Building Secure Public Key Encryption Scheme from Hidden Field Equations
Hindawi Security and Communication Networks, Volume 2017, Article ID 9289410, 6 pages. https://doi.org/10.1155/2017/9289410

Research Article

Yuan Ping,1,2 Baocang Wang,1,3 Yuehua Yang,1 and Shengli Tian1

1 School of Information Engineering, Xuchang University, Xuchang 461000, China
2 Guizhou Provincial Key Laboratory of Public Big Data, Guiyang 550025, China
3 State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an 710071, China

Correspondence should be addressed to Baocang Wang; [email protected]

Received 4 April 2017; Accepted 5 June 2017; Published 10 July 2017

Academic Editor: Dengpan Ye

Copyright © 2017 Yuan Ping et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Multivariate public key cryptography is a set of cryptographic schemes built from the NP-hardness of solving quadratic equations over finite fields, amongst which the hidden field equations (HFE) family of schemes remains the most famous. However, the original HFE scheme was insecure, and the follow-up modifications were shown to be still vulnerable to attacks. In this paper, we propose a new variant of the HFE scheme by considering the special equation ² = defined over the finite field F3 when = 0, 1. We observe that the equation can be used to further destroy the special structure of the underlying central map of the HFE scheme. It is shown that the proposed public key encryption scheme is secure against known attacks including the MinRank attack, the algebraic attacks, and the linearization equations attacks. The proposal gains some advantages over the original HFE scheme with respect to the encryption speed and public key size.
1. Introduction

Public key cryptography [1] built from the NP-hardness of solving multivariate quadratic equations over finite fields [2, 3] was conceived as a plausible candidate to traditional factorization and discrete logarithm based public key cryptosystems due to its high performance and the resistance to quantum attacks [4]. The hidden field equations (HFE) scheme [5] may be the most famous cryptosystem amongst all multivariate public key cryptographic schemes. The HFE scheme firstly defines a univariate map over an extension field F :

F() = ∑ + + ∑ + ,   (1)
(sums over 0≤≤<, +≤ and 0≤<, ≤)

where the degree bound chosen cannot be very large in order that the user can use the Berlekamp algorithm [6] to efficiently compute the roots of F(). Then two invertible affine transformations are applied to hide the special structure of the central map [2, 5]. However, the central map F() can be represented with a low-rank matrix [7], which makes it vulnerable to MinRank attacks [7–9]. So some modifications are needed to repair the basic HFE scheme [10–14]. However, all known modification methods can only impose a partial nonlinear transformation on the special structure of the HFE central map, and hence they are still vulnerable to some attacks [15–17].

We consider the HFE scheme over finite fields with characteristic 3. We impose some restrictions on the plaintext space and can use the restriction to merge the coefficients of the linear part and the square part. By doing this, we can impose a fully nonlinear transformation on the central map of the HFE encryption scheme. Performance analysis shows that the modification can save the public key storage by O( ²) bits and reduces the encryption costs by about O( ²) bit operations. It is shown that the modification can defend against the known attacks including the MinRank attack, the linearization equations attack, and the direct algebraic attacks.

2. Proposal

2.1. Notations. Let F be a -order finite field with being a prime power. Let () be an irreducible polynomial with degree over F ; then F = F []/⟨()⟩ forms a degree- extension field. The construction admits a standard isomorphism between the extension field F and the vector space F ; namely, for an element = ∑ ∈ F , we have () = ( , ..., −1) ∈ F . We denote the inverse of the map as ⁻¹. Note that the Frobenius maps T() = for = 0, 1, ..., −1 defined over F are -linear; namely, when expressed in the base field F, T() will be -dimensional linear functions over F.

2.2. Description. The encryption scheme consists of three subalgorithms: key generation, encryption, and decryption.

Key Generation. The system parameters consist of an irreducible polynomial () with degree over F3, the extension field F3 = F3[]/⟨()⟩, and the isomorphism between F3 and F3 . Firstly, we define an HFE map F() in (1) and randomly choose two invertible affine transformations L1 : F3 → F3 and L2 : F3 → F3 . Then we compute their inverses L1⁻¹ and L2⁻¹ and the -variable quadratic polynomials P = L1 ∘ ∘ F ∘ ⁻¹ ∘ L2 = (0, 1, ..., −1). For x = (0, 1, ..., −1), we set

(x) = ∑_{=0}^{−1} ()² + ∑_{=0}^{−2} ∑_{=+1}^{−1} () + ∑_{=0}^{−1} () + (),   (2)

where all the coefficients are in F3 for = 0, ..., −1. Then we merge the coefficients of the square and linear terms of , that is, () = () + () for , = 0, 1, ..., −1, and get the public key of the modified HFE scheme, namely, the quadratic polynomials Q = (0, 1, ..., −1), where, for = 0, ..., −1,

(x) = ∑_{=0}^{−2} ∑_{=+1}^{−1} () + ∑_{=0}^{−1} () + ().   (3)

The secret key consists of F(), L1⁻¹, and L2⁻¹.

Encryption. The plaintext space is M = {0, 1} . For a plaintext m ∈ M, we just compute c = (0, ..., −1) = Q(m) ∈ F3 as the ciphertext.

Decryption. Given a ciphertext c ∈ F3 , we compute y = L1⁻¹(c) and = ⁻¹(y) ∈ F3 , and we use the Berlekamp algorithm [6] to compute all the preimages ∈ F3 such that F() = , and, for each , we compute x = () ∈ F3 . Finally, we compute m = L2⁻¹(x). If m ∈ M, then we output m as the plaintext. If we fail to derive a vector in M from all the preimages , we output the symbol ⊥ designating an invalid ciphertext.

Why Decryption Works. We just observe that = 0, 1, so ² = . Hence, for = 0, 1, ..., −1,

(m) = ∑_{=0}^{−2} ∑_{=+1}^{−1} () + ∑_{=0}^{−1} () + ()
     = ∑_{=0}^{−2} ∑_{=+1}^{−1} () + ∑_{=0}^{−1} (() + ()) + ()
     = ∑_{=0}^{−1} ()² + ∑_{=0}^{−2} ∑_{=+1}^{−1} () + ∑_{=0}^{−1} () + ()
     = (m).   (4)

So c = Q(m) = P(m) = L1 ∘ ∘ F ∘ ⁻¹ ∘ L2(m). The modified HFE decryption recovers the plaintext m by peeling off the composition one by one from the leftmost side.

Remarks. The original HFE scheme [5] works on any field F and its extension F . In fact, the quadratic polynomial map P is exactly the public key of the original HFE scheme, and the secret key of the original scheme also consists of F(), L1⁻¹, and L2⁻¹. The encryption of the original HFE scheme is just to compute c = P(m), where the plaintext m is in F but not necessarily in M = {0, 1} . The decryption algorithm of the modified HFE scheme is exactly the original HFE decryption.

2.3. Performance and Comparisons. To make a comparison between the proposed HFE modification and the original HFE scheme on a uniform platform, we consider the HFE scheme defined over F3 and its extension field F3 . It can be easily seen that both the modified and the original HFE schemes share a common secret key and decryption algorithm, so both schemes have the same secret key sizes and decryption costs. In the modified scheme, the public key is Q, and hence we need not store the coefficients of the square terms of the public key P. So the proposed scheme reduces the public key size by O( ²) bits. During encryption, the proposed modified HFE scheme does not need to do the square computations, so the proposed encryption reduces the computational costs by O( ²) bit operations.

3. Security

We analyze the security of the proposed modified HFE encryption scheme. We first review the basic idea of known attacks and then illustrate why the proposal is secure against these attacks.

3.1. Linearization Equations Attack

Basic Idea. The linearization equations attack [18] was found by Patarin on the Matsumoto-Imai scheme [19]. In the Matsumoto-Imai scheme, a permutation F() = ^{+1} over F with characteristic 2 is defined such that gcd( −1, + 1) = 1, then using two invertible affine transformations L1 and L2 to disguise the central map F into a quadratic map P over F, namely,

P = L1 ∘ ∘ F ∘ ⁻¹ ∘ L2.   (5)

The basic idea of the attack is as follows. Note that = F() = ^{+1} implies − = 0. By setting

x = (0, ..., −1) = (),
y = (0, ..., −1) = () = (F()) = (F(⁻¹(x))),   (6)

we can express − = 0 as bilinear equations about the input x and output y of the function ∘ F ∘ ⁻¹:

∑_{=0}^{−1} ∑_{=0}^{−1} () = 0,   (7)

where , , = 0, ..., −1 and () ∈ F. Given a ciphertext c = (0, ..., −1) = P(m), we want to recover the corresponding plaintext m = (0, ..., −1). Note that m (c, resp.) is an affine transformation L2 (L1, resp.) on the input (output, resp.) of the function ∘ F ∘ ⁻¹. So m and c satisfy the following equations derived from the bilinear equations, namely,

∑_{=0}^{−1} ∑_{=0}^{−1} () + ∑_{=0}^{−1} () + ∑_{=0}^{−1} () + () = 0,   (8)

in F() in (1). We then can look at F* as a quadratic form about

X = (, , ..., );   (10)

then we associate with F* a symmetric -dimensional square matrix F such that

F*() = XFX.   (11)

The symmetric matrix F is of low rank, and it is the special structure of the symmetric matrix F that makes the original HFE scheme insecure. We recall 0≤≤<, +≤ and denote the smallest integer smaller than or equal to log ( − 1) + 1 as , and we will find that all the elements of the last − columns (rows, resp.) of F are zero. So the rank of the symmetric matrix F is at most . Loosely speaking, when we apply two linear transformations on the input and output of the map F*, the rank of the corresponding matrix remains at most . We define the quadratic part of P = L1 ∘ ∘ F ∘ ⁻¹ ∘ L2 as P* = (0*, ..., −1*), namely, for = 0, ..., −1,

*(x) = ∑_{=0}^{−1} ()² + ∑_{=0}^{−2} ∑_{=+1}^{−1} ().   (12)

Note that F*() can be expressed as homogeneous quadratic polynomials over the base field F; then the application of two linear transformations on the input and output of F*() will also give homogeneous quadratic polynomials over the base field F. That is to say,

P* = L1* ∘ ∘ F* ∘ ⁻¹ ∘ L2*.
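The coefficient-merging step of Section 2.2 (eqs. (2) and (3)) and the "Why Decryption Works" argument of eq. (4), as an added Python example that is not part of the paper. It assumes a random n-variable quadratic map over F3 standing in for the public key P (no HFE central map or affine layers are built), merges the square coefficients into the linear ones exactly as eq. (3) does, and then checks the two facts the section relies on: Q and P agree on every plaintext in M = {0,1}^n, and they disagree as soon as an input coordinate is 2, which is why the plaintext-space restriction is part of the scheme and why decryption must reject candidates outside M. It also counts the n² coefficients that Q no longer stores, the O(n²) saving of Section 2.3. All function names are this example's own.

```python
"""Added example (not from the paper): coefficient merging in the modified HFE public key.

Assumptions: the public key P is generated here as a random n-variable quadratic map
over F3 in the shape of eq. (2) instead of being derived from an HFE central map, so
only the merging step and the plaintext-space restriction M = {0,1}^n of Section 2.2
are exercised. All function names below are this example's own.
"""
import itertools
import random

FIELD = 3  # base field F3 (characteristic 3)


def random_quadratic_map(n, seed=1):
    """n random quadratic polynomials in n variables over F3, stored as in eq. (2):
    square coefficients a_jj, cross coefficients a_jk (j < k), linear b_j, constant c."""
    rng = random.Random(seed)
    return [{
        "sq": [rng.randrange(FIELD) for _ in range(n)],
        "cross": {(j, k): rng.randrange(FIELD) for j in range(n) for k in range(j + 1, n)},
        "lin": [rng.randrange(FIELD) for _ in range(n)],
        "const": rng.randrange(FIELD),
    } for _ in range(n)]


def merge_square_terms(pk):
    """Build Q from P as in eq. (3): b'_j = a_jj + b_j (mod 3) and drop the square terms."""
    return [{
        "sq": [0] * len(p["sq"]),
        "cross": dict(p["cross"]),
        "lin": [(a + b) % FIELD for a, b in zip(p["sq"], p["lin"])],
        "const": p["const"],
    } for p in pk]


def eval_poly(p, x):
    """Evaluate one quadratic polynomial at x in F3^n."""
    total = p["const"]
    total += sum(a * xj * xj for a, xj in zip(p["sq"], x))
    total += sum(a * x[j] * x[k] for (j, k), a in p["cross"].items())
    total += sum(b * xj for b, xj in zip(p["lin"], x))
    return total % FIELD


def eval_map(pk, x):
    """Apply the whole map (P or Q) to x and return the image vector."""
    return tuple(eval_poly(p, x) for p in pk)


def agree_on_binary_inputs(pk, qk, n):
    """Q(m) == P(m) for every m in M = {0,1}^n, because m_j^2 == m_j there (eq. (4))."""
    return all(eval_map(pk, m) == eval_map(qk, m)
               for m in itertools.product((0, 1), repeat=n))


def disagreement_witness(pk, qk, n):
    """Return an x outside M with P(x) != Q(x), or None.  Setting x_j = 2 (so that
    x_j^2 - x_j = 2 != 0 in F3) shifts every p_i by 2 * a_jj^(i), hence any nonzero
    square coefficient gives a witness: merging is only sound on M."""
    for j in range(n):
        if any(p["sq"][j] for p in pk):
            x = tuple(2 if i == j else 0 for i in range(n))
            if eval_map(pk, x) != eval_map(qk, x):
                return x
    return None


def coefficient_count(pk, store_squares):
    """Number of F3 coefficients the public key occupies; Q omits the n^2 square terms."""
    per_poly = len(pk[0]["cross"]) + len(pk[0]["lin"]) + 1
    if store_squares:
        per_poly += len(pk[0]["sq"])
    return len(pk) * per_poly


if __name__ == "__main__":
    n = 6
    P = random_quadratic_map(n, seed=7)
    Q = merge_square_terms(P)
    print("Q == P on {0,1}^n:", agree_on_binary_inputs(P, Q, n))
    print("witness outside M:", disagreement_witness(P, Q, n))
    print("coefficients saved:", coefficient_count(P, True) - coefficient_count(Q, False))
```

The witness search makes the security-relevant caveat concrete: Q is only a correct substitute for P on M, so a decryptor that accepted a preimage outside {0,1}^n would be computing with the wrong map, which is the reason the decryption step outputs ⊥ when no candidate lies in M.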
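The bilinear relation behind the linearization equations attack reviewed in Section 3.1 (eqs. (5) to (7)), as an added Python example that is not part of the paper. It constructs a toy Matsumoto-Imai instance with assumed parameters q = 2, n = 7, the field F2[x]/⟨x^7 + x + 1⟩ and θ = 1 (so F(X) = X^3 and gcd(2^7 − 1, 2^θ + 1) = 1), checks that X^{q^{2θ}}·Y − X·Y^{q^θ} vanishes on every pair (X, F(X)), and then reads off the coefficients of the n bilinear equations of eq. (7) by evaluating that relation on basis elements, which is valid because the Frobenius maps are F2-linear. All names in the block are this example's own.

```python
"""Added example (not from the paper): the linearization equations of a Matsumoto-Imai
central map, eqs. (5)-(7) of Section 3.1, verified on a toy instance.

Constructed parameters: q = 2, n = 7, F_{2^7} = F2[x]/<x^7 + x + 1>, theta = 1, so
F(X) = X^{2^theta + 1} = X^3 and gcd(2^7 - 1, 2^theta + 1) = gcd(127, 3) = 1.  A field
element is an int whose bits are its coordinates phi(X) = (x_0, ..., x_6).  All names
below are this example's own.
"""
from math import gcd

N = 7
MODULUS = 0b10000011  # x^7 + x + 1, irreducible over F2
THETA = 1
Q = 2


def gf_mul(a, b):
    """Carry-less product of two field elements, reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached n: reduce
            a ^= MODULUS
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in the field."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def parameters_are_valid():
    """MI needs gcd(q^n - 1, q^theta + 1) = 1 for F to be a permutation."""
    return gcd(Q ** N - 1, Q ** THETA + 1) == 1


def central_map(x):
    """Matsumoto-Imai central map F(X) = X^{q^theta + 1}."""
    return gf_pow(x, Q ** THETA + 1)


def is_permutation():
    """Brute-force check that F is a bijection of the 2^n field elements."""
    return len({central_map(x) for x in range(1 << N)}) == 1 << N


def relation(x, y):
    """X^{q^{2 theta}} Y - X Y^{q^theta}; equals 0 whenever Y = F(X)
    (subtraction is XOR in characteristic 2)."""
    return gf_mul(gf_pow(x, Q ** (2 * THETA)), y) ^ gf_mul(x, gf_pow(y, Q ** THETA))


def relation_holds_everywhere():
    return all(relation(x, central_map(x)) == 0 for x in range(1 << N))


def bilinear_coefficients():
    """Coefficients a_ij^(k) of the n bilinear equations (7).  Frobenius maps are
    F2-linear and multiplication is bilinear, so relation() is bilinear in the bit
    vectors of X and Y and its coefficients are read off on pairs of basis elements."""
    coeffs = [[[0] * N for _ in range(N)] for _ in range(N)]
    for i in range(N):
        for j in range(N):
            val = relation(1 << i, 1 << j)
            for k in range(N):
                coeffs[k][i][j] = (val >> k) & 1
    return coeffs


def bilinear_equations_hold(coeffs):
    """Check sum_{i,j} a_ij^(k) x_i y_j = 0 over F2 for every pair (x, y = F(x))."""
    for x in range(1 << N):
        y = central_map(x)
        xb = [(x >> i) & 1 for i in range(N)]
        yb = [(y >> j) & 1 for j in range(N)]
        for k in range(N):
            if sum(coeffs[k][i][j] & xb[i] & yb[j] for i in range(N) for j in range(N)) & 1:
                return False
    return True


if __name__ == "__main__":
    print("valid parameters:", parameters_are_valid(), "permutation:", is_permutation())
    print("relation vanishes on all (X, F(X)):", relation_holds_everywhere())
    print("bilinear equations hold:", bilinear_equations_hold(bilinear_coefficients()))
```

The point for a designer is the one the section makes: the equations in eq. (7) depend only on the algebraic shape of the central map, and composing with the affine L1 and L2 merely turns them into the affine equations of eq. (8) in the plaintext and ciphertext coordinates, so hiding a central map of this shape behind affine layers does not remove the relation. The page stops before stating how the modified scheme of Section 2 is argued to resist this, so the example makes no claim about it.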