A Complete Cryptanalysis of the Post-Quantum Multivariate Signature Scheme Himq-3

Abstract

In 2017 Kyung-Ah Shim et al. proposed a multivariate signature scheme called Himq-3 which is a submission to National Institute of Standards and Technology (NIST) standardization process of post-quantum cryptosystems. The Himq-3 signature scheme can be classified into the oil vinegar signature scheme family. Similar to the rainbow signature scheme, the Himq-3 signature scheme uses a multilayer structure to shorten the signature size. Moreover the signing process is very fast due to a special system called L-inveritble cycle system that is used to invert the central map. In this paper, we provide a complete cryptanalysis to the Himq-3 signature scheme. We describe a new attack method called the singularity attack. This attack is based on the observation that the variables in the L-invertible cycle system are not allowed to be zero in a valid signature. For the completeness, we show step by step how variables and layers can be separated so that signature forgery can be performed. We claim that the complexity of our attack is much lower than the proposed security level.

Appendices

A Toy Example

We provide a toy example to clarify the step 3.3. In this example, we choose \(k=3\), thus our field is the finite field of \(2^3\) elements. The finite field will be represented by \(\{0,1,w,w^2,\cdots ,w^6\}\), where w is a generator in the multiplicative group of the finite field. Let \(n=2\). For the sake of clarity. We use a linear map instead of a affine map. Our linear map \(\mathcal {T}\) is randomly chosen to be the matrix

$$\begin{aligned}\begin{bmatrix} w^2 &{} w^2 \\ w^3 &{} w \end{bmatrix}.\end{aligned}$$

Suppose we obtain a set of signatures \((x_1,x_2)\):

$$\begin{aligned}&(w,w^5), (w^5,w), (w^2,1), (w^6,w^5), (0,w^2), (w^5,w^3),(1,w^6),(0,w^5),\\&(0,w^2), (1,0), (w^5,w^6), (0,w), (w^5,w^3), (1,w), (w^5,0), (w^6,1), (w^6,w^3),\\&(w,w^4), (w^2, w^5), (w^3,w), (1,w^6), (w,1), (w^2,w), (w^2,w), (w^4,w), (w^4 ,1), (w^4,w^2). \end{aligned}$$

We first construct a generic polynomial \(g= a_1x_1+a_2x_2\). We assume that this polynomial is never equal to zero. Hence, in this finite field, \(g^{2^3-1}=(a_1x_1+a_2x_2)^{2^3-1}=1\). We can rewrite this equation as: \((a_1x_1+a_2x_2)^{2^3-1}=(a_1x_1+a_2x_2)^{2^{3-1}}(a_1x_1+a_2x_2)^{2^{3-2}}(a_1x_1+a_2x_2)^{2^{3-3}}=1\). Since this is a field of characteristic 2, the equations turns out to be

$$\begin{aligned} ((a_1x_1)^{2^{3-1}}+(a_2x_2)^{2^{3-1}})((a_1x_1)^{2^{3-2}}+(a_2x_2)^{2^{3-2}})((a_1x_1)^{2^{3-3}}+(a_2x_2)^{2^{3-3}})=1. \end{aligned}$$

Multiply the product out, we have

$$\begin{aligned} a_1^7x_1^7 + a_1^6a_2x_1^6x_2 + a_1^5a_2^2x_1^5x_2^2 + a_1^4a_2^3x_1^4x_2^3 + a_1^3a_2^4x_1^3x_2^4 + a_1^2a_2^5x_1^2x_2^5 + a_1a_2^6x_1x_2^6 + a_2^7x_2^7 + 1=0. \end{aligned}$$

We view the products of \(a_i\) as variables, and \(x_i\) as coefficients. If we evaluate these coefficients at the signatures, we get \((n+1)^k=27\) vectors which will be the rows of the matrix. We apply echelon form on this matrix and then remove the zero rows. The new matrix is:

$$\begin{aligned}\begin{bmatrix} &{} 1 &{}0 &{}0 &{}0 &{}0 &{}0 &{}0 &{}0 &{}1\\ &{} 0 &{}1 &{}0 &{}0 &{}0 &{}0 &{}w^5 &{}0 &{}w^4\\ &{} 0 &{}0 &{}1 &{}0 &{}0 &{}0 &{}w^2 &{}0 &{}w^6\\ &{} 0 &{}0 &{}0 &{}1 &{}0 &{}0 &{}w^4 &{}0 &{}w^5\\ &{} 0 &{}0 &{}0 &{}0 &{}1 &{}0 &{}w^3 &{}0 &{}w\\ &{} 0 &{}0 &{}0 &{}0 &{}0 &{}1 &{}w^6 &{}0 &{}w^2\\ &{} 0 &{}0 &{}0 &{}0 &{}0 &{}0 &{}0 &{}1 &{}1\\ \end{bmatrix}\end{aligned}$$

Our next goal is to turn this matrix back to polynomials. Recall the order of the monomials, we get 7 multivariate polynomials:

$$\begin{aligned}&a_1^7 + 1\\&a_1^6a_2 + w^5a_1a_2^6 + w^4\\&a_1^5a_2^2 + w^2a_1a_2^6 + w^6\\&a_1^4a_2^3 + w^4a_1a_2^6 + w^5\\&a_1^3a_2^4 + w^3a_1a_2^6 + w\\&a_1^2a_2^5 + w^6a_1a_2^6 + w^2\\&a_2^7 + 1 \end{aligned}$$

The first and last polynomials do not help, they are trivial. Remember that we are not looking for the original values for \(a_i\), we only need solutions for \(a_i\) up to unit multiple. Therefore, we can set \(a_1=1\), and if we pick the second polynomial, we then get a univariate polynomial \(w^5a_2^6+a_2+w^4\). The roots are \(a_2=1\) and \(a_2=w^5\).

Let us check our solution with the linear map \(\mathcal {T}= \begin{bmatrix} w^2 &{} w^2 \\ w^3 &{} w \end{bmatrix}.\) It is clear that \(a_1=1\) and \(a_2=1\) are unit multiples of \(a_1=w^2\) and \(a_2=w^2\). Now if we check the second row, The original values are:

$$\begin{aligned}&a_1=w^3\\&a_2=w \end{aligned}$$

If we multiply the inverse of \(w^3\) by w, we get \(w^{-2}\) which is exactly equal to \(w^5\) in the finite field of \(2^3\) elements.

Getting Transformed \(VO_1O_2\) Space

We know that there are \(o_1\) column vectors in the \(v\times o_1\) part of each symmetric matrix \(\mathbf {Q}_i\) for \(i=o_1+1,\cdots ,o_1+o_2\). So we have \(o_1o_2\) such vectors. Assume that these \(o_1o_2\) vectors do not span the entire V space. Let us take \(v-1\) vectors and look at the span of these \(v-1\) vectors. Therefore, the probability of the next vector being in the span of these \(v-1\) vector is \(\frac{q^{v-1}-1}{q^v}\approx \frac{1}{q}\). There are \(o_1o_2-(v-1)\) vectors to check, so the probability of failing to fill the entire space is \(1/q^{o_1o_2-(v-1)}\). Thus we can conclude that if \(o_1o_2\) is larger enough than v, we can always get the full space. All the sets of proposed parameters satisfy this condition, so we do not need to worry about this case at all.