Key Recovery Attack for ZHFE

Abstract

At PQCRYPTO 2014, Porras, Baena and Ding introduced ZHFE, an interesting new technique for multivariate post-quantum encryption. The scheme is a generalization of HFE in which a single low degree polynomial in the central map is replaced by a pair of high degree polynomials with a low degree cubic polynomial contained in the ideal they generate. We present a key recovery attack for ZHFE based on the independent discoveries of the low rank property of ZHFE by Verbel and by Perlner and Smith-Tone. Thus, although the two central maps of ZHFE have high degree, their low rank property makes ZHFE vulnerable to the Kipnis-Shamir (KS) rank attack. We adapt KS attack pioneered by Bettale, Faugère and Perret in application to HFE, and asymptotically break ZHFE.

A Appendix

1.1 A.1 Toy Example

We provide a small example of the MinRank attack for ZHFE with parameters \(n =8\), \(q = 3\) and \(D =9\). The small field is \(\mathbb {F} = \mathbb {F}_{q}\), the extension field is \(\mathbb {K} = \mathbb {F}/\langle g(y)\rangle \), where \(g(y) = y^8 + 2y^5 + y^4 + 2y^2 + 2y + 2 \in \mathbb {F}[y]\), and b is a primitive root of the irreducible polynomial g(y).

For ease of presentation, we consider a homogeneous public key and linear transformations. An easy adaptation for the general case can be done following the ideas expressed in [2].

The matrices associated with our private key \(\left( (F,\tilde{F}),S,T\right) \) are

and \(\mathbf T = [\mathbf T _{1}|\mathbf T _{2}]\), where

This private key gives us a public key represented by the matrices \(\mathbf P _{1},\mathbf P _{2},\ldots ,\mathbf P _{2n}.\)

Recovering T : The first and harder step to recover an equivalent linear transformation T is to solve the MinRank problem associated with the public matrices \(\mathbf P _{1},\ldots , \mathbf P _{16}\) and \(r+1\), with \(r = \lceil \log _{q} D\rceil = 2\). Using the minors modeling, we construct a degree 4 polynomial system in 2n variables. We can fix the two first coordinates of the vector \(\mathbf u '{'} = (u'_{0},u'_{1},\ldots ,u'_{7})\) as 1 and 0 respectively. A solution for this system is

$$\mathbf u ' = (1, 0, b^{5854}, b^{4879}, b^{2843}, b^{2676}, b^{6279}, b^{1845}, b^{6102}, b^{5619}, b^{5448}, b^{6022}, b^{1721}, b^{2632}, b^{3738}, b^{6170}).$$

Next we compute

$$\begin{aligned} \mathbf K {'}=\ker \left( \sum _{i = 0}^{2n-1} u'_{i}{} \mathbf P _{i+1}\right) = \begin{pmatrix} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{}b^{6158} &{} b^{1567} &{} b^{6415}\\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} b^{3943} &{} b^{4591} &{} b^{95}\\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} b^{4461} &{} b^{4216} &{} b^{3027}\\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} b^{3577} &{} b^{5899} &{}b^{1096}\\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} b^{6554} &{} b^{4266} &{} b^{907} \end{pmatrix}, \end{aligned}$$

and by solving the linear system

$$\begin{aligned} \mathbf K {'} \left( \sum _{i=0}^{2n-1} x_{i}{} \mathbf P _{i+1}\right) = \mathbf 0 _{(n-r)\times n}, \end{aligned}$$

we get another solution

$$\mathbf v '\! :=\! (b^{1519 }\!, b^{4750 }\!, b^{4454 }\!, b^{3326 }\!, b^{2077 }\!, b^{4519 }\!, b^{3525}\!, b^{1978}, b^{5511}, b^{315}, b^{715}, b^{4722}, b^{5003}, b^{1895 }, b^{2665 }, b^{4505}).$$

Once we have two solution for the MinRank problem we compute

$$\begin{aligned} \mathbf T ''^{-1} = \mathbf U'' {} \mathbf M _{16}^{-1}, \end{aligned}$$

with \(\mathbf U '' := [\mathbf u '\vert \cdots \vert \mathbf u '^{q^{n-1}}\vert \mathbf v '\vert \cdots \vert \mathbf v '^{q^{n-1}}]\), invert the output matrix to obtain \(\mathbf T '' = [\mathbf T _{1}''|\mathbf T _{2}'']\), with

$$ \mathbf T _{1} '' = \begin{pmatrix} 2 &{} 0 &{} 2 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 \\ 1 &{} 2 &{} 2 &{} 2 &{} 0 &{} 2 &{} 0 &{} 0 \\ 1 &{} 1 &{} 0 &{} 2 &{} 0 &{} 0 &{} 0 &{} 2 \\ 2 &{} 2 &{} 1 &{} 2 &{} 0 &{} 1 &{} 0 &{} 0 \\ 0 &{} 2 &{} 2 &{} 0 &{} 2 &{} 0 &{} 0 &{} 0 \\ 2 &{} 1 &{} 0 &{} 1 &{} 1 &{} 2 &{} 0 &{} 0 \\ 2 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 \\ 2 &{} 2 &{} 1 &{} 0 &{} 2 &{} 1 &{} 0 &{} 1 \\ 0 &{} 0 &{} 2 &{} 0 &{} 0 &{} 1 &{} 2 &{} 0 \\ 1 &{} 2 &{} 2 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 \\ 0 &{} 1 &{} 1 &{} 2 &{} 2 &{} 2 &{} 2 &{} 2 \\ 2 &{} 2 &{} 0 &{} 1 &{} 0 &{} 1 &{} 2 &{} 1 \\ 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 \\ 1 &{} 2 &{} 2 &{} 1 &{} 1 &{} 2 &{} 1 &{} 0 \\ 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 \\ 0 &{} 0 &{} 2 &{} 0 &{} 2 &{} 2 &{} 1 &{} 1 \end{pmatrix}, \mathbf T _{2} '' = \begin{pmatrix} 1 &{} 1 &{} 0 &{} 0 &{} 2 &{} 1 &{} 1 &{} 1 \\ 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 2 &{} 1 &{} 1 \\ 2 &{} 1 &{} 1 &{} 2 &{} 2 &{} 1 &{} 1 &{} 0 \\ 1 &{} 2 &{} 2 &{} 1 &{} 2 &{} 2 &{} 0 &{} 0 \\ 0 &{} 1 &{} 1 &{} 2 &{} 0 &{} 1 &{} 2 &{} 1 \\ 2 &{} 0 &{} 2 &{} 1 &{} 2 &{} 0 &{} 1 &{} 2 \\ 2 &{} 0 &{} 2 &{} 2 &{} 2 &{} 0 &{} 2 &{} 1 \\ 2 &{} 2 &{} 1 &{} 0 &{} 2 &{} 2 &{} 0 &{} 1 \\ 2 &{} 1 &{} 0 &{} 1 &{} 2 &{} 1 &{} 1 &{} 0 \\ 0 &{} 1 &{} 2 &{} 1 &{} 0 &{} 2 &{} 1 &{} 1 \\ 2 &{} 2 &{} 2 &{} 1 &{} 1 &{} 0 &{} 1 &{} 2 \\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 2 &{} 2 &{} 0 \\ 0 &{} 2 &{} 0 &{} 0 &{} 2 &{} 1 &{} 1 &{} 0 \\ 0 &{} 1 &{} 2 &{} 0 &{} 1 &{} 1 &{} 2 &{} 1 \\ 1 &{} 2 &{} 0 &{} 2 &{} 0 &{} 1 &{} 2 &{} 1 \\ 1 &{} 2 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 0 \end{pmatrix}$$

Recovering S : To find \(\mathbf W '' := \mathbf S '' \mathbf M _{n} = [\mathbf w '' | \mathbf w ''^{q}|\cdots | \mathbf w ''^{q^{n-1}}]\), we find its first column \(\mathbf w ''\), which satisfy \(\text {Frob}_{j+1}(\mathbf K ')\mathbf w '' = \mathbf 0 \), for \(j = n - r,\ldots ,n-1 = 7,8\).

By solving the overdetermined system

$$\begin{aligned} \begin{pmatrix} \mathbf K ' \\ \text {Frob}_{7}(\mathbf K ') \end{pmatrix}{} \mathbf w '' = \begin{pmatrix} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} b^{6158 } &{}b^{1567 } &{}b^{6415} \\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} b^{3943 } &{}b^{4591} &{}b^{95} \\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} b^{4461} &{}b^{4216 } &{}b^{3027} \\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} b^{3577 } &{}b^{5899 } &{}b^{1096} \\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} b^{6554 } &{}b^{4266 } &{}b^{907} \\ 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} b^{6426 } &{}b^{2709 } &{}b^{4325} \\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} b^{3501 } &{}b^{3717 } &{}b^{4405} \\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} b^{1487 } &{}b^{3592 } &{}b^{1009} \\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} b^{3379 } &{}b^{4153 } &{}b^{2552} \\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} b^{6558 } &{}b^{1422 } &{}b^{2489} \end{pmatrix}{} \mathbf w '' =\mathbf 0 , \end{aligned}$$

we obtain \(\mathbf w '' = (b^{929}, b^{2174}, b^{2323}, b^{4231}, b^{3677}, b^{6313}, b^{2372}, b^{3245})\). We then compute

$$\begin{aligned} \mathbf W '' = \begin{pmatrix} b^{929 } &{} b^{2787 } &{} b^{1801 } &{} b^{5403 } &{} b^{3089 } &{} b^{2707 } &{} b^{1561 } &{} b^{4683} \\ b^{2174 } &{} b^{6522 } &{} b^{6446 } &{} b^{6218 } &{} b^{5534 } &{} b^{3482 } &{} b^{3886 } &{} b^{5098} \\ b^{2323 } &{} b^{409 } &{} b^{1227 } &{} b^{3681 } &{} b^{4483 } &{} b^{329 } &{} b^{987 } &{} b^{2961} \\ b^{4231 } &{} b^{6133 } &{} b^{5279 } &{} b^{2717 } &{} b^{1591 } &{} b^{4773 } &{} b^{1199 } &{} b^{3597} \\ b^{3677 } &{} b^{4471 } &{} b^{293 } &{} b^{879 } &{} b^{2637 } &{} b^{1351 } &{} b^{4053 } &{} b^{5599} \\ b^{6313 } &{} b^{5819 } &{} b^{4337 } &{} b^{6451 } &{} b^{6233 } &{} b^{5579 } &{} b^{3617 } &{} b^{4291} \\ b^{2372 } &{} b^{556 } &{} b^{1668 } &{} b^{5004 } &{} b^{1892 } &{} b^{5676 } &{} b^{3908 } &{} b^{5164} \\ b^{3245 } &{} b^{3175 } &{} b^{2965 } &{} b^{2335 } &{} b^{445 } &{} b^{1335 } &{} b^{4005 } &{} b^{5455} \end{pmatrix}, \end{aligned}$$

and

$$\begin{aligned} \mathbf S '' = \mathbf W '' \mathbf M _{8}^{-1} = \begin{pmatrix} 2 &{} 2 &{} 2 &{} 1 &{} 2 &{} 0 &{} 0 &{} 2\\ 1 &{} 2 &{} 1 &{} 1 &{} 2 &{} 0 &{} 1 &{} 2\\ 2 &{} 1 &{} 0 &{} 2 &{} 0 &{} 2 &{} 1 &{} 0\\ 2 &{} 2 &{} 1 &{} 1 &{} 2 &{} 1 &{} 2 &{} 2\\ 0 &{} 2 &{} 1 &{} 2 &{} 0 &{} 0 &{} 0 &{} 2\\ 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 2\\ 1 &{} 0 &{} 2 &{} 0 &{} 1 &{} 2 &{} 2 &{} 0\\ 0 &{} 1 &{} 1 &{} 0 &{} 2 &{} 2 &{} 0 &{} 1 \end{pmatrix} \end{aligned}$$

Recovering Core Polynomials: To find our equivalent core polynomials \(H'\) and \(\tilde{H}'\) we calculate \(\mathbf H ' = \mathbf W {''}^{-1}\left( \sum _{i=0}^{7}u{'}_{i}{} \mathbf P _{i+1}\right) \mathbf W {''}^{-t}\) as well as the value of \(\tilde{\mathbf{H }}{'} = \mathbf W ''^{-1}\left( \sum _{i=0}^{7}v{'}_{i}{} \mathbf P _{i+1} \right) \mathbf W {''}^{-t}\) and obtain

Recovering the Low Degree Polynomial: Once the core polynomials \(\mathbf H ' = [h_{ij}],\; \tilde{\mathbf{H }}' = [\tilde{h}_{ij}]\) are recovered, our target is to build the low degree polynomial \(\varPsi ''\) fundamental for the attacker to be able decrypt. So, we solve the following overdetermined systems

$$\begin{aligned} \begin{bmatrix} h_{1, r + 1}&h_{1, r + 2}&\cdots&h_{1, n-1}&h_{1, n} \\ \tilde{h}_{1, r + 1}&\tilde{h}_{1, r + 2}&\cdots&\tilde{h}_{1, n- 1}&\tilde{h}_{1, n} \end{bmatrix}^{\top }\begin{bmatrix} x_{0} \\ x_{1} \end{bmatrix}= & {} \begin{bmatrix} b^{5159}&b^{4953}&b^{4144}&b^{6518}&b^{3920}&b^{4127} \\ b^{3075}&b^{2869}&b^{2060}&b^{4434}&b^{1836}&b^{2043} \end{bmatrix}^{\top } \begin{bmatrix} x_{0} \\ x_{1} \end{bmatrix} = \mathbf 0 , \\ \\ \begin{bmatrix} h_{2, r + 1}&h_{2, r + 2}&\cdots&h_{2, n-1}&h_{2, n} \\ \tilde{h}_{2, r + 1}&\tilde{h}_{2, r + 2}&\cdots&\tilde{h}_{2, n- 1}&\tilde{h}_{2, n} \end{bmatrix}^{\top }\begin{bmatrix} y_{0} \\ y_{1} \end{bmatrix}= & {} \begin{bmatrix} b^{5229}&b^{5023}&b^{4214 }&b^{28}&b^{3990}&b^{4197} \\ b^{1832}&b^{1626 }&b^{817}&b^{3191 }&b^{593 }&b^{800} \end{bmatrix}^{\top }\begin{bmatrix} y_{0} \\ y_{1} \end{bmatrix} = \mathbf 0 , \end{aligned}$$

and we obtain the solutions \([x_{0}, x_{1}]^{\top } = [b^{1418},\; b^{222}]^{\top }\) and \( [y_{0}, y_{1}]^{\top } = [b^{2162},\; b^{2279} ]^{\top } \). Then, we compute \(b^{1418}{} \mathbf H ' + b^{222}\tilde{\mathbf{H }}'\) and \(b^{2162}{} \mathbf H ' + b^{2279}\tilde{\mathbf{H }}'\) obtaining respectively

$$\begin{aligned} \begin{pmatrix} b^{106} &{} b^{6092} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{6092}&{} b^{3643}&{} b^{4437}&{} b^{4231}&{} b^{3422}&{} b^{5796} &{} b^{3198}&{} b^{3405}\\ 0 &{} b^{4437} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ 0 &{} b^{4231} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ 0 &{} b^{3422} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ 0 &{} b^{5796} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ 0 &{} b^{3198} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ 0 &{} b^{3405} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 \end{pmatrix}, \begin{pmatrix} b^{1294 }&{} b^{536} &{} b^{3144} &{} b^{2938} &{} b^{2129} &{} b^{4403} &{} b^{1905} &{} b^{2112}\\ b^{536} &{} b^{844} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{3144} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{2938} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{2129} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{4503} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{1905} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ b^{2112} &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 \end{pmatrix}. \end{aligned}$$

Finally, we form the system

$$\begin{aligned} \begin{bmatrix} b^{4437}&b^{4231}&b^{3422}&b^{5796}&b^{3198}&b^{3405} \\ b^{3144}&b^{2938}&b^{2129}&b^{4403}&b^{1905}&b^{2112} \end{bmatrix}^{\top } \begin{bmatrix} z_{0} \\ z_{1} \end{bmatrix} = \mathbf 0 , \end{aligned}$$

we a solution \([z_{0},\; z_{1}]^{\top } = [b^{1024},\; b^{5597}]^{\top }\), and we use it to compute our low degree polynomial,

$$\begin{aligned} \varPsi ''&= b^{1024}X(b^{1418}H' + b^{222}\tilde{H}' ) +X^{q}(b^{2162}H' + b^{2279}\tilde{H}') \\&= b^{6441}X^{9} + b^{2097}X^{7} + b^{852}X^{5} + b^{1130}X^{3} \end{aligned}$$

1.2 A.2 Low Rank Matrix Forms