOI: 10.1016/j.jsc.2005.09.007. ISSN 07477171.

[5] KREUZER, Martin. Computational commutative algebra 1. Berlin: Springer, 2000. ISBN 978-3-540-70628-1.

[6] FAUGERE, J.C., P. GIANNI, D. LAZARD and T. MORA. Efficient Computation of Zero-dimensional Grobner Bases by Change of Ordering. Journal of Symbolic Computation. 1993, 16(4), pp 329-344. DOI: 10.1006/jsco.1993.1051. ISSN 07477171.

[7] COLLART, S., M. KALKBRENER and D. MALL. Converting Bases with the Grobner Walk. Journal of Symbolic Computation. 1997, 24(3-4), pp 465-469. DOI: 10.1006/jsco.1996.0145. ISSN 07477171.

[8] FAUGERE, Jean-Charles and Antoine JOUX. Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Grobner Bases. Advances in Cryptology - CRYPTO 2003. Springer Berlin Heidelberg, 2003, pp 44-60. DOI: 10.1007/978-3-540-45146-4_3.

[9] FAUGERE, Jean-Charles. A new efficient algorithm for computing Grobner bases (F4). Journal of Pure and Applied Algebra. 1999, 139(1-3), pp 61-88. DOI: 10.1016/S0022-4049(99)00005-5. ISSN 00224049.

[10] SEGERS, A.J.M. Algebraic Attacks from a Gröbner Basis Perspective. Eindhoven, 2004. Master thesis.

[11] NEUMANN, Severin. A modified parallel F4 algorithm for shared and distributed memory architectures. In: SCSS 2013. 5th International Symposium on Symbolic Computation in Software Science. EasyChair, 2013, pp 70-80.

[12] Allan Steel's Gröbner Basis Timings Page. Allan Steel's Homepage [online]. 2004 [cit. 2016-05-09]. Accessible from: http://magma.maths.usyd.edu.au/users/allan/gb/

[13] A Dense Variant of the F4 Groebner Basis Algorithm. Allan Steel's Homepage [online]. 2013 [cit. 2016-05-09]. Accessible from: http://magma.maths.usyd.edu.au/users/allan/densef4/

[14] FAUGERE, Jean Charles. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 international symposium on Symbolic and algebraic computation - ISSAC '02. New York, New York, USA: ACM Press, 2002, pp 75-83. DOI: 10.1145/780506.780516. ISBN 1581134843.

[15] WOLF, Christopher. "Hidden Field Equations" (HFE) - Variations and attacks. Ulm, 2002. Master thesis.

[16] MATSUMOTO, Tsutomu and Hideki IMAI. Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption. In: Advances in Cryptology - EUROCRYPT '88. Berlin, Heidelberg: Springer Berlin Heidelberg, 1988-12-1, pp 419-453. DOI: 10.1007/3-540-45961-8_39. ISBN 978-3-540-50251-7.

[17] PATARIN, Jacques. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'98. Designs, Codes and Cryptography. 2000, 20(2), pp 175-209. DOI: 10.1023/A:1008341625464. ISSN 09251022.


[18] PATARIN, Jacques. Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Eurocrypt '96. Springer, 1996, pp 33-48. DOI: 10.1007/3-540-68339-9_4.

[19] Minrank - HFE challenge. Minrank.org [online], [cit. 2016-05-09]. Accessible from: http://www.minrank.org/challenge1.txt

[20] GRANBOULAN, Louis, Antoine JOUX and Jacques STERN. Inverting HFE Is Quasipolynomial. In: Advances in Cryptology - CRYPTO 2006. Santa Barbara, California, USA: Springer, 2006, pp 345-356. DOI: 10.1007/11818175_20. ISBN 978-3-540-37432-9.

[21] FGb - Jean-Charles Faugere - Software. Web de Jean-Charles Faugere [online]. Paris, 2015 [cit. 2016-05-20]. Accessible from: http://www-polsys.lip6.fr/~jcf/FGb/index.html

[22] DING, Jintai, Dieter SCHMIDT and Fabian WERNER. Algebraic Attack on HFE Revisited. In: Information Security. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, pp 215-227. DOI: 10.1007/978-3-540-85886-7_15. ISBN 978-3-540-85884-3.

[23] DING, Jintai, Crystal CLOUGH and Roberto ARAUJO. Inverting square systems algebraically is exponential. Finite Fields and Their Applications. 2014, 26(1), pp 32-48. DOI: 10.1016/j.ffa.2013.10.004. ISSN 10715797.

[24] BILLET, Olivier and Gilles MACARIO-RAT. Cryptanalysis of the Square Cryptosystems. In: Advances in cryptology - ASIACRYPT 2009. Berlin: Springer, 2009, pp 451-468. DOI: 10.1007/978-3-642-10366-7_27. ISBN 978-3-642-10365-0.
