J. Math. Cryptol. 4 (2010), 349–364 DOI 10.1515/JMC.2011.002 © de Gruyter 2011
Poly-Dragon: an efficient multivariate public key cryptosystem
Rajesh P. Singh, A. Saikia and B. K. Sarma Communicated by Neal Koblitz
Abstract. In this paper, we propose an efficient multivariate public key cryptosystem. Public key of our cryptosystem contains polynomials of total degree three in plaintext and ciphertext variables, two in plaintext variables and one in ciphertext variables. However, it is possible to reduce the public key size by writing it as two sets of quadratic multivariate polynomials. The complexity of encryption in our public key cryptosystem is O.n3/, where n is bit size, which is equivalent to other multivariate public key cryptosystems. For decryption we need only four exponentiations in the binary field. Our Public key algorithm is bijective and can be used for encryption as well as for signatures.
Keywords. Permutation polynomial, multivariate cryptography, Little Dragon and Big Dragon cryptosystems.
2010 Mathematics Subject Classification. 11T71, 11T06, 94A60.
1 Introduction
Public key cryptography has several practical applications, for example in elec- tronic commerce systems for authentication (electronic signatures) and for secure communication. The most widely used cryptosystems RSA and ECC (elliptic curve cryptosystems) are based on the problems of integer factorization and dis- crete logarithm respectively. Integer factorization and discrete logarithm problems are only believed to be hard but no proof is known for their NP-completeness or NP-hardness. Improvements in factorization algorithms and computation power demands larger bit size in RSA key which makes RSA less efficient for practical applications. Although RSA and ECC have some drawbacks, they are still not broken. But in 1999 [18] Peter Shor discovered the polynomial time algorithm for integer factorization and computation of discrete logarithm on quantum com- puters. Thus, once we have quantum computers in the range of 1,000 bits, the cryptosystems based on these problems can no longer be considered secure. So there is a strong motivation to develop public key cryptosystems based on prob- 350 R. P. Singh, A. Saikia and B. K. Sarma lems which are secure on both conventional and quantum computers. Multivariate cryptography is based on the problem of solving system of nonlinear equations over finite fields which is proven to be NP-complete. Quantum computers do not seem to have any advantage on solving NP-complete problems, so multivariate cryptography can be a viable option applicable to both conventional and quan- tum computers. MIC*, the first practical public key cryptosystem based on this problem was proposed in 1988 [13] by T. Matsumoto and H. Imai. The MIC* l cryptosystem was based on the idea of hiding a monomial x2 C1 by two invert- ible affine transformations. This cryptosystem was more efficient than RSA and ECC. Unfortunately, this cryptosystem was broken by Patarin in 1995 [14]. In 1996 [15] Patarin gave a generalization of MIC* cryptosystem called HFE. How- ever in HFE the secret key computation was not as efficient as in the original MIC* cryptosystem. The basic instance of HFE was broken in 1999 [10]. The at- tack uses a simple fact that every homogeneous quadratic multivariate polynomial has a matrix representation. Using this representation a highly over defined system of equations can be obtained which can be solved by a new technique called re- linearization. Patarin [16] investigated whether it is possible to repair MIC* with the same kind of easy secret key computations. He designed some cryptosystems known as Dragons (Little Dragon and Big Dragon) with multivariate polynomials of total degree 3 or 4 in public key (instead of 2) with enhanced security and with efficiency comparable to MIC*. In Dragon cryptosystems the public key was of mixed type of total degree 3 which is quadratic in plaintext variables and linear in ciphertext variables. However, Patarin [16] found that Dragon scheme with one hidden monomial is insecure. Some more multivariate public key cryptosystems can be found in [19] and [4]. For a brief introduction of multivariate cryptography we refer interested readers to [20]. An interesting introduction of hidden mono- mial cryptosystems can be found in [11]. Designing secure and efficient multivariate public key cryptosystems contin- ues to be a challenging area of research in recent years. In this paper, we present Poly-Dragon, an efficient multivariate public key Cryptosystem. Like Big Dragon cryptosystem the public key in our cryptosystem is of mixed type of total degree three, two in plaintext variables and one in ciphertext variables. However, it is possible to reduce the public key size by writing it as two sets of quadratic mul- tivariate polynomials (see [16]). The efficiency of our public key cryptosystem is equivalent to that of Big Dragon cryptosystem. The complexity of encryption or signature verification is equivalent to other multivariate public key cryptosystems, that is, O.n3/ where n is the bit size. In decryption or in signature generation we need four exponentiations in the finite field F2n and this results in much faster decryption and signature generation. The organization of the paper is as follows. In Section 2 we give some preliminaries and in Section 3 we generate some per- Poly-Dragon: an efficient multivariate public key cryptosystem. 351 mutation polynomials. In Section 4 we present our cryptosystem. In Section 5 we give the security analysis and in Section 6 we discuss the efficiency of the cryptosystem. Finally we make some concluding remarks in Section 7.
2 Preliminaries
n Let p beaprime,n be a positive integer, and Fq be the finite field of q D p elements. A polynomial f.x/in FqŒx� is said to be a permutation polynomial,ifit is a bijection of Fq onto Fq. For a polynomial f 2 FqŒx� the following conditions are equivalent:
(i) f is a permutation polynomial of Fq.
(ii) the function f W Fq 7! Fq is onto.
(iii) the function f W Fq 7! Fq is one-to-one.
(iv) f.x/D a has a solution in Fq for each a 2 Fq.
(v) f.x/D a has a unique solution in Fq for each a 2 Fq.
Lemma 2.1 ([12]). (1) Every linear polynomial ax C b; a ¤ 0 over Fq is a permutation polynomial of Fq. k (2) The monomial x is a permutation polynomial of Fq if and only if gcd.k; q � 1/ D 1.
A polynomial L.x/ 2 Fqm Œx� is called a linearized polynomial over Fq if mX�1 qi L.x/ D ˛i x : (2.1) iD0 A linearized polynomial L.x/ satisfies the following: L.ˇ C �/ D L.ˇ/ C L.�/ and L.aˇ/ D aL.ˇ/ for all ˇ; � 2 Fqm and a 2 Fq. Thus, L.x/ is a linear operator of the vector space Fqm over Fq. Consequently, L.x/ is a permutation polynomial of Fqm if and only if the only root of L.x/ in Fqm is 0. Let B D¹#1;#2;:::;#nº be aP basis of F2n over F2. Any element x 2 F2n n can be uniquely expressed as x D iD0 xi #i . Thus, F2n can be identified with n F2 and the element x 2 F2n with the n-tuple .x1;x2;:::;xn/.Theweight of x D .x1;x2;:::;xn/, denoted by !.x/, is defined to be the number of 1’s in x. Corresponding to an element ˛ D .˛0;˛1;:::;˛n�1/ of the finite field F2n ,we define a linearized polynomial L˛.x/ on F2n as nX�1 2i L˛.x/ D ˛i x : (2.2) iD0 352 R. P. Singh, A. Saikia and B. K. Sarma
We use Tr.x/to denote the trace function from the field F2n to F2, i.e.,
2 n�1 Tr.x/D x C x2 C x2 C���Cx2 :
3 Some permutation polynomials
In this section, we generate some families of permutation polynomials over F2n which will be used for the proposed cryptosystem.
Proposition 3.1. Let n be an odd positive integer, and ˇ D .ˇ1;ˇ2;:::;ˇn/ be an element of F2n such that !.ˇ/ is even and that 0 and 1 are the only roots of Lˇ .x/ k in F2n . Suppose k1 and k2 are two nonnegative integers such that gcd.2 1 C 2k2 ;2n � 1/ D 1.Let` be any positive integer with .2k1 C 2k2 / � ` D 1 mod 2n � 1 and � be an element of F2n with Tr.�/D 1.Then
` f.x/D .Lˇ .x/ C �/ C Tr.x/ is a permutation polynomial of F2n .
Proof. Suppose x and y are distinct elements in F2n such that f.x/ D f.y/.We claim that Tr.x/ ¤ Tr.y/. Otherwise, f.x/ D f.y/ implies that .Lˇ .x/ C ` ` �/ D .Lˇ .x/ C �/ . Thus, we have .Lˇ .x/ C �/ D .Lˇ .x/ C �/,thatis, Lˇ .x C y/ D 0. Since x ¤ y and Lˇ .x/ has only 0 and 1 as roots, we have x C y D 1. Then, Tr.x/C Tr.y/ D Tr.x C y/ D 1, since n is odd. This contradiction shows Tr.x/ ¤ Tr.y/. Without loss of generality we may assume that Tr.x/D 0 and Tr.y/D 1.Now,f.x/D f.y/implies that
` ` .Lˇ .x/ C �/ D .Lˇ .y/ C �/ C 1 and therefore
` 2k1 C2k2 Lˇ .x/ C � D Œ.Lˇ .y/ C �/ C 1�
`.2k1 C2k2 / `:2k1 `�2k2 D .Lˇ .y/ C �/ .Lˇ .y/ C �/ C.Lˇ .y/ C �/ C1
`:2k1 `�2k2 D Lˇ .y/ C � C .Lˇ .y/ C �/ C .Lˇ .y/ C �/ C 1;
k1 k2 n since .2 C 2 / � ` � 1 mod 2 � 1. Note that Tr.Lˇ .x// D 0. Now applying the trace function to both sides of the above equation, we get
Tr.�/D Tr.�/C T r.1/; which implies that Tr.1/D 0, a contradiction since n is odd. Poly-Dragon: an efficient multivariate public key cryptosystem. 353
2 The polynomial x C x has only 0 and 1 as roots in F2n . It is easy to see that 2k 0 and 1 are the only roots of x C x in F2n if and only if k and n are relatively prime. In the next lemma, we construct another linearized polynomial having only 0 and 1 as roots in F2n .
Lemma 3.2. Let k beP an even integer, with gcd.k; n/ D 1. Then, 0 and 1 are the k�1 2i only roots of h.x/ D iD0 x in F2n .
2 Proof. Consider h1.x/ D h.x/ C h.x/ D h.x/.h.x/ C 1/. Clearly, each root of 2k h.x/ is a root of h1.x/. Moreover, h1.x/ D x C x and has 0 and 1 as its only roots.
k2r r k2r r Lemma 3.3. The polynomial f.x/D x2 C2 C x2 C x2 ,wherer and k are k2r r positive integers, is a permutation polynomial of F2n if and only if 2 C 2 and 2n � 1 are co-prime.
r Proof. First, note that there exist integers r and k such that 22 k C2r and 2n�1 are co-prime. It is known that composition of two polynomials is a permutation poly- nomial if and only if both the polynomials are permutation polynomials (see chap- k2r r ter 7 of [12]). It is easy to check that f.xC 1/ D x2 C2 C 1. By Lemma 2.1, r f.xC 1/ is a permutation polynomial if and only if 22 k C 2r and 2n � 1 are co- prime. Since x C1 is always a permutation of F2n , therefore f.x/is a permutation k2r r n polynomial of F2n if and only if 2 C 2 and 2 � 1 are co-prime.
As a consequence of above lemma we prove the following proposition, which will be used in the public key cryptosystem.
k2r r Proposition 3.4. The polynomial g.x/ D .x2 C x2 C ˛/l C x is permutation k2r r n polynomial of F2n if Tr.˛/D 1 and .2 C 2 / � l D 1 mod 2 � 1.
k2r r k2r r Proof. Since Tr.x2 C x2 C ˛/ D Tr.˛/D 1, x2 C x2 C ˛ ¤ 0 for all x 2 F2n .Letˇ be an element of F2n .Theng.x/ D ˇ implies
k2r r .x2 C x2 C ˛/l D x C ˇ:
r Raising both sides to the power 2k2 C 2r ,weget
k2r r k2r r .x2 C x2 C ˛/ D .x C ˇ/2 C2 ;
k2r r k2r r i.e.;.x2 C x2 C ˛/ C .x C ˇ/2 C2 D 0: 354 R. P. Singh, A. Saikia and B. K. Sarma
k2r r k2r r Suppose h.x/ D .x2 C x2 C ˛/ C .x C ˇ/2 C2 . It is enough to show that for any ˇ 2 F2n the equation h.x/ D 0 has a unique solution. Note that h.x/ D 0 and h.x C ˇ/ D 0 have the same number of solutions. Now h.x C ˇ/ D 0 is equivalent to
k2r r k2r r k2r r x2 C2 C x2 C x2 C ˇ2 C ˇ2 C ˛ D 0:
r r 2k2 C2r 2k2 2r By Lemma 3.3, x C x C x is a permutation polynomial of F2n . Hence the equation h.x C ˇ/ D 0 has a unique solution for any ˇ 2 F2n .
4 The cryptosystem Poly-Dragon
4.1 Public key generation For the public key cryptosystem we will use permutation polynomials g.x/ D r 2k2 2r l ` .x C x C ˛/ C x and f.x/D .Lˇ .x/ C �/ C Tr.x/obtained in Propo- sition 3.1 and Proposition 3.4. For quadratic public key size, we cannot take k2r r all the permutation polynomials of the form .x2 C x2 C ˛/l C x.Butthe permutation polynomials in which l is of the form 2t C 1 or 2t � 1 can be used to design the multivariate public key cryptosystem with quadratic public key size. For l is of the form 2t C 1 it is not clear whether g.x/ is a permu- tation polynomial or not. But for r D 0, n D 2m � 1, k D m, k2 D m, m m k1 D 0, l D 2 � 1 and ` D 2 � 1, g.x/ and f.x/ are permutation poly- r nomials because in this case 22 k C 2r D 2m C 1, 2k1 C 2k2 D 2m C 1 and .2m � 1/ � .2m C 1/ D 1 mod 2n � 1. So for public key generation we will 2m 2m�1 2m�1 take g.x/ D .x C x C ˛/ C x and f.x/ D .Lˇ .x/ C �/ C Tr.x/, where ˛; ˇ; � are secret. Suppose s and t are two invertible affine transforma- tions. The relation between plaintext and ciphertext is g.s.x// D f.t.y//,where variable x denotes the plaintext and y the ciphertext. Suppose s.x/ D u and t.y/ D v. Thus we have the following relation between plaintext and ciphertext: 2m 2m�1 2m�1 2m .u C u C ˛/ C u D .Lˇ .v/ C �/ C Tr.v/. Since u C u C ˛ and Lˇ .v/ C � are nonzero in the field F2n , this relation gives
2m 2m 2m .u C u C ˛/ .Lˇ .v/ C �/C u.u C u C ˛/.Lˇ .v/ C �/ 2m 2m 2m C .u C u C ˛/.Lˇ .v/ C �/ C T r.v/.u C u C ˛/.Lˇ .v/ C �/ D 0:
Suppose Tr.v/ D �y 2¹0; 1º. Using a fixed basis B D¹#1;#2;:::;#nº of n F2n over F2, we identify the field F2n by F2 , the set of all n-tuples over F2. Substituting u D s.x/ and v D t.y/,wherex D .x1;x2;:::;xn/ and y D Poly-Dragon: an efficient multivariate public key cryptosystem. 355
.y1;y2;:::;yn/,wegetn nonlinear polynomial equations of the form X X X alijkxi xj yk C blijxi xj C .clij C �y/xi yj X X C .dlk C �y/yk C .elk C �y/xk C fl D 0; (4.1) where 1 � l � n and alij;blij;clk;dlk;elk 2 F2. These equations are of degree three and therefore each of them contains O.n3/ terms. Since we have n equa- tions, total size will be of O.n4/, which is large. It is possible to reduce the size of polynomial equations (4.1) to O.n3/ by writing it as two sets of public polynomi- als containing only quadratic terms without changingP the security since this can be 2 done in polynomial time (see [16]). Suppose glk D alijkxi xj .Fromthesen quadratic polynomials glk, suppose g1;g2;:::;g� are independent. Then � � n. Thus, the public key will be two sets of quadratic polynomial equations of the form: X X 0 alkgkyk C .blij C �y/xi yj X X C .dlk C �y/yk C .elk C �y/xk C fl D 0; P where gk D hij k xi xj ;.1� k � �/.
4.2 Secret key The invertible affine transformations .s; t/ and the field elements ˛; ˇ; � are secret keys.
4.3 Encryption
If Bob wants to send a plaintext message x D .x1;x2;:::;xn/ to Alice, he does the following:
(i) Bob substitutes the plaintext .x1;x2;:::;xn/ and �y D 0 in the public key and gets n linear equations in ciphertext variables y1;y2;:::;yn. Bob solves 0 the system of linear equations by Gaussian elimination and gets y D .y1;y2; :::;yn/.
(ii) In the second step of encryption, Bob substitutes the plaintext .x1;x2; :::;xn/ and �y D 1 in the public key and gets n linear equations in ciphertext 00 variables y1;y2;:::;yn and again solves to get y D .y1;y2;:::;yn/. (iii) The ordered pair .y0;y00/ is the required ciphertext. 356 R. P. Singh, A. Saikia and B. K. Sarma
4.4 Decryption
The decryption algorithm is as follows.
Input: Ciphertext .y0;y00/ and secret parameters .s;t;˛;ˇ;�/. Output: Message .x1;x2;:::;xn/. 0 00 1: v1 t.y / and v2 t.y /. 2: z1 Lˇ .v1/ C � and z2 Lˇ .v2/ C �. 0 2m�1 0 2m�1 3: z3 .z1/ and z4 .z2/ . 0 0 4: z3 z3 C Tr.v1/ and z4 z4 C Tr.v2/. 2m 2m 5: z5 z3 C z3 C ˛ C 1 and z6 z4 C z4 C ˛ C 1. 2m�1 2m�1 6: z7 z5 and z8 z6 . �1 �1 �1 7: X1 s .z3 C 1/, X2 s .z4 C 1/, X3 s .z3 C z7 C 1/ and �1 X4 s .z4 C z8 C 1/. 8: Return .X1;X2;X3;X4/.
Between X1;X2;X3;X4 one Xi will be the correct message. There are only four choices for the message, and it will be easy to identify the correct one.
Theorem 4.1. Given a ciphertext, the decryption algorithm outputs a valid plain- text.
Proof. We prove that the procedure described above outputs a valid plaintext. The 2m 2m�1 relation between plaintext and ciphertext is .u C u C ˛/ C u D .Lˇ .v/ C m m m �/2 �1 C Tr.v/, or equivalently, u2 C u C ˛ D .u C z/2 C1,wherez D 2m�1 2mC1 .Lˇ .v/C�/ CTr.v/which can be converted to the form .uCz C1/ C m z C z2 C ˛ C 1 D 0. There are only two possibilities either u D z C 1 or u ¤ z C 1.Ifu D z C 1,thenx D s�1.z C 1/.Ifu ¤ z C 1, then raising both m m sides power 2m � 1 in the relation .u C z C 1/2 C1 D z C z2 C ˛ C 1,weget m m m m .u C z C 1/ D .z C z2 C ˛ C 1/2 �1 or u D z C 1 C .z C z2 C ˛ C 1/2 �1 m m which implies x D s�1.z C 1 C .z C z2 C ˛ C 1/2 �1/.
Example 4.2. Here is a toy example for our cryptosystem. We consider, for sim- plicity, the finite field F23 , that is, the case m D 2 and n D 3. The polynomial 3 x C x C 1 is irreducible over F2. Suppose # is the root of this polynomial in the 3 2 extension field of F2, i.e., # C# C1 D 0. Using the basis ¹1; #; # º the finite field 2 2 2 2 F23 can be expressed as F23 D¹0; 1; #; # ;1C #; 1 C # ;#C # ;1C # C # º. We take ˛ D � D 1 C # C #2,asTr.1C # C #2/ ¤ 0,andˇ D 1 C #. 2 Corresponding to ˇ D 1 C #, Lˇ D x C x . We take invertible transformations Poly-Dragon: an efficient multivariate public key cryptosystem. 357
s.x/ D A1x C c1 and t.x/ D A2x C c2,where 0 1 0 1 110 111 B C B C A1 D @ 011A;A2 D @ 011A; 001 001 T T c1 D .1;0;1/ and c2 D .0;1;0/ :
2 Suppose x 2 F23 ,thenx can be expressed as x D x1 C x2# C x3# ,wherexi 2 T T F2. Taking x D .x1;x2;x3/ ,wehaveA1xCc1 D .x1Cx2C1; x2Cx3;x3C1/ T and A2x C c2 D .x1 C x2 C x3;x2 C x3 C 1; x3/ . For the plaintext variable x D .x1;x2;x3/ the corresponding ciphertext variable is y D .y1;y2;y3/.We 2 have u D .x1 C x2 C 1/ C .x2 C x3/# C .x3 C 1/# and v D .y1 C y2 C y3/ C 2 .y2 C y3 C 1/# C y3# . The relation between plaintext and ciphertext is
2m 2m 2m .u C u C ˛/ .Lˇ .v/ C �/C u.u C u C ˛/.Lˇ .v/ C �/ 2m 2m 2m C .u C u C ˛/.Lˇ .v/ C �/ C T r.v/.u C u C ˛/.Lˇ .v/ C �/ D 0:
2 2 Substituting u and v and ˛ D � D 1C# C# ,andLˇ .x/ D x Cx and Tr.v/D �y we have the following relation between the plaintext and the ciphertext: ® 1 C � C .1 C � /x y C .1 C � /x y C � x y C x C y C x x y y 3 3 ¯ y 3® 2 y 2 2 1 2 2 3 C x1x2y2 C x1x3y2 C x1x3y3 C # x2 C .�y C 1/y2 C y3 C �yx3 C �yx3y2
C .�y C 1/x3y3 C �yx2y3 C x1x3 C x1y2 C x1x3y3 C x1x2y2 C x2y2 ¯ ® 2 C x2x3y3 C # 1 C x3 C .�y C 1/y3 C �yx2 C �yy2 C .�y C 1/x2y2 C � x y C .� C 1/x y C x y C x x C x y C x y C x x y y 2 3 y 3 2 3¯ 3 1 2 1 2 1 3 1 2 2 C x1x2y3 C x1x3y2 C x2x3y2 D 0; or, equivalently,
1 C �y C .1 C �y/x3y3 C .1 C �y/x3y2 C �yx2y2
C x1 C y2 C x2x3 C x1x2y2 C x1x3y2 C x1x3y3 D 0;
x2 C .�y C 1/y2 C y3 C �yx3 C �yx3y2 C .�y C 1/x3y3 C �yx2y3
C x1x3 C x1y2 C x1x3y3 C x1x2y2 C x2y2 C x2x3y3 D 0;
1 C x3 C .�y C 1/y3 C �yx2 C �yy2 C .�y C 1/x2y2
C �yx2y3 C .�y C 1/x3y2 C x3y3 C x1x2 C x1y2 C x1y3
C x1x2y2 C x1x2y3 C x1x3y2 C x2x3y2 D 0: 358 R. P. Singh, A. Saikia and B. K. Sarma
Above equations represent the required public key. Note that the above equations are nonlinear in plaintext variables .x1;x2;x3/ and linear in ciphertext variables .y1;y2;y3/.
5 Security of the proposed cryptosystem
In this section, we discuss the security of the proposed cryptosystem. In general, it is difficult to prove the security of a public key cryptosystem. For example, if the public modulus of RSA is decomposed into its prime factors then the RSA is broken. However, it is not proved that breaking RSA is equivalent to factoring its modulus. In this section we will give some security arguments and evidence that m m our cryptosystem is secure. We are using the polynomials .x2 Cx C˛/2 �1 Cx, 2m�1 and .Lˇ .x/ C �/ C Tr.x/where ˛, ˇ and � areP secret. Thus, if we write 2m 2m�1 d i the polynomial .x C x C ˛/ C x in the form iD0 pi x then some of coefficients will be 0 or 1 and the rest will be certain functions of ˛. Since ˛ is secret, most of the coefficients of this polynomial are also secret.P Similarly, if we 2m�1 d 0 i write the polynomial .Lˇ .x/ C �/ C Tr.x/ in the form iD0 pi x ; then all the coefficients of this polynomial are secret because ˇ and � both are secret. One important point is that the degrees of these polynomials are not constant but are functions of n,asm D .n C 1/=2. The Coppersmith–Patarin attack on Little Dragon cryptosystem [11] is due to the use of the monomial xn to design the Little Dragon cryptosystem, so this attack is not applicable to our cryptosystem. Here we discuss some known attacks developed for multivariate cryptosystems and argue that those attacks are not applicable to our cryptosystem. The attacks discussed in this section are Linearization equation, Gröbner basis, univariate polynomial rep- resentation, Differential cryptanalysis, Relinearization, XL and FXL algorithms attacks.
5.1 Linearization equation attacks
Let F D¹f0;f1;:::;fn�1º be any set of n polynomials in FqŒx0;x1;:::;xn�1�. A linearization equation for F is a polynomial in FqŒx0;x1;:::;xn�1;y0;y1;:::; yn�1� of the form nX�1 nX�1 nX�1 nX�1 aij l xi yj C bilxi C cjlyj C dl ; (5.1) iD0 j D0 iD0 j D0 where l D 0;1;:::;n� 1 and yi D fi . This attack was first successfully applied by Patarin in [14] to break the Mat- sumoto and Imai cryptosystem C � [13]. Patarin’s idea was to notice that if a Poly-Dragon: an efficient multivariate public key cryptosystem. 359
i function is defined as F W x ! xq C1, then a relation between plaintext vari- ables xi and ciphertext variables yj of the form shown in equations (5.1) can be obtained, where aij ;bi ;cj and dl are unknown coefficients. By taking at least .m C 1/2 different plaintext and ciphertext pairs a linear system of equations i can be obtained and solved. We are not using the monomial xq C1. Moreover, in our cryptosystem the plaintext and ciphertext are connected by the relation 2m 2m�1 2m�1 .u C u C ˛/ C u D .Lˇ .v/ C �/ C Tr.v/where ˛; ˇ; � are secret. So, in our case it is not possible to obtain a relation of the form (5.1). However, one can try to find a relation which is linear in xi and nonlinear in yj . We will prove that this line of attack is not possible as the degree of the inverse func- 2m�1 tion is very high. Suppose .Lˇ .v/ C �/ C Tr.v/ D z, then our relation m m between plaintext and ciphertext is .u2 C u C ˛/2 �1 C u D z or equiva- m m lently we have .u2 C u C ˛/ D .z C u/2 C1 which is further equivalent to m m .z C u C 1/2 C1 D z2 C z C ˛ C 1.Ifz C u C 1 ¤ 0 then raising both m m sides to the power 2m � 1 we get .z C u C 1/ D .z2 C z C ˛ C 1/2 �1.If m z2 C z C ˛ C 1 ¤ 0, then we have the following relation between plaintext and m m m ciphertext .z C u C 1/.z2 C z C ˛ C 1/ C .z2 C z C ˛ C 1/2 D 0.This relation gives equations which are linear in plaintext variables xi and nonlinear 2m�1 in ciphertext variables yi . Note that z D .Lˇ .v/ C �/ C Tr.v/ will give nonlinear equations of degree w.2m � 1/,wherew.2m � 1/ denotes the weight of m m m 2m � 1 so the relation .z C u C 1/.z2 C z C ˛ C 1/ C .z2 C z C ˛ C 1/2 D 0 m gives equations of nonlinear degree 2w.2 � 1/ in ciphertext variables yi . Thus, this line of attack is completely infeasible.
5.2 Attacks with differential cryptanalysis Differential cryptanalysis has been successfully used earlier to attack symmetric cryptosystems. In recent years differential cryptanalysis has emerged as a pow- erful tool to attack the multivariate public key cryptosystems too. In 2005 [9] Fouque, Granboulan and Stern used differential cryptanalysis to attack the mul- tivariate cryptosystems. The key point of this attack is that in case of quadratic polynomials the differential of public key is a linear map and its kernel or its rank can be analyzed to get some information on the secret key. For any multivariate n m quadratic function G W Fq ! Fq the differential operator between any two points n x;k 2 Fq can be expressed as LG;k D G.xCk/�G.x/�G.k/CG.0/ and in fact that operator is a bilinear function. By knowing the public key of a given multi- variate quadratic scheme and by knowing the information about the nonlinear part i xq C1, they showed that for certain parameters it is possible to recover the kernel of LG;k. This attack was successfully applied on MIC* cryptosystem and after- wards using the same technique Dubois, Fouque, Shamir and Sterm in 2007 [5] 360 R. P. Singh, A. Saikia and B. K. Sarma have completely broken all versions of the SFLASH signature scheme proposed by Patarin, Courtois, and Goubin [17]. In our cryptosystem instead of using mono- i m m mial of the form xq C1, we are using the polynomials .x2 Cx C˛/2 �1 Cx and 2m�1 .Lˇ .v/ C �/ C Tr.v/,where˛, ˇ, � are secret. Clearly the degree of these polynomial are not quadratic. Moreover, the public key in our cryptosystem is of mixed type. Substituting the ciphertext gives quadratic equations in plaintext vari- ables but in that case, they will be different for different ciphertexts. So, attacking our cryptosystem by the methods of [9] and [5] is not feasible.
5.3 Gröbner basis attacks After substituting the ciphertext in public key one can get n quadratic equations in n variables and then Gröbner basis techniques can be applied to solve the sys- tem. The classical algorithm for solving a system of multivariate equations is Buchberger’s algorithm [1]. Although it can solve all the multivariate quadratic equations in theory, its complexity is exponential in the number of variables. We remark that there is no closed-form formula for its complexity. In the worst case the Buchberger’s algorithm is known to run in double exponential time and on av- erage its running time seems to be single exponential (see [2]). There are some effi- cient variants F4 and F5 of Buchberger’s algorithm given by Jean-Charles Faugere (see [6] and [7]). The complexity of computing a Gröbner basis by Buchberger’s algorithm for the public key polynomials of the basic HFE scheme is too high to be feasible. However, it is completely feasible using the algorithm F5.Thecom- plexities of solving the public polynomials of several instances of the HFE using the algorithm F5 are provided in [8]. Moreover, it has been expressed in [8] “a crucial point in the cryptanalysis of HFE is the ability to distinguish a randomly algebraic system from an algebraic system coming from HFE”. Our public key is of mixed type, this mean for different ciphertexts we will get different system of quadratic polynomial equations, so in our public key the quadratic polynomials look random. We are using a polynomial which has degree proportional to n.It is explained in [8] that in this case there does not seem to exist polynomial time algorithm to compute the Gröbner basis. Hence, Gröbner basis attacks on our cryptosystem do not seem feasible.
5.4 Relinearization, XL and FXL algorithms Relinearization, XL or FXL algorithms [10], [2] are the techniques to solve an overdefined system of equations i.e., "n2 equations in n variables, where ">0. To attack the HFE cryptosystem, first the equivalent quadratic polynomial repre- sentation of HFE public key was obtained and then using the matrix representation Poly-Dragon: an efficient multivariate public key cryptosystem. 361 of quadratic polynomials, O.n2/ polynomial equations in O.n/ variables were ob- tained [10]. The Relinearization and XL or FXL techniques are used to solve this system of equations. Note that our polynomials are not quadratic. Moreover, the degrees of our polynomials are not constant, but are functions of n. So, the attack as given in [10] is not feasible to our cryptosystem. Adversary can not use directly Relinearization, XL or FXL algorithms to attack our cryptosystem, because when the number of equations is equal to the number of variables, the complexities of these algorithms is 2n.
6 Efficiency of the proposed cryptosystem
In this section we discuss complexities of the encryption and decryption of our cryptosystem.
6.1 Encryption 2 There are O.n / terms of the form xi xj in each n equations of the public key. 3 So the complexity of evaluating public key at message block x1;:::;xn is O.n /. The next step of encryption is to solve the n linear equations in n ciphertext vari- ables y0;y1;:::;yn. This can be done efficiently by Gaussian elimination with complexity O.n3/. Hence the complexity of encryption is O.n3/.
6.2 Decryption For decryption in the proposed cryptosystem we need four exponentiations namely 0 2m�1 0 2m�1 2m�1 2m�1 z3 .z1/ , z4 .z2/ , z7 z5 and z8 z6 .Sothecom- plexity of decryption is equivalent to Dragon cryptosystems [11], [16]. Note that for exponentiation in finite fields F2n , there are several efficient algorithms, so the exponentiation can be performed very efficiently. The exact complexity of expo- nentiation will depend on the algorithm used for exponentiation.
7 Conclusion
We have designed an efficient multivariate public key cryptosystem. Like in Big Dragon Cryptosystem, the public key is mixed type of total degree three, two in plaintext variables and one in ciphertext variables. The public key size can be reduced by writing it as two sets of quadratic equations. The efficiency of encryp- tion is equivalent to those of other multivariate public key cryptosystems, that is, O.n3/,wheren is the bit size. For decryption we need four exponentiations in the binary field, and therefore decryption process is fast. Our algorithm is bijective 362 R. P. Singh, A. Saikia and B. K. Sarma and can be used for both encryption and signature generation. It is not clear at this stage how to design a secure cryptosystem like Little Dragon cryptosystem having public key mixed type but quadratic. Further investigations to develop an Little Dragon type cryptosystem using permutation polynomials over finite fields can be an interesting topic of future work.
Acknowledgments. We are grateful to Prof. Lei Hu of Chinese Academy of Sci- ence for his constructive suggestions.
Bibliography
[1] D. Cox, J. Little and D. O’Shea, Ideals, Varieties, and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Algebra, Undergraduate Texts in Mathematics, 2nd ed. New York: Springer-Verlag, 1997. [2] N. T. Courtois, A. Klimov, J. Patarin and A. Shamir, Efficient algorithm for solving overdefined system of multivariate polynomial equations, Advances in cryptology- Eurocrypt 2000, Lecture Notes in Computer Science 1807, pp. 392–407, Springer, Berlin, 2000.
[3] N. T. Courtois and J. Patarin, About the XL algorithm over F2. Topics in Cryptology– CT–RSA 2003, Lecture Notes in Computer Science 2612, pp. 141–157, Springer, Berlin, 2003. [4] F. Delgosha and F. Fekri, Public-key cryptography using paraunitary matrices, IEEE Transactions on Signal Processing, 54(9) (2006), 3489–3504. [5] V. Dubois, P.-A. Fouque, A. Shamir and J. Stern, Practical cryptanalysis of Sflash, Advances in Cryptology – Crypto 2007, Lecture Notes in Computer Science 4622, pp. 1–12, Springer, Berlin, 2007.
[6] J.-C. Faugère, A new efficient algorithm for computing Gröbner bases .F4/, Journal of Pure and Applied Algebra, 139 (2002), 61–88. [7] J.-C. Faugère, A new efficient algorithm for computing Gröbner bases without reduc- tion to zero .F5/, International Symposium on Symbolic and Algebraic Computation – ISSAC, ACM Press, pp. 75–83, 2002. [8] J.-C. Faugère and A. Joux, Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner basis. Advances in cryptology – Crypto 2003, Lecture Notes in Computer Science 2729 (2003), 44–60. [9] P.-A. Fouque, L. Granboulan and J. Sterm, Differential cryptanalysis for multivariate schemes, Advances in cryptology – Eurocrypt 2005, Lecture Notes in Computer Science 3494, pp. 341–353, Springer, Berlin, 2005. [10] A. Kipnis and A. Shamir, Cryptanalysis of the HFE public key cryptosystem by relinearization, Advances in cryptology – Crypto 1999, Lecture Notes in Computer Science 1666, pp. 19–30, Springer, Berlin, 1999. Poly-Dragon: an efficient multivariate public key cryptosystem. 363
[11] N. Koblitz, Algebraic Aspects of Cryptography, Algorithms and Computation in Mathematics Vol. 3, Springer-Verlag, 1998. [12] R. Lidl and H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its ap- plications, Cambridge University Press, 1997. [13] T. Matsumoto and H. Imai, Public quadratic polynomial-tuples for efficient signature-verification and message-encryption, Advances in Cryptology – Eurocrypt 1988, Lecture Notes in Computer Science 330, pp. 419–453, Springer, Berlin, 1988. [14] J. Patarin, Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt ’88, Advances in Cryptology – Crypto 1995, Lecture Notes in Computer Science 963, pp. 248–261, Springer, Berlin, 1995. [15] J. Patarin, Hidden Field equations (HFE) and isomorphism of polynomials (IP): two new families of asymmetric algorithms, Advances in cryptology – Eurocrypt 1996, Lecture Notes in Computer Science 1070, pp. 33–48, Springer, Berlin, 1996. [16] J. Patarin, Asymmetric cryptography with a hidden monomial, Advances in cryptol- ogy – Crypto 1996, Lecture Notes in Computer Science 1109, pp. 45–60, Springer, Berlin, 1996. [17] J. Patarin, N. T. Courtois and L. Goubin, FLASH, a fast multivariate signature al- gorithm, Topics in Cryptology – CT-RSA 2001, Lecture Notes in Computer Science 2020, pp. 298–307, Springer, Berlin, 2001. [18] P. W. Shor, Polynomial time algorithms for prime factorization and discrete loga- rithms on a quantum computer, SIAM J. Computing. 26 (1997), 1484–1509. [19] L.-C. Wang, B.-Y. Yang, Y.-H. Hu and F. Lai, A medium-field multivariate pub- lic key encryption Scheme, Topics in Cryptology – CT-RSA 2006, Lecture Notes in Computer Science 3860, pp. 132–149, Springer, Berlin, 2006. [20] C. Wolf and B. Preneel, Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations, http://eprint.iacr.org/2005/077.
Received November 27, 2009; revised January 21, 2011.
Author information Rajesh P. Singh, Department of Mathematics, Indian Institute of Technology Guwahati, Guwahati-781039, India. E-mail: [email protected] A. Saikia, Department of Mathematics, Indian Institute of Technology Guwahati, Guwahati-781039, India. E-mail: [email protected] 364 R. P. Singh, A. Saikia and B. K. Sarma
B. K. Sarma, Department of Mathematics, Indian Institute of Technology Guwahati, Guwahati-781039, India. E-mail: [email protected]