Key Recovery Attack on The Cubic ABC Simple-Matrix Encryption Scheme Dustin Moody, *Ray Perlner, Daniel Smith-Tone Outline • Multivariate Cryptography • Cubic ABC • Differential Structure (Band Spaces and Band Kernels) • Finding the Structure • Conclusion Multivariate cryptography • Public key is a system of 푚 polynomial equations in 푛 varibles over 퐹푞 E.g. 3 2 2 푦1 = 2푥1 + 푥1 푥2 + 푥2 + 3푥1 + 푥2 + 1 2 2 푦2 = 2푥1 푥2 + 3푥1푥2 + 푥1푥2 + 4푥1 • Plaintext is given by 푥푖 and ciphertext is given by 푦푖. • Solving multivariate systems of equations is NP hard in general for polynomials of degree 2 or higher. • Most schemes use degree 2 polynomials; we will be considering a degree 3 scheme. • Private key is some special structure that allows the private-key holder to solve for 푥푖. • Most known schemes only produce secure signatures; we will be considering an encryption scheme. Multivariate Cryptography 2 Butterfly Construction • In most multivariate schemes (Cubic ABC included) the public key is constructed as: 푓푝푢푏(푥) = 풯 ∘ 푓 ∘ 풰(푥) • 푓 is an easily invertible Quadratic/Cubic function 푛 • 푓 is often defined by identifying (퐹푞) with a larger algebraic structure (e.g. an extension field like 퐹푞푛.) • The ABC scheme defines 푓 using a matrix algebra over 퐹푞. • 풯 and 풰 are affine maps • E.g. 푢1 = 푥1 + 3푥2 + 4 푢2 = 3푥1 + 2푥2 + 1 • Singular maps are sometimes used for signatures. Here we use invertible maps. Cubic ABC (Ding, Petzoldt, Wang 2014) • Cubic ABC is a multivariate encryption scheme • One of the few promising candidates • Modifies the (quadratic) Simple Matrix Encryption Scheme (Tao, Dienne, Tang, Ding 2013) • Heuristic argument claiming to rule out structural attacks • Parameters • 푞: size of the finite field for the variables • 푠: dimension of matrices used in the central map • The central map has 푠2 input variables and 2푠2 output variables. Cubic ABC: The Core Map • Central map is 푠2 → 2푠2 function where the equations are grouped as the elements of two matrices 푓 푥Ԧ = 퐸1 푥Ԧ , 퐸2 푥Ԧ 퐸1 = 퐴퐵; 퐸2 = 퐴퐶 • 푏푖,푐푖 are linear functions of 푥Ԧ. • 푝푖 are quadratic functions of 푥Ԧ. • Decryption proceeds by solving: −1 (퐴(푥Ԧ)) 퐸1 = 퐵 푥Ԧ −1 (퐴(푥Ԧ)) 퐸2 = 퐶 푥Ԧ for (퐴(푥Ԧ))−1 and 푥Ԧ. (Linear) Cubic ABC: The Core Map • Central map is 푠2 → 2푠2 function where the equations are grouped as the elements of two matrices 푓 푥Ԧ = 퐸1 푥Ԧ , 퐸2 푥Ԧ 퐸1 = 퐴퐵; 퐸2 = 퐴퐶 • 푏푖,푐푖 are linear functions of 푥Ԧ. • 푝푖 are quadratic functions of 푥Ԧ. • Decryption proceeds by solving: −1 (퐴(푥Ԧ)) 퐸1 = 퐵 푥Ԧ −1 (퐴(푥Ԧ)) 퐸2 = 퐶 푥Ԧ for (퐴(푥Ԧ))−1 and 푥Ԧ. (Linear) Quadratic ABC: The Core Map • Central map is 푠2 → 2푠2 function where the equations are grouped as the elements of two matrices 푓 푥Ԧ = 퐸1 푥Ԧ , 퐸2 푥Ԧ 퐸1 = 퐴퐵; 퐸2 = 퐴퐶 • 푏푖,푐푖 are linear functions of 푥Ԧ. • 푝푖 = 푥푖. • Decryption proceeds by solving: −1 (퐴(푥Ԧ)) 퐸1 = 퐵 푥Ԧ −1 (퐴(푥Ԧ)) 퐸2 = 퐶 푥Ԧ for (퐴(푥Ԧ))−1 and 푥Ԧ. (Linear) Special structure of Quadratic ABC (Row Band Spaces) 퐴퐵 = 퐸1 푏푗 푥 푥 … 푥 푏푠+푗 퐸 푖−1 푠+1 푖−1 푠+2 푖푠 = 푖−1 푠+푗 ⋮ 푏푠2 −푠+푗 • Note that all quadratic monomials in (퐸 푖−1 푠+1, … , 퐸푖푠) contain one of the 푠 variables (푥 푖−1 푠+1, … , 푥푖푠) • We previously used this structure to cryptanalyze the quadratic ABC scheme. (Moody, Perlner, Smith-Tone 2014) Special Structure of Cubic (and Quadratic) ABC (Column Band Spaces) 퐴퐵 = 퐸1 푏푗 푝 푝 … 푝 푏푠+푗 퐸 푖−1 푠+1 푖−1 푠+2 푖푠 = 푖−1 푠+푗 ⋮ 푏푠2 −푠+푗 ′ ′ ′ ′ • Under a basis (푢 1, … 푢 푠2) where 푢 1, … 푢 푠 = (푏푗(푥Ԧ), 푏푠+푗(푥Ԧ) … 푏푠2−푠+푗(푥Ԧ)): • All cubic monomials in column 푗 of 퐸, i.e. (퐸 (푥Ԧ), 퐸 (푥Ԧ) … 퐸 2 (푥Ԧ)) ′ ′ 푗 푠+푗 푠 −푠+푗 contain at least one factor of 푢 1, … 푢 푠 • We will call these 푠 equations (and their linear combination) band-space maps • We will also define the band kernel: The space of vectors 푥Ԧ, such that ′ ′ (푢 1 푥Ԧ , … , 푢 푠 푥Ԧ ) = 0 How many band spaces are there: • Not only do the columns of 푬ퟏ = 푨푩 and 푬ퟐ = 푨푪 define band spaces, but fixed linear combinations of the columns (휷, 휸) do as well. • Band Space: • Band Kernel: (푥 ∈ ℬ풦훽,훾) A Formal Tool for Describing the Structure: The Discrete Differential • Definition: 푫풇 풙, 풂 = 풇 풙 + 풂 − 풇 풙 − 풇 풂 + 풇 ퟎ • We will be considering the structure of cubic monomials, so we will use 푫ퟐ풇(풂, 풃, 풙) • Useful properties: • Its entries are the coefficients of cubic monomials in 풇 푓 푥Ԧ = ෍ 푎푖푗푘푥푖푥푗푥푘 푖≤푗≤푘 2 2 ⇒ 퐷 푓 푎Ԧ, 푏Ԧ, 푥Ԧ = ෍ (퐷 푓)푖푗푘푎푖푏푗푥푘 ; 푖≤푗≤푘 푎푖푗푘 푖 ≠ 푗 ≠ 푘 2 (퐷 푓)푖푗푘 = ൞2푎푖푗푘 푖 = 푗 ≠ 푘 6푎푖푗푘 푖 = 푗 = 푘 • 푫ퟐ풇 is a 3-tensor: i.e for linear maps/ changes of basis 푼: 푓′ 푥Ԧ = 푓 푈푥Ԧ ⇒ 퐷2푓′ 푎Ԧ, 푏Ԧ, 푥Ԧ = 퐷2푓(푈푎Ԧ, 푈 푏Ԧ, 푈푥Ԧ) Or equivalently: 2 2 (퐷 푓′)푖푗푘 = ෍ (퐷 푓)푙푚푛푈푙푖푈푚푗푈푛푘 푙,푚,푛 The (2nd) Differential Form of Band-Space Maps Some properties of band-space differentials. (in the 푢′푖 basis) • For three vectors 푥1, 푥2, 푥3 ∈ ℬ풦훽,훾: 2 퐷 ℰ훽,훾 푥1, 푥2, 푥3 = 0 • For two vectors 푥1, 푥2 ∈ ℬ풦훽,훾: 2 ′ ′ 퐷 ℰ훽,훾 푥1, 푥2 = (푦 푢 1 , … , 푦 푢 푠 , 0, … , 0) 2 • Note that 퐷 ℰ훽,훾 maps 푥1, 푥2 to an 푠-dimensional subspace of linear forms • For one vector 푥1 ∈ ℬ풦훽,훾: 푆 − 푅 − | 퐷2ℰ 푥 = 훽,훾 1 푅푇 0 | • Note that the rank of the resulting 2-tensor (matrix) is at most 2푠. • But the components of the public key aren’t band-space maps, but linear combinations of them, under the private transformation 풯, since 푓푝푢푏(푥) = 풯 ∘ 푓 ∘ 풰(푥) Our attack strategy (Modified MinRank) 2 • Select 푠 -dimensional vectors, 푥1, 푥2, 푥3, 푥4. • Solve 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥2 = 0 푖=1 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥3, 푥4 = 0 푖=1 For 푡푖. 2푠2 2 • Hope that σ푖=1 푡푖퐷 ℰ푖 ∈ 픅훽,훾 and 푥1, 푥2, 푥3, 푥4 ∈ ℬ풦훽,훾 2푠2 2 • If so, the 2-tensor σ푖=1 푡푖퐷 ℰ푖 (푥푘) will have rank at most 2푠. Setting some vectors equal • We can increase the probability that the vectors share a band kernel by setting some of them equal to one another (e.g. by solving:) 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥1 = 0 푖=1 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥2, 푥2 = 0 푖=1 2 • This works in odd characteristic, but in characteristic 2, 퐷 ℰ푖 푥1, 푥1 = 0 by symmetry. So the best we can do there is: 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥2 = 0 푖=1 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥3 = 0 푖=1 How likely are random vectors to share a band kernel? • 푥1, 푥2, … share a band kernel if there is a nontrivial linear relation on the columns of the matrix at right: • If all four vectors are randomly chosen it’s a random 4푠 × 2푠 1 • Probability is ~ 푞−2푠 푞−1 • If we set a pair of vectors equal (e.g. 푥4 = 푥1) it’s a random 3푠 × 2푠 1 • Probability is ~ 푞−푠 푞−1 • If we set two pairs of vectors equal (e.g. 푥1 = 푥2; 푥3 = 푥4) it’s a random 2푠 × 2푠 1 • Probability is ~ 푞−1 If the vectors share a band kernel, how likely are we to find a band-space map? • We find a band space map if there exists nonzero (휏 , … , 휏 ) such that: 푠 1 푠 2 ෍ 휏푖퐷 ℰ훽,훾,푖 푥1, 푥2 = 0 푖=1 푠 2 ෍ 휏푖퐷 ℰ훽,훾,푖 푥3, 푥4 = 0 푖=1 푠 2 • Recall thatσ푖=1 휏푖퐷 ℰ훽,훾,푖 maps band kernel vectors to an 푠-dimensional space of linear forms. • Thus we have 2푠 (random) linear constrains on 푠 variables 1 • The probability that there is a nontrivial solution is ~ 푞−푠 푞−1 How big a space of solutions do we have to search through • Even if a low rank solution exists to 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥1, 푥2 = 0 푖=1 2푠2 2 ෍ 푡푖퐷 ℰ푖 푥3, 푥4 = 0, 푖=1 it isn’t necessarily the only one. • Generically we’d expect a 0 dimensional solution space (2푠2 equations in 2푠2 variables.) However, low characteristic imposes some linear dependencies: • Characteristic 2 2푠2 2 2푠2 2 2푠2 2 2푠2 2 • σ푖=1 푡푖퐷 ℰ푖 푥1, 푥2 (푥1) = σ푖=1 푡푖퐷 ℰ푖 푥1, 푥2 (푥2) = σ푖=1 푡푖퐷 ℰ푖 푥3, 푥4 (푥3) = σ푖=1 푡푖퐷 ℰ푖 푥3, 푥4 (푥4) = 0 2푠2 2 2푠2 2 • And if 푥4=푥1: σ푖=1 푡푖퐷 ℰ푖 푥1, 푥2 푥3 + σ푖=1 푡푖퐷 ℰ푖 푥1, 푥3 (푥2) = 0 • So we expect a 5 dimensional solution space which requires 푞4 + 푞3 + 푞2 + 푞 + 1 rank computations to search. • Characteristic 3 (푥1 = 푥2; 푥3 = 푥4) 2푠2 2 2푠2 2 • σ푖=1 푡푖퐷 ℰ푖 푥1, 푥1 (푥1) = σ푖=1 푡푖퐷 ℰ푖 푥2, 푥2 (푥2) = 0 • So we expect a 2 dimensional solution space which requires 푞 + 1 rank computations to search. Putting it all together • Finding a band-space map costs approximately • 푞2푠+6푠2휔 for characteristic 2. • 푞푠+3푠2휔 for characteristic 3. • 푞푠+2푠2휔 for higher characteristic. (휔 ≈ 2.373 is the linear algebra constant.) • Once a band space map is found, a full key recovery is possible at minimal additional cost. How bad is the attack • Finding a band-space map costs approximately • 푞2푠+6푠2휔 for characteristic 2.