Abstract
The problem of Isomorphism of Polynomials (IP problem) is known to be important to study the security of multivariate public key cryptosystems, one of major candidates of post-quantum cryptography, against key recovery attacks. In these years, several schemes based on the IP problem itself or its generalization have been proposed. At PQCrypto 2020, Santoso introduced a generalization of the problem of Isomorphism of Polynomials, called the problem of Blockwise Isomorphism of Polynomials (BIP problem), and proposed a new Diffie-Hellman type encryption scheme based on this problem with Circulant matrices (BIPC problem). Quite recently, Ikematsu et al. proposed an attack called the linear stack attack to recover an equivalent key of Santoso’s encryption scheme. While this attack reduced the security of the scheme, it does not contribute to solve the BIPC problem itself. In the present paper, we describe how to solve the BIPC problem directly by simplifying the BIPC problem due to the conjugation property of circulant matrices. In fact, we experimentally solved the BIPC problem with the parameter, which has 256 bit security by Santoso’s security analysis and has 72.7 bit security against the linear stack attack, by about 10 min.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Bouillaguet, C., Faugére, J.-C., Fouque, P.-A., Perret, L.: Isomorphism of Polynomials: New Results (2009). http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=20524EF65899B40DEE494630B0574F53?doi=10.1.1.156.9570&rep=rep1&type=pdf
Casanova, A., Faugère, J.C., Macario-Rat, G., Patarin, J., Perret, L., Ryckeghem, J.: GeMSS: A Great Multivariate Short Signature. https://www-polsys.lip6.fr/Links/NIST/GeMSS.html
Chen, J., Tan, C.H., Li, X.: Practical cryptanalysis of a public key cryptosystem based on the morphism of polynomials problem. Tsinghua Sci. Technol. 23, 671–679 (2018)
Chen, M.-S., et al.: Rainbow Signature. https://www.pqcrainbow.org/
Faugère, J.-C., Perret, L.: Polynomial equivalence problems: algorithmic and theoretical aspects. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 30–47. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_3
Ikematsu, Y., Nakamura, S., Santoso, B., Yasuda, T.: Security Analysis on an El-Gamal-like Multivariate Encryption Scheme Based on Isomorphism of Polynomials (2021). https://eprint.iacr.org/2021/169
NIST, Post-Quantum Cryptography, Round 3 submissions. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_4
Santoso, B.: Generalization of isomorphism of polynomials with two secrets and its application to public key encryption. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 340–359. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_19
Wang, H., Zhang, H., Mao, S., Wu, W., Zhang, L.: New public-key cryptosystem based on the morphism of polynomials problem. Tsinghua Sci. Technol. 21, 302–311 (2016)
Acknowledgments
The author would like to thank the anonymous reviewers for reading the previous draft of this paper carefully and giving helpful comments. He was supported by JST CREST no. JPMJCR14D6 and JSPS Grant-in-Aid for Scientific Research (C) no. 17K05181.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Toy Example
A Toy Example
We now demonstrate how to solve the BIPC problem for \((q,n,m,k)=(2,6,2,2)\) as a toy example. The public keys \(\mathbf {f}=(\mathbf {f}_{1},\mathbf {f}_{2})=(f_{11},f_{12},f_{21},f_{22})\) and \(\mathbf {g}=(\mathbf {g}_{1},\mathbf {g}_{2})=(g_{11},g_{12},g_{21},g_{22})\) are as follows.
where the coefficient matrices are expressed by triangular matrices. Our aim is to recover \(S_{1},S_{2}\in \mathrm {Circ}(6)\), \(T_{1},T_{2}\in \mathrm {Circ}(2)\) satisfying
Let \(\theta \) be a cubic root of 1 (i.e. \(\theta ^{2}+\theta +1=0\)),
and \(Q_{6}:=K_{6}\left( \varTheta _{3}\otimes B_{2}\right) \). Then \(\bar{\mathbf {f}}_{1}=Q_{2}^{-1}\circ \mathbf {f}_{1} \circ Q_{6}=(\bar{f}_{11},\bar{f}_{12})\), \(\bar{\mathbf {f}}_{2}=Q_{2}^{-1}\circ \mathbf {f}_{2} \circ Q_{6}=(\bar{f}_{21},\bar{f}_{22})\), \(\bar{\mathbf {g}}_{1}=Q_{2}^{-1}\circ \mathbf {g}_{1} \circ Q_{6}=(\bar{g}_{11},\bar{g}_{12})\), \(\bar{\mathbf {g}}_{2}=Q_{2}^{-1}\circ \mathbf {g}_{2} \circ Q_{6}=(\bar{g}_{21},\bar{g}_{22})\) are as follows.
Then the problem of recovering \(S_{1},S_{2},T_{1},T_{2}\) with (8) is reduced to the problem of recovering \(\bar{S}_{1}=Q_{6}^{-1}\circ S_{1}\circ Q_{6}\), \(\bar{S}_{2}=Q_{6}^{-1}\circ S_{2}\circ Q_{6}\), \(\bar{T}_{1}=Q_{2}^{-1}\circ T_{1}\circ Q_{2}\), \(\bar{T}_{2}=Q_{2}^{-1}\circ T_{2}\circ Q_{2}\) satisfying
Due to Lemma 2, we see that \(\bar{S}_{1},\bar{S}_{2},\bar{T}_{1},\bar{T}_{2}\) are written by
We first study the coefficients of \(x_{1}^{2}\) in \(\bar{g}_{12},\bar{g}_{22}\). The relation (9) gives the following equations.
We then get \(t_{1}^{(1)}=1\) and \(t_{1}^{(2)}=1\). Similarly, from the coefficients of \(x_{1}^{2}\) in \(\bar{g}_{11},\bar{g}_{21}\), we have
From the equations above, we obtain \(t_{2}^{(1)}=1\) and \(t_{2}^{(2)}=0\). We thus have \(T_{1},T_{2}\) as
Next, we study the coefficient of \(x_{1}x_{3}\) in \(\bar{g}_{12},\bar{g}_{22}\). From (9) and (10), we have
We then get \(s_{21}^{(1)}=1\), \(s_{21}^{(2)}=\theta \). Similarly, the following equations are derived from the coefficients of \(x_{1}x_{4}\), \(x_{1}x_{5}\) and \(x_{1}x_{6}\) in \(\bar{g}_{12},\bar{g}_{22}\).
Then we get \(s_{22}^{(1)}=1\), \(s_{22}^{(2)}=0\), \(s_{31}^{(1)}=1\), \(s_{31}^{(2)}=\theta ^{2}\), \(s_{32}^{(1)}=1\) and \(s_{32}^{(2)}=0\). To recover the remaining parameters \(s_{12}^{(1)},s_{12}^{(2)}\), we study the coefficients of \(x_{2}^{2}\) in \(\bar{g}_{12},\bar{g}_{22}\) and have
Since \(s_{12}^{(1)},s_{12}^{(2)}\in \mathbf{F}_{2}\), the solution of the equations above is \(s_{12}^{(1)}=s_{12}^{(2)}\). To fix \(s_{12}^{(1)},s_{12}^{(2)}\) uniquely, we further study the coefficients \(x_{2}x_{3}\) in \(\bar{g}_{12},\bar{g}_{22}\) and have the equations
Since \(s_{21}^{(1)}=1\), \(s_{21}^{(2)}=\theta \), we obtain \(s_{12}^{(1)}=s_{12}^{(2)}=0\). We thus conclude that
The solution of this BIPC problem is given by (10) and (11). \(\square \)
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Hashimoto, Y. (2021). Solving the Problem of Blockwise Isomorphism of Polynomials with Circulant Matrices. In: Nakanishi, T., Nojima, R. (eds) Advances in Information and Computer Security. IWSEC 2021. Lecture Notes in Computer Science(), vol 12835. Springer, Cham. https://doi.org/10.1007/978-3-030-85987-9_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-85987-9_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-85986-2
Online ISBN: 978-3-030-85987-9
eBook Packages: Computer ScienceComputer Science (R0)