Algebraic Cryptanalysis of Hidden Field Equations Family
MASARYK UNIVERSITY
FACULTY OF INFORMATICS

Algebraic cryptanalysis of Hidden Field Equations family

BACHELOR'S THESIS

Adam Janovský

Brno, Spring 2016

Declaration

I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.

Adam Janovský

Advisor: prof. RNDr. Jan Slovák, DrSc.

Abstract

The goal of this thesis is to present a Gröbner basis as a tool for algebraic cryptanalysis. First, the thesis briefly introduces asymmetric cryptography. Next, a Gröbner basis is presented and it is explained how a Gröbner basis can be used for algorithmic equation solving. Further, a fast algorithm for Gröbner basis computation, the F4, is presented. The thesis then introduces the basic variant of the Hidden Field Equations cryptosystem and discusses its vulnerability to algebraic attacks from the Gröbner basis perspective. Finally, the thesis gives an overview of recent results in algebraic cryptanalysis of Hidden Field Equations and suggests parameters that could make the algebraic attacks intractable.

Keywords

Gröbner basis, cryptanalysis, Hidden Field Equations, F4

Contents

1 Introduction ..................................................... 1
1.1 Notation ....................................................... 2
2 Preliminaries .................................................... 3
2.1 Asymmetric cryptography ........................................ 3
2.1.1 Overview ..................................................... 3
2.1.2 RSA .......................................................... 5
2.2 Gröbner basis .................................................. 7
2.3 Equation solving .............................................. 14
3 F4 algorithm for computing a Gröbner basis ...................... 19
4 Hidden Field Equations .......................................... 27
4.1 Overview of HFE ............................................... 27
4.1.1 Parameters of HFE ........................................... 27
4.2 Encryption and Decryption ..................................... 29
4.2.1 Encryption .................................................. 29
4.2.2 Decryption .................................................. 31
4.3 Public key derivation ......................................... 32
5 Algebraic attacks on HFE ........................................ 35
5.1 Algebraic attack for q = 2 .................................... 35
5.2 Algebraic attack for odd q .................................... 37
6 Conclusions ..................................................... 41
Appendices ........................................................ 42
A SAGE code ....................................................... 43
B Gröbner basis for q = 11 ........................................ 47

1 Introduction

The thesis studies algebraic attacks against the basic variant of the Hidden Field Equations (HFE) cipher.
Results for various attack parameters are examined and precautions to achieve higher security of HFE against algebraic attacks are suggested. The HFE family is an alternative to the various ciphers based on integer factorization or the discrete logarithm problem. These are proven to be insecure against quantum algorithms, which does not hold for HFE. Therefore it is important to understand the vulnerability of HFE to algebraic attacks in order to decide about its overall security in case the number-theoretic ciphers become practically insecure. We restrict our attention to attacks from a Gröbner basis perspective and we develop the necessary theory throughout the text. Only a minimal amount of background is given in the area of cryptography. For an introduction to cryptography, see [1]. More theory is given on Gröbner bases. However, proofs are often omitted and only basic context is provided. A great introductory text on Gröbner bases is [2].

In the second chapter asymmetric cryptography is presented and its concepts are demonstrated on an example. Further we study a Gröbner basis, give Buchberger's algorithm for finding such a basis and show how it can be used to solve a system of polynomial equations algorithmically. In the third chapter we discuss possible improvements on Buchberger's algorithm and present Faugère's algorithm for fast Gröbner basis computation, the F4. In Chapter 4 we present the basic HFE variant and study its properties. We demonstrate how encryption and decryption are performed on an example and show how a public key is derived. Finally, Chapter 5 describes an algebraic attack against HFE. Different parameters of such attacks are discussed. The thesis suggests parameters that could make the algebraic attack against HFE intractable.

1.1 Notation

N, N0, Z        positive integers, non-negative integers, integers;
Z_n             integers modulo n;
φ(n)            Euler's phi function for n;
a ≡ b (mod n)   a is congruent to b modulo n, i.e. n | a − b;
[x1, ..., xn]   monomials over x1, ..., xn;
k[x1, ..., xn]  ring of polynomials over k in variables x1, ..., xn;
gcd(f, g)       greatest common divisor of f and g;
LCM(f, g)       least common multiple of f and g;
Mat_{m,s}(k)    set of matrices with m rows and s columns over k;
GF(q)           Galois field with q elements, where q is a power of a prime;
k[t]/(g(t))     vector space generated by the irreducible polynomial g;

2 Preliminaries

The purpose of this chapter is to provide the theory and notation necessary to discuss algorithmic solving of multivariate polynomial systems. Also, the chapter introduces asymmetric cryptography and shows how solving a system of equations may lead to breaking a cipher. First, asymmetric cryptography is introduced. Next, a Gröbner basis is presented. Finally, we describe how a Gröbner basis can be used for solving a system of multivariate polynomial equations. We make no claim of self-sufficiency of this chapter. In the relevant parts of the text we refer the reader to recommended literature.

2.1 Asymmetric cryptography

In this section some basics of asymmetric cryptography are introduced. Further, we illustrate the concepts of asymmetric cryptography on the oldest asymmetric cipher, RSA. For a great introduction to cryptography one can look into [1]. We note that asymmetric cryptography is commonly referred to as public-key cryptography, and both terms appear in the text.

2.1.1 Overview

In the following text, consider this setting: Alice and Bob are two friends somewhere on earth who want to communicate securely over an insecure channel. Evil Eve wants to eavesdrop on their communication. For secure communication, Alice uses her secret key to encrypt a message into a ciphertext and sends it to Bob. Then Bob uses his secret key to decrypt the ciphertext in order to recover the original message.

We begin with a formal definition of a cryptosystem.

Definition. A cryptosystem is a five-tuple (P, C, K, E, D) where the following conditions are satisfied:

1. P is a finite set of possible plaintexts;
2. C is a finite set of possible ciphertexts;
3. K, the keyspace, is a finite set of possible keys;
4. For each k ∈ K, there is an encryption rule e_k ∈ E and a corresponding decryption rule d_k ∈ D. Each e_k : P → C and d_k : C → P are functions such that d_k(e_k(x)) = x for every plaintext x ∈ P.

Modern cryptosystems can be divided into two main areas of study, symmetric cryptosystems and public-key cryptosystems. In symmetric cryptosystems Alice and Bob usually share the same key. Less commonly their keys differ, but are related in an easily computable way. Consequently, exposure of either of their keys to Eve renders the system insecure. The drawback of a symmetric-key cryptosystem is the need for prior communication between Alice and Bob over a secure channel in order to agree on a secret key. In practice, this may be very difficult to achieve as Alice and Bob can be anywhere around the globe.

The idea behind a public-key cryptosystem is that there might exist functions for which it is infeasible to obtain the decryption rule given the encryption rule. The encryption rule e_k can then be made public (hence public-key cryptography) and everyone can encrypt messages with the encryption rule e_k. In order to decrypt a ciphertext, Bob holds an additional piece of information about the function e_k, the trapdoor. To decrypt the ciphertext, one has to invert e_k, which is feasible only with knowledge of the trapdoor. Thus only Bob can decrypt the ciphertext. Such a function is called a one-way trapdoor function.

Definition. A function f : A → B is called a one-way trapdoor function if the following three conditions hold:

1. Easy to compute: it is computationally easy to find f(x) given an arbitrary x ∈ A;
2. Hard to invert: for almost all y ∈ B it is computationally infeasible to find x ∈ A such that f(x) = y;
3. Easy to invert with a trapdoor: with some additional piece of information, it is easy to obtain x ∈ A such that f(x) = y, given y ∈ B.

Our definition of a one-way trapdoor function is vague. Yet, for our purposes it is sufficient to understand the idea behind it without concerning ourselves with details, e.g. what computationally easy, computationally infeasible or almost all mean precisely. Intuitively, one can compute f(x) quickly on a computer, and inverting f without knowledge of the trapdoor is not within reach of available computational power.

Using a one-way trapdoor function, Bob can now communicate securely with Alice in the following way:

1. Bob chooses a one-way trapdoor bijection f and has knowledge of the corresponding trapdoor;
2. Bob makes f public and sends it to Alice through an (insecure) channel;
3. Alice encrypts an arbitrary message m with f and sends f(m) to Bob;
4. Since Bob knows the trapdoor for f, he can invert f and apply the inverse to the ciphertext f(m). By that he obtains the original message m.

If Eve eavesdrops on a public key f or a ciphertext f(m), she cannot recover the message m efficiently, since inverting f is computationally infeasible. However, she could try to encrypt all possible plaintexts p by herself and eventually find the one such that f(p) = f(m). Then p = m, since the function f is a bijection. The probability of this event should be negligible.

Unfortunately, it is not clear whether a one-way trapdoor function exists. A necessary condition for that to be true is that P ≠ NP. Nevertheless, there are functions believed to be one-way which are widely used in practice.

2.1.2 RSA

In the following text φ denotes Euler's phi function.
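The four-step exchange and the correctness condition d_k(e_k(x)) = x from the definition of a cryptosystem, worked through as an added example (this is illustrative code written for this page, not the thesis's own code or its SAGE appendix). Textbook RSA with the constructed toy primes 61 and 53 stands in for the one-way trapdoor bijection f on the plaintext space P = Z_n, the factorisation of n is the trapdoor, and Euler's φ is computed directly from its definition to match the notation above. All parameter values are assumptions chosen for illustration and carry no security.

```python
"""Toy public-key exchange following the four-step protocol above.

Added illustration, not the thesis's own code.  Textbook RSA with tiny,
constructed primes stands in for the one-way trapdoor bijection f; the
trapdoor is the factorisation of n.  Nothing here is secure.
"""
from math import gcd


def euler_phi(n: int) -> int:
    """Euler's phi function phi(n), computed naively from the definition."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def keygen(p: int, q: int, e: int = 17):
    """Step 1: Bob picks f (the public pair (n, e)) and keeps the trapdoor d."""
    n = p * q
    phi = (p - 1) * (q - 1)          # equals euler_phi(n) for distinct primes p, q
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), d


def encrypt(public_key, m: int) -> int:
    """f(m) = m^e mod n: easy to compute for anyone holding the public key."""
    n, e = public_key
    assert 0 <= m < n, "plaintext must lie in the plaintext space Z_n"
    return pow(m, e, n)


def decrypt(public_key, d: int, c: int) -> int:
    """f^{-1}(c) = c^d mod n: easy only with the trapdoor d."""
    n, _ = public_key
    return pow(c, d, n)


def is_cryptosystem(public_key, d: int) -> bool:
    """Condition 4 of the definition: d_k(e_k(x)) = x for every x in P = Z_n."""
    n, _ = public_key
    return all(decrypt(public_key, d, encrypt(public_key, x)) == x for x in range(n))


def exchange(p: int, q: int, m: int) -> int:
    """Steps 1-4: Bob publishes f, Alice sends f(m), Bob inverts with the trapdoor."""
    public_key, trapdoor = keygen(p, q)          # step 1: Bob
    c = encrypt(public_key, m)                   # step 3: Alice, knowing only public_key
    return decrypt(public_key, trapdoor, c)      # step 4: Bob


def trials_to_guess_by_encryption(public_key, c: int) -> int:
    """Eve's strategy from the text: encrypt every plaintext until f(p) = c.

    Returns how many encryptions she needed.  With |P| = n this small the
    strategy succeeds quickly, which is why the text requires its success
    probability to be negligible: real systems use a huge plaintext space
    and randomised padding so that f cannot be inverted by enumeration.
    """
    n, _ = public_key
    for trials, p in enumerate(range(n), start=1):
        if encrypt(public_key, p) == c:
            return trials
    raise ValueError("c is not in the image of f")  # cannot happen for a bijection


if __name__ == "__main__":
    PUB, D = keygen(61, 53)                 # constructed toy parameters, n = 3233
    assert euler_phi(PUB[0]) == 60 * 52     # phi(3233) = 3120
    assert is_cryptosystem(PUB, D)          # f is a bijection with inverse d
    print("recovered plaintext:", exchange(61, 53, 65))
```

`is_cryptosystem` checks the defining property exhaustively, which is only possible because the toy plaintext space has 3233 elements; the same smallness is what makes `trials_to_guess_by_encryption` finish in a few dozen encryptions for a small message, the enumeration the text says must have negligible success probability in a real system.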