Masaryk University Faculty of Informatics Algebraic cryptanalysis of Hidden Field Equations family Bachelor's Thesis Adam Janovsk´y Brno, Spring 2016 Declaration I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Adam Janovsk´y Advisor: prof. RNDr. Jan Slov´ak,DrSc. i Abstract The goal of this thesis is to present a Gr¨obnerbasis as a tool for algebraic cryptanalysis. Firtst, the thesis shortly introduces asymmetric cryptography. Next, a Gr¨obnerbasis is presented and it is explained how a Gr¨obnerbasis can be used to algorithmic equation solving. Further, fast algorithm for the Gr¨obnerbasis computation, the F4, is presented. The thesis then introduces basic variant of Hidden field equations cryptosystem and discusses its vulnerability to algebraic attacks from Gr¨obnerbasis perspective. Finally, the thesis gives an overview of recent results in algebraic cryptanalysis of Hidden Field Equations and suggests parameters that could make the algebraical attacks intractable. ii Keywords Gr¨obnerbasis, cryptanalysis, Hidden Field Equations, F4 iii Contents 1 Introduction ...........................1 1.1 Notation ...........................2 2 Preliminaries ..........................3 2.1 Asymmetric cryptography .................3 2.1.1 Overview . .3 2.1.2 RSA . .5 2.2 Gr¨obnerbasis ........................7 2.3 Equation solving ...................... 14 3 F4 algorithm for computing a Gr¨obnerbasis ...... 19 4 Hidden Field Equations ................... 27 4.1 Overview of HFE ...................... 27 4.1.1 Parameters of HFE . 27 4.2 Encryption and Decryption ................ 29 4.2.1 Encryption . 29 4.2.2 Decryption . 31 4.3 Public key derivation .................... 32 5 Algebraic attacks on HFE .................. 35 5.1 Algebraic attack for q =2 ................. 35 5.2 Algebraic attack for odd q ................. 37 6 Conclusions ........................... 41 Appendices . 42 A SAGE code ........................... 43 B Gr¨obnerbasis for q = 11.................... 47 v 1 Introduction The thesis studies algebraic attacks against basic variant of Hidden Field Equations (HFE) cipher. Results for various attack parameters are examined and precautions to achieve higher security of HFE against algebraic attacks suggested. HFE family is an alternative to various ciphers based on factorizing integers or discrete logarithm problem. These are proven to be insecure against quantum algorithms which does not hold for HFE. Therefore it is important to understand vulnerability of HFE against algebraic attacks in order to decide about its overall security in case the number theory ciphers become practically insecure. We restrict our attention to attacks from a Gr¨obnerbasis perspective and we develop necessary theory throughout the text. Only a minimum amount of background is given in cryptography area. For introduction to cryptography, one can see [1]. More theory is given in Gr¨obnerbases. However, proofs are often omitted and only basic context is provided. Great introductory text to Gr¨obnerbases is [2]. In the second chapter asymmetric cryptography is presented and its concepts demonstrated on example. Further we study a Gr¨obner basis, we give the Buchberger's algorithm for finding such a basis and we show how it can be used to solve a system of polynomial equations algorithmically. In the third chapter we discuss possible improvements on the Buchberger's algorithm and we present Faug`ere'salgorithm for fast Gr¨obnerbasis computation, the F4. In the Chapter 4 we present basic HFE variant and study its properties. We demonstrate how encryption and decryption are performed on example and show how a public key is derived. Finally, the Chapter 5 describes an algebraic attack against HFE. Different parameters of such attacks are discussed. The thesis suggests parameters that could make the algebraic attack against HFE intractable. 1 1. Introduction 1.1 Notation N; N0; Z Positive integers, non-negative integers, integers; Zn integers modulo n; φ(n) Euler's phi function for n; a ≡ b ( mod n) a is congruent b modulo n, i.e. a − bjn; [x1; : : : ; xn] monomials over x1; : : : ; xn; k[x1; : : : ; xn] ring of polynomials over k in variables x1; : : : ; xn; gcd(f; g) greatest common divisor of f and g; LCM(f; g) least common multiple of f and g; Matm;s(k) set of matrices with m rows and s columns over k; GF (q) Galois filed with q elements where q is power of prime; k[t]=hg(t)i vector space generated by the irreducible polynomial g; 2 2 Preliminaries The purpose of this chapter is to provide theory and notation neces- sary to discuss algorithmic solving of multivariate polynomial systems. Also, the chapter introduces asymmetric cryptography and shows, how solving a system of equations may lead to breaking a cipher. First, the asymmetric cryptography is introduced. Next, a Gr¨obnerbasis is presented. Finally, we describe how a Gr¨obnerbasis can be used for solving a system of multivariate polynomial equations. We make no claim of self-sufficiency of this chapter. In the relevant parts of the text we the refer reader to recommended literature. 2.1 Asymmetric cryptography In this section some basics of asymmetric cryptography are introduced. Further, we illustrate concepts of asymmetric cryptography on the oldest asymmetric cipher, the RSA. For great introduction to cryptography one can look into [1]. We note, that asymmetric cryptography is commonly referred public-key cryptography and both titles appear in the text. 2.1.1 Overview In the following text, consider this setting: Alice and Bob are two friends somewhere on earth, who want to communicate securely over insecure channel. Evil Eve wants to eavesdrop their communication. For secure communication, Alice uses her secret key to encrypt a message into a ciphertext and sends it to Bob. Then Bob uses his secret key to decrypt the ciphertext in order to recover the original message. We begin with a formal definition of a cryptosystem. Definition. A cryptosystem is a five-tuple (P; C; K; E; D) where the following conditions are satisfied: 1. P is a finite set of possible plaintexts; 2. C is a finite set of possible ciphertexts; 3. K, the keyspace, is a finite set of possible keys; 3 2. Preliminaries 4. For each k 2 K, there is an encryption rule ek 2 E and a corresponding decryption rule dk 2 D. Each ek : P!C and dk : C!P are functions such that dk(ek(x)) = x for every plaintext x 2 P. Modern cryptosystems can be divided into two main areas of study, symmetric cryptosystems and public-key cryptosystems. In symmetric cryptosystems Alice and Bob usually share the same key. Less com- monly their keys differ, but are related in an easily computable way. Consequently, exposure of any of their keys to Eve renders the system insecure. The drawback of a symmetric key cryptosystem is the need of prior communication of Alice and Bob over a secure channel, in order to agree on a secret key. In practice, this may be very difficult to achieve as Alice and Bob can be anywhere around the globe. The idea behind a public-key cryptosystem is that there might exist such a functions that it is infeasible to obtain a decryption rule given an encryption rule. The encryption rule ek then can be made public (hence public-key cryptography) and everyone can encrypt messages with the encryption rule ek. In order to decrypt a ciphertext, Bob holds additional piece of information about the function ek, the trapdoor. To decrypt the ciphertext, one has to invert ek, which is feasible only with knowledge of the trapdoor. Thus only Bob can decrypt the ciphertext. Such a function is called a one-way trapdoor function. Definition. A function f : A ! B is called a one-way trapdoor function if the following three conditions hold: 1. Easy to compute: It is computationally easy to find f(x) given an arbitrary x 2 A; 2. Hard to invert: For almost all y 2 B is computationally infeasi- ble to find x 2 A such that f(x) = y; 3. Easy to invert with a trapdoor: with some additional piece of information, it is easy to obtain x 2 A such that f(x) = y given y 2 B. Our definition of a one-way trapdoor function is vague. Yet, for our purposes it is sufficient to understand the idea behind it, not concerning details, e.g. what computationally easy, computationally infeasible or 4 2. Preliminaries almost all mean precisely. Intuitively, one can compute f(x) quickly on computer and inverting f without knowledge of a trapdoor is not within reach of computational power. Using a one-way trapdoor function, Bob can now communicate securely with Alice in the following way: 1. Bob chooses a one-way trapdoor bijection f and has knowledge of the corresponding trapdoor; 2. Bob makes f public and sends it to Alice through a (insecure) channel; 3. Alice encrypts an arbitrary message m with f and sends f(m) to Bob; 4. Since Bob knows the trapdoor for f, he can invert f and apply it to the ciphertext f(m). By that he obtains the original message m. If Eve eavesdrops a public key f or a ciphertext f(m), she cannot recover a message m efficiently since inverting f is computationally infeasible. However, she could try to encrypt all possible plaintexts p by herself and eventually find the one, such that f(p) = f(m). Then p = m since function f is bijection. Probability of this event should be negligible. Unfortunately, it is not clear whether a one-way trapdoor function exists. Necessary condition for that to be true is that N 6= NP. Never- theless, there are functions believed to be one-way and are widely used in practice.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages61 Page
-
File Size-