Abstract
At SAC 2019, Szepieniec and Preneel proposed a new variant of the Unbalanced Oil and Vinegar signature scheme (UOV) called block-anti-circulant UOV (BAC-UOV). In this scheme, the matrices representing the quadratic parts of the public key are designed to be block-anti-circulant matrices, which drastically reduces the public key size compared to the original UOV, whose public key is relatively large.
In this paper, we show that this block-anti-circulant property enables us to apply a special linear transformation to the variables of the public key polynomials. By executing the UOV attack on the quadratic terms in a subset of the variables of the resulting polynomial system, we obtain a polynomial system with fewer quadratic terms, which can be solved algebraically faster than by the plain direct attack. Our proposed attack reduces the bit complexity of breaking BAC-UOV by about 20% compared with the previously known attacks. For example, the complexity of our proposed attack on the 147-bit BAC-UOV parameter set (claimed by its authors to reach security level II in the NIST PQC project) is reduced to 119 bits.
Acknowledgments
This work was supported by JST CREST Grant Number JPMJCR14D6, JSPS KAKENHI Grant Number 19K20266, and 18J20866.
Appendix: Toy Example
We show a toy example of the proposed attack on BAC-UOV (\(q=3,V=3,O=2,\ell =4\)).
1. Generating a BAC-UOV Public Key
- Private Key Generation
The matrix representing the linear map \(\mathcal {S}:\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{20}\) is generated as
and the matrices associated to the quadratic form of the central map \(\mathcal {F}=(f_1,\ldots ,f_8):\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{8}\) are generated to be
- Public Key Generation
From \(\mathcal {S}\) and \(\mathcal {F},\) we can obtain a public key \(\mathcal {P}=(p_1,\ldots ,p_8):\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{8}\) for BAC-UOV, and the matrices associated to their quadratic forms are
2. Our Proposed Attack
We first apply a linear transformation represented by \(L_4^{(5)}\) and a permutation to the public key \(\mathcal {P}=(p_1,\ldots ,p_8)\), as explained in Subsect. 4.1. \(L_4^{(5)}\) and the matrix representing the permutation, respectively, are
Then we construct a linear transformation \(\mathcal L\) by composing these two transformations. The matrices associated to the quadratic forms of the resulting polynomial system \(\mathcal {P}\circ \mathcal {L}=(p'_1,\ldots ,p'_8):\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{8}\) are in the form of (8):
Then, by applying the UOV attack only to the smaller upper-left submatrices of the matrices above, as in Sect. 4.2, we obtain a linear transformation \(\mathcal {L}':\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{20},\) whose linear representation is
and with this transformation we obtain a new polynomial system \(\mathcal {P}\circ \mathcal {L}\circ \mathcal {L}'=(p''_1,\ldots ,p''_8)\), whose matrices associated to the quadratic terms are given by
which are in the form of (10).
Then, in the polynomial system \(\mathcal {P}\circ \mathcal {L}\circ \mathcal {L}'(x_1,\dots ,x_{20})\), fixing \(x_1,x_2,x_3\) to random values makes \(x_4,x_5\) disappear from the quadratic parts. This reduces the complexity of the direct attack.
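The first step of the attack, the block-wise linear transformation of Subsect. 4.1, as an added Python example that is not the paper's code: the change of variables chosen here sums the variables of each anti-circulant block and need not coincide with the paper's \(L_4^{(5)}\), and all coefficients are constructed. Because every row and every column of an anti-circulant block sums to the same value, the quadratic form splits into a 5-variable part and a 15-variable part with no cross terms, which is what lets the UOV attack run on the small upper-left submatrices.

```python
import random
Q, ELL, BLOCKS = 3, 4, 5      # field size q, block size l, number of variable blocks V + O
N = ELL * BLOCKS              # n = 20 variables, as in the toy example

def anti_circulant(row):
    """l x l anti-circulant block: entry (i, j) is row[(i + j) mod l]."""
    l = len(row)
    return [[row[(i + j) % l] for j in range(l)] for i in range(l)]

def block_anti_circulant(first_rows):
    """Assemble an n x n matrix from a BLOCKS x BLOCKS grid of first rows."""
    M = [[0] * N for _ in range(N)]
    for a in range(BLOCKS):
        for b in range(BLOCKS):
            blk = anti_circulant(first_rows[a][b])
            for i in range(ELL):
                for j in range(ELL):
                    M[a * ELL + i][b * ELL + j] = blk[i][j] % Q
    return M

def sum_transform():
    """Change of variables x = L y (editor's choice, not necessarily the paper's L).
    For block a, y_a multiplies the all-ones vector (the 'sum' coordinate) and the other
    l-1 coordinates multiply e_j - e_0; sum coordinates go first. Invertible since 4 = 1 mod 3."""
    L = [[0] * N for _ in range(N)]
    for a in range(BLOCKS):
        for i in range(ELL):
            L[a * ELL + i][a] = 1
        for j in range(1, ELL):
            col = BLOCKS + a * (ELL - 1) + j - 1
            L[a * ELL + j][col] = 1
            L[a * ELL][col] = Q - 1                  # -1 mod q
    return L

def congruence(M, L):
    """Matrix of the quadratic form in the new variables: L^T M L mod q."""
    n = len(M)
    ML = [[sum(M[i][k] * L[k][j] for k in range(n)) % Q for j in range(n)] for i in range(n)]
    return [[sum(L[k][i] * ML[k][j] for k in range(n)) % Q for j in range(n)] for i in range(n)]

def sample_first_rows(seed):
    """Constructed sample coefficients for one public-key matrix (not the paper's values)."""
    rng = random.Random(seed)
    return [[[rng.randrange(Q) for _ in range(ELL)] for _ in range(BLOCKS)] for _ in range(BLOCKS)]

def cross_terms_vanish(T):
    """True iff no term mixes a sum coordinate with a difference coordinate, i.e. the form
    splits into a BLOCKS x BLOCKS block (the reduced UOV system) and the rest."""
    return all(T[i][j] == 0 and T[j][i] == 0 for i in range(BLOCKS) for j in range(BLOCKS, N))
```

The upper-left 5x5 block after the transformation has entry \((a,b)\) equal to \(\ell\) times the coefficient sum of block \((a,b)\), so it is itself a 5-variable UOV-shaped form with 3 vinegar and 2 oil variables.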
© 2020 Springer Nature Switzerland AG
Cite this paper
Furue, H., Kinjo, K., Ikematsu, Y., Wang, Y., Takagi, T. (2020). A Structural Attack on Block-Anti-Circulant UOV at SAC 2019. In: Ding, J., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2020. Lecture Notes in Computer Science(), vol 12100. Springer, Cham. https://doi.org/10.1007/978-3-030-44223-1_18
DOI: https://doi.org/10.1007/978-3-030-44223-1_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-44222-4
Online ISBN: 978-3-030-44223-1