Abstract
Extension Field Cancellation (EFC) is a multivariate-based primitive for encryption proposed by Szepieniec, Ding and Preneel in 2016. They claim to provide 80 bits of security for all the proposed variants and parameters. In this paper, we develop a rigorous security analysis and show that none of the proposed variants achieve the claimed security levels. While the Joux-Vitse algorithm can perform message recovery on the variants EFC\(_{p}^{-}(2,83,10)\) and EFC\(_{pt^{2}}^{-}(2,83,8)\) in less than \(2^{80}\) bit operations, we offer a new key recovery technique based on MinRank that can break the last proposed variant EFC\(^{-}_{p}(3,59,6)\) with complexity \(2^{73}\). We also introduce a new technique based on a spectral decomposition with respect to a subfield to recover the first half of the isomorphism of polynomials in EFC\(^{-}_{p}(q,n,a)\), when \(a = 0,1\). This technique is of independent interest.
J. Verbel—This work was performed with the support of the University of Louisville facilities.
Notes
1. In block form \(\left( \mathbf{P}_{1}, \ldots , \mathbf{P}_{2n}\right) = \left( \mathbf{G}_{1}, \ldots , \mathbf{G}_{n}, \mathbf{G}'_{1}, \ldots , \mathbf{G}'_{n} \right) \left[ \left( \left[ \mathbf{I}_{2} \otimes \mathbf{M}^{-1} \right] \mathbf{T} \right) \otimes \mathbf{I}_n\right] \), where \(\otimes \) denotes the Kronecker product; i.e., \(\mathbf{P}_{i}=\sum _{k=1}^{n} \left( s_{k} \mathbf{G}_{k} + t_{k} \mathbf{G}'_{k}\right) \) for \(i = 1,\ldots ,2n\), where \((s_1,\ldots ,s_n,t_1,\ldots , t_n)^{\top }\) is the i-th column of \(\left[ \mathbf{I}_{2} \otimes \mathbf{M}^{-1} \right] \mathbf{T} \).
2. Any mention of commercial products does not indicate endorsement by NIST.
References
1. Apon, D., Moody, D., Perlner, R., Smith-Tone, D., Verbel, J.: Combinatorial rank attacks against the rectangular simple matrix encryption scheme. Concurrent submission to PQCrypto 2020 (2020)
2. Bettale, L., Faugère, J.-C., Perret, L.: Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Des. Codes Cryptogr. 69(1), 1–52 (2013)
3. Billet, O., Gilbert, H.: Cryptanalysis of rainbow. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 336–347. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_23
4. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: the user language. J. Symb. Comput. 24(3–4), 235–265 (1997)
5. Cabarcas, D., Smith-Tone, D., Verbel, J.A.: Key recovery attack for ZHFE. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 289–308. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_17
6. Cartor, R., Smith-Tone, D.: An updated security analysis of PFLASH. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 241–254. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_14
7. Cartor, R., Smith-Tone, D.: EFLASH: a new multivariate encryption scheme. In: Cid, C., Jacobson Jr., M. (eds.) Selected Areas in Cryptography - SAC 2018, 25th International Conference, Calgary, AB, Canada, August 15–17, 2018, Revised Selected Papers, pp. 281–299. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-030-10970-7_13
8. Chen, M.-S., Yang, B.-Y., Smith-Tone, D.: PFLASH - secure asymmetric signatures on smart cards. Lightweight Cryptography Workshop 2015 (2015). http://csrc.nist.gov/groups/ST/lwc-workshop2015/papers/session3-smith-tone-paper.pdf
9. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_12
10. Ding, J.: A new variant of the Matsumoto-Imai cryptosystem through perturbation. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 305–318. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_22
11. Ding, J., Kleinjung, T.: Degree of regularity for HFE. Cryptology ePrint Archive, Report 2011/570 (2011)
12. Ding, J., Petzoldt, A., Wang, L.: The cubic simple matrix encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 76–87. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_5
13. Ding, J., Yang, B.-Y.: Degree of regularity for HFEv and HFEv-. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 52–66. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_4
14. Dubois, V., Fouque, P.-A., Shamir, A., Stern, J.: Practical cryptanalysis of SFLASH. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 1–12. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_1
15. Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_3
16. Faugère, J.-C., El Din, M.S., Spaenlehauer, P.-J.: Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology. In: Symbolic and Algebraic Computation, International Symposium, ISSAC 2010, Munich, Germany, 25–28 July 2010, Proceedings, pp. 257–264 (2010)
17. Fouque, P.-A., Granboulan, L., Stern, J.: Differential cryptanalysis for multivariate schemes. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 341–353. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_20
18. Gaborit, P., Ruatta, O., Schrek, J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory 62(2), 1006–1019 (2016)
19. Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_4
20. Ikematsu, Y., Perlner, R., Smith-Tone, D., Takagi, T., Vates, J.: HFERP - a new multivariate encryption scheme. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 396–416. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_19
21. Joux, A., Vitse, V.: A crossbred algorithm for solving Boolean polynomial systems. In: Kaczorowski, J., Pieprzyk, J., Pomykała, J. (eds.) NuTMiC 2017. LNCS, vol. 10737, pp. 3–21. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76620-1_1
22. Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_15
23. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_2
24. Moody, D., Perlner, R., Smith-Tone, D.: An asymptotically optimal structural attack on the ABC multivariate encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 180–196. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_11
25. Moody, D., Perlner, R., Smith-Tone, D.: Key recovery attack on the cubic ABC simple matrix multivariate encryption scheme. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 543–558. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_29
26. Moody, D., Perlner, R., Smith-Tone, D.: Improved attacks for characteristic-2 parameters of the cubic ABC simple matrix encryption scheme. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 255–271. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_15
27. Niederhagen, R., Ning, K.-C., Yang, B.-Y.: Implementing Joux-Vitse's crossbred algorithm for solving \(\mathcal{MQ}\) systems over \(\mathbb{F}_2\) on GPUs. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 121–141. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_6
28. Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_4
29. Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt '88. Des. Codes Cryptogr. 20, 175–209 (2000)
30. Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_21
31. Perlner, R., Petzoldt, A., Smith-Tone, D.: Total break of the SRP encryption scheme. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 355–373. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_18
32. Petzoldt, A., Chen, M.-S., Yang, B.-Y., Tao, C., Ding, J.: Design principles for HFEv-based multivariate signature schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 311–334. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_14
33. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
34. Smith-Tone, D.: Properties of the discrete differential with cryptographic applications. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 1–12. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_1
35. Szepieniec, A., Ding, J., Preneel, B.: Extension field cancellation: a new central trapdoor for multivariate quadratic systems. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 182–196. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_12
36. Tao, C., Diene, A., Tang, S., Ding, J.: Simple matrix scheme for encryption. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 231–242. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_16
37. Tao, C., Xiang, H., Petzoldt, A., Ding, J.: Simple matrix - a multivariate public key cryptosystem (MPKC) for encryption. Finite Fields Appl. 35, 352–368 (2015)
38. Vates, J., Smith-Tone, D.: Key recovery attack for all parameters of HFE-. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 272–288. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_16
39. Verbel, J., Baena, J., Cabarcas, D., Perlner, R., Smith-Tone, D.: On the complexity of "superdetermined" MinRank instances. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 167–186. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_10
40. Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory 32(1), 54–62 (1986)
41. Wolf, C., Braeken, A., Preneel, B.: On the security of stepwise triangular systems. Des. Codes Cryptogr. 40(3), 285–302 (2006)
42. Yasuda, T., Sakurai, K.: A multivariate encryption scheme with rainbow. In: Qing, S., Okamoto, E., Kim, K., Liu, D. (eds.) ICICS 2015. LNCS, vol. 9543, pp. 236–251. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29814-6_19
Acknowledgements
The author Javier Verbel is supported by “Fondo Nacional de Financiamiento para la Ciencia, la Tecnología y la Innovación Francisco José de Caldas”, Colciencias (Colombia). Some of the experiments were conducted on the Gauss Server, financed by “Proyecto Plan 150 \(\times \) 150 Fomento de la cultura de evaluación continua a través del apoyo a planes de mejoramiento de los programas curriculares”.
The authors would also like to thank the program committee and reviewers for their many valuable comments contributing to the quality of this manuscript.
Appendices
A Modifiers
To protect against linearization equations, MinRank, and direct algebraic attacks, the basic EFC scheme is modified. Here we present these modifiers.
A.1 Minus Modifier
This modifier can be seen as a function parameterized by an integer a. It takes as input a sequence of polynomials \((p_1(\mathbf{x}),p_2(\mathbf{x}),\ldots ,p_{\ell}(\mathbf{x}))\) and outputs the truncated sequence \((p_{1}(\mathbf{x}),p_{2}(\mathbf{x}),\ldots ,p_{\ell -a}(\mathbf{x}))\), i.e., the last a polynomials are discarded. It is well known that this modification either prevents or increases the complexity of some of the aforementioned attacks [11, 13, 32, 38]. As usual, the minus modification of EFC is denoted by EFC\(^{-}\).
The efficiency of EFC is strongly affected by this modifier. In particular, Eq. (1) cannot be used directly for decryption in the modified scheme. Instead, one must guess the vector in \(\mathbb{F}_{q}^a\) corresponding to the output of the removed polynomials \(\left( p_{\ell -a+1}(\mathbf{x}_0),p_{\ell -a+2}(\mathbf{x}_0),\ldots ,p_{\ell}(\mathbf{x}_0)\right)\). The expected complexity of decryption thus becomes \(O\left( q^a n^{2.8} \right)\) multiplications over \(\mathbb{F}_{q}\).
A.2 Projection Modifier
Another style of attack can undermine the minus modifier: the well-known differential attacks [14, 34]. To avoid these, a kind of projection is applied inside the central maps \(\mathcal{F}_{1}\), \(\mathcal{F}_{2}\). More precisely, instead of choosing the matrices A and B completely at random, they are chosen at random subject to the constraint of having rank \(n-1\). The designers also require n to be a prime number and the kernels of A and B to intersect trivially. The symbol EFC\(_{p}\) denotes a projected scheme.
A.3 Frobenius Tail Modifier
This modifier works over characteristic 2 or 3. In the characteristic two case, the central map is defined from \(\mathbb{E}\) to \(\mathbb{E}^{2}\) as follows:
where \(\alpha (X)\) and \(\beta (X)\) are \(\mathbb {F}_{q}\)-linear maps. (The construction for characteristic 3 is similar using the square instead of the cube.) For decryption details see [35]. Schemes employing this modifier are denoted EFC\(_{t^{2}}\) or EFC\(_{t^{3}}\).
B Toy Example
To illustrate the attack, we present the recovery of an equivalent private key for an instance of EFC over a small odd prime field.
B.1 Key Generation
Let \(q=3\), \(d=n=7\), and \(a=1\). Let \(\mathbb {K}=\mathbb {F}_q[x]/\left\langle x^7-x^2+1\right\rangle =\mathbb {F}_q(b)\), where b is a root of this irreducible polynomial.
We randomly select two \(\mathbb {F}_q\)-linear maps \(\alpha (X)\) and \(\beta (X)\) and construct \(F_1(X)=X\cdot \alpha (X)\) and \(F_2(X)=X\cdot \beta (X)\). Explicitly, as quadratic forms on \(\mathbb {E}\), we have:
We further select two invertible \(\mathbb {F}_q\)-linear transformations T and U:
We then fix \(\varPi :\mathbb {F}_q^{2n}\rightarrow \mathbb {F}_q^{2n-1}\), the projection onto the first \(2n-1\) coordinates. The public key, \(\mathcal {P}=\varPi \circ T\circ \varphi _{2}^{-1} \circ (\mathcal {F}_1 \mathcal {F}_2)^\top \circ \varphi \circ U\) is then computed as a collection of quadratic forms, \(\mathbf {P}_i\) for \(i=0,\ldots ,12\), following Eq. (3).
B.2 Recovering an Equivalent Key
The first step in key recovery is solving a Minrank instance on the public key with target rank 2. As proven in Theorem 1, a solution to the Minrank instance exists with high probability. There are \(n=7\) solutions; specifically, the solutions are the Frobenius powers of the coordinates of
The matrix \(\mathbf {L}_1=\sum _{i=0}^{12}s_i\mathbf {P}_i\) has rank 2 as required. We concatenate a random value to \(\mathbf {s}\) to produce a vector \(\mathbf{t} _{1} \in \mathbb {E}^{2n}\) and to give it the correct dimension to represent an \(\mathbb {F}_q\)-linear transformation from \(\mathbb {K}^2\rightarrow \mathbb {K}\). The linear transformation producing this low rank matrix from the public key is then given by:
We next compute the spectral decomposition \(\mathbf {QDQ}^\top \) of \(\mathbf {L}_1\). As noted in Sect. 5.3, over \(\mathbb {F}_q\) there is a degree of freedom in choosing \(\mathbf {w}\) in the column space of \(\mathbf {Q}\) with the property that \(\mathbf {W}=\begin{bmatrix}\mathbf {w}&\mathbf {w}^q&\cdots&\mathbf {w}^{q^{n-1}}\end{bmatrix}\) produces \(\mathbf {W}^{-1}\mathbf {L}_1\mathbf {W}^{-\top }\) of the appropriate shape. We obtain \(\mathbf {w}=\begin{bmatrix}b^{1199}&b^{586}&b^{358}&b^{2144}&b^{553}&b^{199}&b^{400}\end{bmatrix},\) revealing the input transformation:
and producing the first recovered central map:
Transforming the public key \(\mathcal {P}'=\mathcal {P}\circ U'^{-1}\), we recover a linear combination of the public matrices over \(\mathbb {K}\) of the form of a central map composed with a projection. We find that the nonlinear equations defining this relationship are already in the ideal generated by the linear equations, so this step requires only the solution of a linear system. Appending an additional random coefficient to this linear combination, we obtain:
and build \(\mathbf {T}_2=\begin{bmatrix}\mathbf {t}_2^{\top }&\mathbf {t}_2^{(q)\top }&\cdots&\mathbf {t}_2^{(q^{n-1})\top }\end{bmatrix}\), from which, in conjunction with \(\mathbf {T}_1\), we recover an equivalent output transformation:
Furthermore, the recovered map:
is decomposed into the composition of the central map:
and the projection
We then find that the public key satisfies \(\mathcal {P}=\varPi \circ T'\circ [\text {Id }\varPi ']\circ [F_1' F_2']^\top \circ U'\), where \(\varPi \) is the minus modifier.
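As an added illustration (not code from the paper), the following Python builds the toy-sized central map \(F_1(X)=X\cdot \alpha (X)\) over \(\mathbb{K}=\mathbb{F}_3[x]/\left\langle x^7-x^2+1\right\rangle \) from B.1 with a constructed random \(\alpha \), recovers the seven public quadratic forms \(\mathbf{G}_k\) by polarization, and checks that the \(\mathbb{K}\)-linear combination \(\sum _k b^k\mathbf{G}_k\) has rank 2, the low-rank structure that the MinRank step of B.2 searches for. It omits T, U, the projection and the minus modifier, so here the rank-2 coefficients \((1,b,\ldots ,b^{6})\) are known in advance instead of being found by solving MinRank.

```python
import random
Q, N = 3, 7                       # toy parameters q = 3, n = 7; K = F_3[x]/(x^7 - x^2 + 1) with b = x
def add(u, v): return [(s + t) % Q for s, t in zip(u, v)]     # elements of K: coefficient lists b^0..b^6
def sub(u, v): return [(s - t) % Q for s, t in zip(u, v)]
def mul(u, v):                    # schoolbook product, then reduce x^k = x^(k-5) - x^(k-7) (x^7 = x^2 - 1)
    prod = [0] * (2 * N - 1)
    for i, s in enumerate(u):
        for j, t in enumerate(v):
            prod[i + j] = (prod[i + j] + s * t) % Q
    for k in range(2 * N - 2, N - 1, -1):
        prod[k - 5], prod[k - 7] = (prod[k - 5] + prod[k]) % Q, (prod[k - 7] - prod[k]) % Q
    return prod[:N]
def power(u, e):                  # square-and-multiply: Frobenius powers X^(3^i) and inverses a^(3^7 - 2)
    r = [1] + [0] * (N - 1)
    while e:
        if e & 1: r = mul(r, u)
        u, e = mul(u, u), e >> 1
    return r
def central(x, a):
    # F1(X) = X * alpha(X), alpha(X) = sum_i a_i X^(3^i). With phi(x) = sum_j x_j b^j the vector x in F_3^7
    # is the coefficient list of X, and the coefficients of F1(X) are the coordinate forms f_1(x)..f_n(x).
    alpha = [0] * N
    for i in range(N):
        alpha = add(alpha, mul(a[i], power(x, Q ** i)))
    return mul(x, alpha)
def quadratic_forms(a):
    # symmetric matrix G_k of each f_k over F_3 by polarization: G_k[i][i] = f_k(e_i) and, for i != j,
    # G_k[i][j] = (f_k(e_i + e_j) - f_k(e_i) - f_k(e_j)) / 2, where 1/2 = 2 in F_3
    E = [[int(i == j) for j in range(N)] for i in range(N)]
    G = [[[0] * N for _ in range(N)] for _ in range(N)]
    for i in range(N):
        for j in range(N):
            d = sub(sub(central(add(E[i], E[j]), a), central(E[i], a)), central(E[j], a))
            val = central(E[i], a) if i == j else [(2 * s) % Q for s in d]
            for k in range(N):
                G[k][i][j] = val[k]
    return G
def rank_over_K(L):               # Gaussian elimination on an N x N matrix with entries in K
    M, r = [row[:] for row in L], 0
    for c in range(N):
        piv = next((i for i in range(r, N) if any(M[i][c])), None)
        if piv is None: continue
        M[r], M[piv] = M[piv], M[r]
        p = power(M[r][c], Q ** N - 2)
        M[r] = [mul(p, e) for e in M[r]]
        for i in range(N):
            if i != r and any(M[i][c]):
                M[i] = [sub(e, mul(M[i][c], t)) for e, t in zip(M[i], M[r])]
        r += 1
    return r
def demo(seed=1):
    rng = random.Random(seed)
    a = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]   # constructed random alpha (hypothetical key)
    G = quadratic_forms(a)
    # L = sum_k b^k G_k over K: entry (i, j) is the K-element with coefficient list (G_0[i][j], ..., G_6[i][j])
    L = [[[G[k][i][j] for k in range(N)] for j in range(N)] for i in range(N)]
    return a, G, rank_over_K(L)   # rank 2: the low-rank combination that the MinRank step of B.2 looks for
```

Each \(\mathbf{G}_k\) on its own is a dense form over \(\mathbb{F}_3\); only the combination with coefficients from \(\mathbb{K}\) collapses to rank 2, which is why the attack must work over the extension field.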
© 2020 This is a U.S. government work and not under copyright protection in the U.S.; foreign copyright protection may apply
Cite this paper
Smith-Tone, D., Verbel, J. (2020). A Rank Attack Against Extension Field Cancellation. In: Ding, J., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2020. Lecture Notes in Computer Science(), vol 12100. Springer, Cham. https://doi.org/10.1007/978-3-030-44223-1_21
DOI: https://doi.org/10.1007/978-3-030-44223-1_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-44222-4
Online ISBN: 978-3-030-44223-1