Multivariate Cryptography Part 3: HFE (Hidden Field Equations) Albrecht Petzoldt PQCrypto Summer School 2017 Eindhoven, Netherlands Friday, 23.06.2017 A. Petzoldt Multivariate Cryptography PQCrypto Summer School 1 / 53 Reminder: Construction of MPKCs n m Easily invertible quadratic map F : F → F (central map) m m n n Two invertible linear maps S : F → F and T : F → F Public key: P = S ◦ F ◦ T supposed to look like a random system Private key: S, F, T allows to invert the public key A. Petzoldt Multivariate Cryptography PQCrypto Summer School 2 / 53 Workflow Decryption / Signature Generation −1 −1 −1 m S - m F - n T - n w ∈ F x ∈ F y ∈ F z ∈ F 6 P Encryption / Signature Verification A. Petzoldt Multivariate Cryptography PQCrypto Summer School 3 / 53 Big Field Schemes Central map F is defined over a degree n extension field E of F −1 n n F¯ = Φ ◦ F ◦ Φ: F → F quadratic Decryption / Signature Generation −1 X ∈ E F -Y ∈ E 6 Φ Φ−1 −1 −1 ? −1 n S- n F¯- n T- n w ∈ F x ∈ F y ∈ F z ∈ F 6 P Encryption / Signature Verification A. Petzoldt Multivariate Cryptography PQCrypto Summer School 4 / 53 Extension Fields Fq: finite field with q elements g(X) irreducible polynomial in F[X] of degree n ∼ n ⇒ Fqn = F[X]/hg(X)i finite field with q elements n Pn i−1 isomorphism φ : Fq → Fqn ,(a1,..., an) 7→ i=1 ai · X Addition in Fqn : Addition in Fq[X] Multiplication in Fqn : Multiplication in Fq[X] modulo g(X) A. Petzoldt Multivariate Cryptography PQCrypto Summer School 5 / 53 Example: The field GF(22) Start with the field F2 = {0, 1} of two elements Choose an irreducible polynomial g(X) of degree 2 in F2[X], i.e. g(X) = X 2 + X + 1 ∼ 2 ⇒ F22 = F2[X]/hX + X + 1i = {0, 1, X, X + 1} =∼ {0, 1, w, w 2} for a root w of g(X) + 0 1 w w 2 × 0 1 w w 2 0 0 1 w w 2 0 0 0 0 0 1 1 0 w 2 w 1 0 1 w w 2 w w w 2 0 1 w 0 w w 2 1 w 2 w 2 w 1 0 w 2 0 w 2 1 w A. Petzoldt Multivariate Cryptography PQCrypto Summer School 6 / 53 The HFE Cryptosystem [Pa96] “ Hidden Field Equations” proposed by Patarin in 1995 BigField Scheme can be used both for encryption and signatures n finite field F, extension field E of degree n, isomorphism Φ : F → E A. Petzoldt Multivariate Cryptography PQCrypto Summer School 7 / 53 HFE - Key Generation central map F : E → E, qi +qj ≤D qi ≤D X qi +qj X qi F(X) = αij X + βi · X + γ 0≤i≤j i=0 −1 n n ⇒ F¯ = Φ ◦ F ◦ Φ: F → F quadratic degree bound D needed for efficient decryption / signature generation n n linear maps S, T : F → F n n public key: P = S ◦ F¯ ◦ T : F → F private key: S, F, T A. Petzoldt Multivariate Cryptography PQCrypto Summer School 8 / 53 Encryption n Given: message (plaintext) z ∈ F n Compute ciphertext w ∈ F by w = P(z). A. Petzoldt Multivariate Cryptography PQCrypto Summer School 9 / 53 Decryption n Given: ciphertext w ∈ F −1 n 1 Compute x = S (w) ∈ F and X = Φ(x) ∈ E 2 Solve F(Y ) = X over E via Berlekamp’s algorithm −1 n −1 3 Compute y = Φ (Y ) ∈ F and z = T (y) n Plaintext: z ∈ F . A. Petzoldt Multivariate Cryptography PQCrypto Summer School 10 / 53 Remark HFE central map is not bijective ⇒ Decryption process does not neccessarily produce unique solution ⇒ Use redundancy in the plaintext A. Petzoldt Multivariate Cryptography PQCrypto Summer School 11 / 53 Signature Generation Given: message d ? n 1 Use hash function H : {0, 1} → F to compute w = H(d) −1 n 2 Compute x = S (w) ∈ F and X = Φ(x) ∈ E 3 Solve F(Y ) = X over E via Berlekamp’s algorithm −1 n −1 4 Compute y = Φ (Y ) ∈ F and z = T (y) n Signature: z ∈ F . A. Petzoldt Multivariate Cryptography PQCrypto Summer School 12 / 53 Signature Verification n Given: signature z ∈ F , message d n Compute w = H(d) ∈ F 0 n Compute w = P(z) ∈ F Accept the signature z ⇔ w0 = w. A. Petzoldt Multivariate Cryptography PQCrypto Summer School 13 / 53 Remark HFE central map is not bijective ⇒ Signature generation process does not output a signature for every input message ⇒ Append a counter to the message d A. Petzoldt Multivariate Cryptography PQCrypto Summer School 14 / 53 The Attack of Kipnis and Shamir [KS99] Idea: Look at the scheme over the extemsion field E the linear maps S and T relate to univariate maps ? Pn−1 qi ? Pn−1 qi S (X) = i=1 si · X amd T (X) = i=1 ti · X with (unknown) coefficients si and ti ∈ E. the public key P? can be expressed as n−1 n−1 ? X X ? qi +qj ? T P (X) = pij X = X · P · X , i=0 j=0 ? ? q0 q1 qn−1 where P = [pij ] and X = (X , X ,..., X ). The components of the matrix P? can be found by polynomial interpolation. A. Petzoldt Multivariate Cryptography PQCrypto Summer School 15 / 53 The attack of Kipnis and Shamir (2) the relation P?(X) = S? ◦ F ◦ T ?(X) yields (S?)−1 ◦ P?(X) = F ◦ T ?(X) and n−1 X ?k T P˜ = sk · G = W · F · W k=0 ? k ? qk qi with gij = (p i−k mod n,j−k mod n) , wij = sj−i mod n. ! ? 0 We know that F has the form F = . 0 0 ⇒ Rank(F ) ≤ r with r = blogq D − 1c + 1. ⇒ Rank(W · F · W T ) ≤ r ⇒ We can recover the coefficients sk by solving a MinRank problem over the extension field E. A. Petzoldt Multivariate Cryptography PQCrypto Summer School 16 / 53 MinRank attack on HFE Computing the map P? is very costly ⇒ The attack of Kipnis and Shamir is not very efficient. Work of Bettale et al: Perform the MinRank attack without recovering P? ⇒ HFE can be broken by using a MinRank problem over the base field F. !ω n + r Complexity = MinRank r with 2 < ω ≤ 3 and r = blogq(D − 1)c + 1. A. Petzoldt Multivariate Cryptography PQCrypto Summer School 17 / 53 Direct Attacks Experiments: Public Systems of HFE can be solved much faster than random systems Theoretical Explanation: Upper bound for dreg ( (q−1)·(r−1) 2 + 2 q even and r odd, dreg ≤ (q−1)·r , 2 + 2 otherwise. with r = blogq(D − 1)c + 1. ⇒ Basic version of HFE is not secure A. Petzoldt Multivariate Cryptography PQCrypto Summer School 18 / 53 HFE Variants Encryption Schemes IPHFE+ (not very efficient) ZHFE ( → this conference) HFE- (for small minus parameter; → this conference) Signature Schemes HFEv-, Gui MHFEv (→ this conference) A. Petzoldt Multivariate Cryptography PQCrypto Summer School 19 / 53 HFE Variants Encryption Schemes IPHFE+ (not very efficient) ZHFE (→ this conference) HFE- (for small minus parameter; → this conference) Signature Schemes HFEv-, Gui MHFEv (→ this conference) A. Petzoldt Multivariate Cryptography PQCrypto Summer School 20 / 53 HFEv- - Key Generation n finite field F, extension field E of degree n, isomorphism Φ : F → E v central map F : F × E → E, qi +qj ≤D qi ≤D X qi +qj X qi F(X) = αij X + βi (v1,..., vv ) · X + γ(v1,..., vv ) 0≤i≤j i=0 ¯ −1 n+v n ⇒ F = Φ ◦ F ◦ (Φ × idv ) quadratic map: F → F n n−a n+v n+v linear maps S : F → F and T : F → F of maximal rank n+v n−a public key: P = S ◦ F¯ ◦ T : F → F private key: S, F, T A. Petzoldt Multivariate Cryptography PQCrypto Summer School 21 / 53 Signature Generation n−a Given: message (hash value) w ∈ F −1 n 1 Compute x = S (w) ∈ F and X = Φ(x) ∈ E 2 Choose random values for the vinegar variables v1,..., vv Solve Fv1,...,vv (Y ) = X over E via Berlekamps algorithm −1 n −1 3 Compute y = Φ (Y ) ∈ F and z = T (y||v1|| ... ||vv ) n+v Signature: z ∈ F . A. Petzoldt Multivariate Cryptography PQCrypto Summer School 22 / 53 Signature Verification n+v n−a Given: signature z ∈ F , message (hash value) w ∈ F 0 n−a Compute w = P(z) ∈ F Accept the signature z ⇔ w0 = w. A. Petzoldt Multivariate Cryptography PQCrypto Summer School 23 / 53 Workflow of HFEv- Signature Generation −1 X ∈ E F -Y ∈ E 6 v1,...,vv Φ Φ−1 −1 −1 ? −1 n−a S- n F¯- n+v T- n+v w ∈ F x ∈ F y ∈ F z ∈ F 6 P Signature Verification A. Petzoldt Multivariate Cryptography PQCrypto Summer School 24 / 53 Toy Example - Key Generation (q, n, D, a, v) = (4, 3, 17, 0, 1). w is a generator of the field F = GF(4). 3 3 Extension field E = GF(4 ), E = F[b]/hb + wi 3 2 isomorphism φ : F → E, (a1, a2, a3) = a1 + a2 · b + a3 · b . 3 3 affine map S : F → F , w w 1 x1 w S(x1,..., x3) = w 1 0 · x2 + 0 2 w 0 w x3 1 4 4 affine map T : F → F , 0 w w 1 w 2 x1 w 2 0 w w 2 w . T (x1,..., x4) = 2 2 2 · . + w 1 w w w w 2 0 1 w 2 x4 w 2 A. Petzoldt Multivariate Cryptography PQCrypto Summer School 25 / 53 Key Generation (2) The central map F : E × F → E is given by 17 8 5 2 F = α17X + α8X + α5X + α2X 16 4 2 + β16(x4) · X + β4(x4) · X + β2(x4) · X + β1(x4) · X + γ(x4) 2 2 2 2 2 2 with α17 = b + b + w, α8 = w , α5 = w b + w , α2 = wb + wb + 1, 2 2 2 β16 = (w x4 + 1) · b + (wx4 + 1) · b + wx4 + w , 2 β4 = x4b + (x4 + w) · b + x4 + w, 2 2 2 2 β1 = (w x4 + w ) · b + (w x4 + w) · b + x4 + 1 and 2 2 2 2 γ = (x4 + w) · b + (wx4 + x4) · b + x4 + wx4 + w.