A Rank Attack Against Extension Field Cancellation

Abstract

Extension Field Cancellation (EFC) is a multivariate-based primitive for encryption proposed by Szepieniec, Ding and Preneel in 2016. They claim to provide 80 bits of security for all the proposed variants and parameters. In this paper, we develop a rigorous security analysis and show that none of the proposed variants archive the claimed security levels. While the Joux-Vitse algorithm can perform message recovery on the variants EFC\(_{p}^{-}(2,83,10)\) and EFC\(_{pt^{2}}^{-}(2,83,8)\) in less than \(2^{80}\) bit operations, we offer a new key recovery technique based on MinRank that can break the last proposed variant EFC\(^{-}_{p}(3,59,6)\) with complexity \(2^{73}\). We also introduce a new technique based on a spectral decomposition with respect to a subfield to recover the first half of the isomorphism of polynomials in EFC\(^{-}_{p}(q,n,a)\), when \(a = 0,1\). This technique is of independent interest.

J. Verbel—This work was performed with the support of the University of Louisville facilities.

Appendices

A Modifiers

To protect against linearization equations, Minrank, and direct algebraic attacks the basic EFC scheme is modified. Here we present these modifiers.

1.1 A.1 Minus Modifier

This modifier can be seen as a function parameterized by an integer a. It takes as input a sequence of polynomials \((p_1(\mathbf{x} ),p_2(\mathbf{x} ),\ldots ,p_{\ell }(\mathbf{x} ))\) and outputs the sequence \((p_{1}(\mathbf{x} ),p_{2}(\mathbf{x} ), \ldots , p_{\ell -a}(\mathbf{x} )\). It is well known that this modification either avoids or increases the complexity some of the aforementioned attacks [11, 13, 32, 38]. As usual, the minus modification of EFC is denoted by EFC\(^{-}\).

The efficiency of EFC is strongly affected by this modifier. In particular, Eq. (1) cannot be directly used for decryption for the modified scheme. Instead, we need to guess the vector in \(\mathbb {F}_{q}^a\) which corresponds to the output of the missed polynomials \(\left( p_{\ell -a+1}(\mathbf{x} _0 ),p_{\ell -a+2}(\mathbf{x} _0 ) \ldots ,p_{\ell }(\mathbf{x} _0 )\right) \). The expected complexity of decryption becomes \(O\left( q^a n^{2.8} \right) \) multiplications over \(\mathbb {F}_{q}\).

1.2 A.2Projection Modifier

There is another style of attack that can undermine the minus modifier. These are the well known differential attacks [14, 34]. To avoid these attacks, a kind of projection is applied inside of the central maps \(\mathcal {F}_{1}\), \(\mathcal {F}_{2}\). More precisely, instead of choosing completely at random matrices A, B, those are chosen randomly under the constraint of having rank \(n-1\). The designers also insist for n to be a prime number, and that the kernels of A B have not nontrivial intersection. The symbol EFC\(_{p}\) is used to denote a projected scheme.

1.3 A.3 Frobenius Tail Modifier

This modifier works over characteristic 2 of 3. In the characteristic two case, the central map is defined from \(\mathbb {E}\) to \(\mathbb {E}^{2}\) as follows

$$\begin{aligned} X \mapsto \left( \begin{array}{c} \alpha (X) X + \beta (X)^{3} \\ \beta (X) X + \alpha (X)^{3} \end{array}\right) , \end{aligned}$$

where \(\alpha (X)\) and \(\beta (X)\) are \(\mathbb {F}_{q}\)-linear maps. (The construction for characteristic 3 is similar using the square instead of the cube.) For decryption details see [35]. Schemes employing this modifier are denoted EFC\(_{t^{2}}\) or EFC\(_{t^{3}}\).

B Toy Example

To illustrate the attack, we present the recovery of an equivalent private key for an instance of EFC over a small odd prime field.

1.1 B.1 Key Generation

Let \(q=3\), \(d=n=7\), and \(a=1\). Let \(\mathbb {K}=\mathbb {F}_q[x]/\left\langle x^7-x^2+1\right\rangle =\mathbb {F}_q(b)\), where b is a root of this irreducible polynomial.

We randomly select two \(\mathbb {F}_q\)-linear maps \(\alpha (X)\) and \(\beta (X)\) and construct \(F_1(X)=X\cdot \alpha (X)\) and \(F_2(X)=X\cdot \beta (X)\). Explicitly, as quadratic forms on \(\mathbb {E}\), we have:

$$\begin{aligned} \begin{aligned} F_1&= \begin{bmatrix} b^{1267} &{} b^{398} &{} b^{1100} &{} b^{1036} &{} b^{1905} &{} b^{521} &{} b^{1334}\\ b^{398} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1100} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1036} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1905} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{521} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1334} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\end{bmatrix},\\ F_2&= \begin{bmatrix} b^{1818} &{} b^{842} &{} b^{1991} &{} b^{1157} &{} b^{380} &{} b^{596} &{} b^{895}\\ b^{842} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1991} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1157} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{380} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{596} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{895} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\end{bmatrix} \end{aligned} \end{aligned}$$

We further select two invertible \(\mathbb {F}_q\)-linear transformations T and U:

$$\begin{aligned} \mathbf {T} = \left[ \begin{array}{*{14}c} 0 &{} 2 &{} 1 &{} 2 &{} 0 &{} 2 &{} 2 &{} 1 &{} 0 &{} 2 &{} 2 &{} 0 &{} 1 &{} 2\\ 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 2 &{} 1 &{} 0 &{} 0 &{} 2 &{} 1\\ 2 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 2 &{} 2 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0\\ 0 &{} 2 &{} 0 &{} 2 &{} 2 &{} 1 &{} 0 &{} 2 &{} 0 &{} 2 &{} 1 &{} 1 &{} 2 &{} 2\\ 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 2 &{} 1 &{} 1 &{} 2 &{} 0 &{} 1 &{} 0\\ 1 &{} 1 &{} 2 &{} 0 &{} 0 &{} 2 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 0 &{} 1\\ 0 &{} 2 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 2 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0\\ 1 &{} 1 &{} 2 &{} 1 &{} 0 &{} 1 &{} 0 &{} 0 &{} 2 &{} 2 &{} 0 &{} 1 &{} 0 &{} 1\\ 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0\\ 1 &{} 2 &{} 1 &{} 0 &{} 2 &{} 2 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 2 &{} 2\\ 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 2 &{} 0 &{} 2 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 2\\ 0 &{} 2 &{} 2 &{} 2 &{} 0 &{} 1 &{} 2 &{} 1 &{} 0 &{} 2 &{} 0 &{} 0 &{} 0 &{} 1\\ 0 &{} 0 &{} 1 &{} 2 &{} 0 &{} 1 &{} 0 &{} 0 &{} 1 &{} 2 &{} 1 &{} 1 &{} 1 &{} 2\\ 1 &{} 2 &{} 1 &{} 2 &{} 0 &{} 2 &{} 1 &{} 2 &{} 2 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0\end{array}\right] , \mathbf {U} = \begin{bmatrix} 1 &{} 2 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0\\ 0 &{} 0 &{} 1 &{} 0 &{} 2 &{} 1 &{} 2\\ 2 &{} 0 &{} 2 &{} 2 &{} 2 &{} 0 &{} 0\\ 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1\\ 1 &{} 0 &{} 0 &{} 0 &{} 2 &{} 1 &{} 0\\ 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2\\ 0 &{} 1 &{} 2 &{} 1 &{} 1 &{} 2 &{} 2\end{bmatrix}. \end{aligned}$$

We then fix \(\varPi :\mathbb {F}_q^{2n}\rightarrow \mathbb {F}_q^{2n-1}\), the projection onto the first \(2n-1\) coordinates. The public key, \(\mathcal {P}=\varPi \circ T\circ \varphi _{2}^{-1} \circ (\mathcal {F}_1 \mathcal {F}_2)^\top \circ \varphi \circ U\) is then computed as a collection of quadratic forms, \(\mathbf {P}_i\) for \(i=0,\ldots ,12\), following Eq. (3).

1.2 B.2 Recovering an Equivalent Key

The first step in key recovery is solving a Minrank instance on the public key with target rank 2. As proven in Theorem 1, a solution to the Minrank instance exists with high probability. There are \(n=7\) solutions; specifically, the solutions are the Frobenius powers of the coordinates of

$$ \mathbf {s}=\left( \begin{array}{*{13}c}1&b^{873}&b^{1492}&b^{1983}&b^{899}&b^{359}&b^{1463}&b^{2062}&b^{1982}&b^{689}&b^{422}&b^{665}&b^{1371}\end{array}\right) . $$

The matrix \(\mathbf {L}_1=\sum _{i=0}^{12}s_i\mathbf {P}_i\) has rank 2 as required. We concatenate a random value to \(\mathbf {s}\) to produce a vector \(\mathbf{t} _{1} \in \mathbb {E}^{2n}\) and to give it the correct dimension to represent an \(\mathbb {F}_q\)-linear transformation from \(\mathbb {K}^2\rightarrow \mathbb {K}\). The linear transformation producing this low rank matrix from the public key is then given by:

$$ \mathbf {T}_1=\begin{bmatrix}\mathbf {t}_{1}^{\top }&\mathbf {t}_{1}^{(q)\top }&\cdots&\mathbf {t}_{1}^{(q^{n-1})\top }\end{bmatrix}. $$

We next compute the spectral decomposition \(\mathbf {QDQ}^\top \) of \(\mathbf {L}_1\). As noted in Sect. 5.3, over \(\mathbb {F}_q\) there is a degree of freedom in choosing \(\mathbf {w}\) in the column space of \(\mathbf {Q}\) with the property that \(\mathbf {W}=\begin{bmatrix}\mathbf {w}&\mathbf {w}^q&\cdots&\mathbf {w}^{q^{n-1}}\end{bmatrix}\) produces \(\mathbf {W}^{-1}\mathbf {L}_1\mathbf {W}^{-\top }\) of the appropriate shape. We obtain \(\mathbf {w}=\begin{bmatrix}b^{1199}&b^{586}&b^{358}&b^{2144}&b^{553}&b^{199}&b^{400}\end{bmatrix},\) revealing the input transformation:

$$ \mathbf {U}' = \begin{bmatrix} 0 &{} 0 &{} 0 &{} 1 &{} 2 &{} 2 &{} 1\\ 0 &{} 2 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0\\ 0 &{} 1 &{} 0 &{} 0 &{} 2 &{} 2 &{} 1\\ 2 &{} 1 &{} 1 &{} 1 &{} 0 &{} 2 &{} 0\\ 1 &{} 2 &{} 0 &{} 1 &{} 2 &{} 1 &{} 2\\ 2 &{} 2 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0\\ 2 &{} 2 &{} 0 &{} 2 &{} 0 &{} 2 &{} 2\end{bmatrix}, $$

and producing the first recovered central map:

$$ \mathbf {F}_{1}' = \begin{bmatrix} b^{1182} &{} b^{1997} &{} b^{274} &{} b^{994} &{} b^{1902} &{} b^{253} &{} b^{652}\\ b^{1997} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{274} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{994} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1902} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{253} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{652} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\end{bmatrix}. $$

Transforming the public key \(\mathcal {P}'=\mathcal {P}\circ U'^{-1}\), we recover a linear combination of the public matrices over \(\mathbb {K}\) of the form of a central map composed with a projection. We find that the nonlinear equations defining this relationship are already in the ideal generated by the linear equations, so this step requires only the solution of a linear system. Appending an additional random coefficient to this linear combination, we obtain:

$$ \mathbf {t}_2=\left( \begin{array}{*{14}c}b^{569}&b^{1471}&b^{31}&b^{1373}&b^{613}&b^{1670}&b^{698}&b^{1749}&b^{1445}&b^{400}&b^{239}&b^{1441}&b^{1598}&b^{1127}\end{array}\right) . $$

and build \(\mathbf {T}_2=\begin{bmatrix}\mathbf {t}_2^{\top }&\mathbf {t}_2^{(q)\top }&\cdots&\mathbf {t}_2^{(q^{n-1})\top }\end{bmatrix}\), from which, in conjunction with \(\mathbf {T}_1\), we recover an equivalent output transformation:

$$ \mathbf {T}'^{-1} = \begin{bmatrix}\mathbf {T}_1\mathbf {M}^{-1}&\mathbf {T}_2\mathbf {M}^{-1}\end{bmatrix}=\left[ \begin{array}{*{14}c} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 &{} 2 &{} 2 &{} 2 &{} 2 &{} 1\\ 0 &{} 1 &{} 2 &{} 2 &{} 0 &{} 0 &{} 2 &{} 1 &{} 0 &{} 2 &{} 1 &{} 1 &{} 2 &{} 1\\ 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 2 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 2 &{} 1\\ 2 &{} 2 &{} 2 &{} 0 &{} 0 &{} 2 &{} 0 &{} 2 &{} 0 &{} 2 &{} 1 &{} 2 &{} 1 &{} 1\\ 1 &{} 0 &{} 0 &{} 2 &{} 1 &{} 1 &{} 1 &{} 2 &{} 2 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1\\ 2 &{} 0 &{} 2 &{} 0 &{} 0 &{} 2 &{} 2 &{} 1 &{} 2 &{} 2 &{} 0 &{} 2 &{} 0 &{} 0\\ 2 &{} 2 &{} 2 &{} 2 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 2 &{} 0\\ 1 &{} 2 &{} 1 &{} 0 &{} 2 &{} 0 &{} 1 &{} 2 &{} 2 &{} 0 &{} 2 &{} 2 &{} 1 &{} 0\\ 2 &{} 1 &{} 0 &{} 0 &{} 2 &{} 0 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 2 &{} 0\\ 0 &{} 2 &{} 1 &{} 2 &{} 1 &{} 2 &{} 2 &{} 2 &{} 2 &{} 0 &{} 2 &{} 0 &{} 2 &{} 2\\ 1 &{} 0 &{} 0 &{} 2 &{} 1 &{} 0 &{} 2 &{} 2 &{} 1 &{} 0 &{} 0 &{} 1 &{} 2 &{} 2\\ 1 &{} 2 &{} 2 &{} 0 &{} 0 &{} 0 &{} 2 &{} 2 &{} 2 &{} 0 &{} 0 &{} 0 &{} 2 &{} 0\\ 1 &{} 1 &{} 2 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 2 &{} 2 &{} 2 &{} 2\\ 2 &{} 0 &{} 2 &{} 1 &{} 0 &{} 2 &{} 0 &{} 1 &{} 2 &{} 0 &{} 1 &{} 2 &{} 2 &{} 2\end{array}\right] . $$

Furthermore, the recovered map:

$$ \mathbf {L}_2 = \begin{bmatrix} b^{863} &{} b^{260} &{} b^{889} &{} b^{2123} &{} b^{265} &{} b^{1375} &{} b^{375}\\ b^{260} &{} b^{1730} &{} b^{1077} &{} b^{1808} &{} b^{1138} &{} b^{2122} &{} b^{1080}\\ b^{889} &{} b^{1077} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{2123} &{} b^{1808} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{265} &{} b^{1138} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1375} &{} b^{2122} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{375} &{} b^{1080} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\end{bmatrix} $$

is decomposed into the composition of the central map:

$$ \mathbf {F}_{2}' = \begin{bmatrix} b^{863} &{} b^{1374} &{} b^{889} &{} b^{2123} &{} b^{265} &{} b^{1375} &{} b^{375}\\ b^{1374} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{889} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{2123} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{265} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1375} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{375} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\end{bmatrix} $$

and the projection

$$ \varPi ' (X)=X+b^{1327}X^q. $$

We then find that the public key satisfies \(\mathcal {P}=\varPi \circ T'\circ [\text {Id }\varPi ']\circ [F_1' F_2']^\top \circ U'\), where \(\varPi \) is the minus modifier.