Analysis of Multivariate Encryption Schemes: Application to Dob and \({C}^{*}\)

Abstract

A common strategy for constructing multivariate encryption schemes is to use a central map that is easy to invert over an extension field, along with a small number of modifications to thwart potential attacks. In this work, we study the effectiveness of these modifications, by deriving estimates for the number of degree fall polynomials. After developing the necessary tools, we focus on encryption schemes using the \(C^*\) and Dobbertin central maps, with the internal perturbation (ip), and \(Q_+\) modifications. For these constructions, we are able to accurately predict the number of degree fall polynomials produced in a Gröbner basis attack, up to and including degree 5 for the Dob encryption scheme and four for \(C^*\). The predictions remain accurate even when fixing variables. Based on this new theory, we design a novel attack on Dob, which completely recovers the secret key for the parameters suggested by its designers. Due to the generality of the presented techniques, we also believe that they are of interest to the analysis of other big-field schemes.

Appendices

Appendxi A: Formulas for Dob Degree Fall Polynomials at \(\nu =5\)

\(\mathbf {N_5^{(1,1)}:}\) Let us start by examining \((\mathcal {S}^{M^{(1,1)}}(\mathcal {F}^h))_5\). The polynomials involving the quadratic polynomials from \(Q_+\), namely the \(q_i^h\), are easy to classify as they would only appear as products with the 2d degree fall polynomials at \(\nu = 3\) (from Sect. ). The elements containing the ip linear forms are slightly more involved. At first glance, the \(\nu = 3\) syzygies will generate \(2d\cdot \text {dim}_2(V^1)\), but we also need to take into consideration the cancelations appearing at \(\nu = 4\) (which sums up to the \(-d\) term in Eq. (3.3)). Assuming that none of these cancelations can be factorized by a linear form in Span\((v_1,\ldots ,v_k)\) (which is highly likely when \(n \gg k\)), we will need to subtract kd to account for these cancelations.

Turning our attention to the modifiers, we can combine (v) and (ii) from Lemma 3, to get

$$\begin{aligned} \text {dim}_5(M^{(2,1)}M^{(1,1)}) = \text {dim}_5(M^{(3,2)}) + \text {dim}_5(V^{1}Q^{1}) - \text {dim}_5(M^{(3,2)}\cap V^{1}Q^{1}). \end{aligned}$$

Expecting that \((Q^2\cap V^3)_5\) is empty, and using Lemma 3 (iv), we can further rewrite this as

$$\begin{aligned} \text {dim}_5(M^{(2,1)}M^{(1,1)})&= \text {dim}_5(Q^2) + \text {dim}_5(V^3) + \text {dim}_5(V^1Q^1) \\&\quad - \text {dim}_5(Q^2\cap V^1Q^1) - \text {dim}_5(V^3\cap V^1Q^1). \end{aligned}$$

Example 1 1 covers dim\(_5(V^1Q^1)\), and we will deal with the intersections through ad hoc arguments. We expect \(\langle Q^2\cap V^1Q^1 \rangle _5\) to be generated by the the possible combinations \(q_iq_jv_l\), so we estimate its dimension to be \(k\left( {\begin{array}{c}t\\ 2\end{array}}\right) \). Similarly, \(\langle V^3\cap V^1Q^1 \rangle _5\) is expected to be generated by the combinations \(v_iv_jv_rq_l\), and its dimension is expected to be \(t\left( {\begin{array}{c}k\\ 3\end{array}}\right) \).

Lastly, we examine \(M^{(1,1)}M^{(2,1)}\langle \mathcal {P}^h\rangle \). At degree 5, the only possible combinations are \(v_iv_jv_rp_l\), and \(v_iq_jp_l\). All this information sums up to the following:

$$\begin{aligned} \big (N_5^{(1,1)}\big )'&= \overbrace{d\bigg (2k(n-k) + 2\left( {\begin{array}{c}k\\ 2\end{array}}\right) + 2t - k\bigg )}^{\text {dim}_5(\mathcal {S}^{M^{(1,1)}}(\mathcal {F}^h))} - \overbrace{\left( {\begin{array}{c}t\\ 2\end{array}}\right) n}^{\text {dim}_5(Q^2)} \nonumber \\&\quad - \overbrace{\bigg (\left( {\begin{array}{c}k\\ 3\end{array}}\right) \left( {\begin{array}{c}n-k\\ 2\end{array}}\right) + \left( {\begin{array}{c}k\\ 4\end{array}}\right) (n-k) + \left( {\begin{array}{c}k\\ 5\end{array}}\right) \bigg )}^{\text {dim}_5(V^3)} \nonumber \\&\quad - \overbrace{t\bigg (k\left( {\begin{array}{c}n-k\\ 2\end{array}}\right) + \left( {\begin{array}{c}k\\ 2\end{array}}\right) (n-k) + \left( {\begin{array}{c}k\\ 3\end{array}}\right) \bigg ) + k\bigg (t^2 - \left( {\begin{array}{c}t\\ 2\end{array}}\right) \bigg )}^{\text {dim}_5(Q^1V^1)} \nonumber \\&\quad + \overbrace{\left( {\begin{array}{c}t\\ 2\end{array}}\right) k}^{\text {dim}_5(Q^2\cap V^1Q^1)} + \overbrace{\left( {\begin{array}{c}k\\ 3\end{array}}\right) t}^{\text {dim}_5(V^3\cap V^1Q^1)} \nonumber \\&\quad + \overbrace{d\bigg (kt + \left( {\begin{array}{c}k\\ 3\end{array}}\right) \bigg )}^{\text {dim}_5\left( M^{(1,1)}M^{(2,1)}\langle \mathcal {P}^h\rangle \right) }. \end{aligned}$$

(A.1)

Remark 3

We have run tests for \(\dim _5(\mathcal {S}^{M^{(1,1)}}(\mathcal {F}^h))\), \(\dim _5(M^{(1,1)}M^{(2,1)})\) and \(\dim _5(M^{(1,1)}M^{(2,1)}\langle \mathcal {P}^h\rangle )\), and separately they agree with what we have counted above. However, when running tests for \((N_5^{(1,1)})'\) as a whole, we find that the theoretical formula presented in Eq. (A.1) consistently undershoots the number of degree fall polynomials by 4d. Hence, there is some interplay between the separate parts making up the formula that we do not yet understand. For this reason, we adjust Eq. (5.10) in the main part of the text by this value, i.e., \(N_5^{(1,1)} = \big (N_5^{(1,1)}\big )' + 4d\).

\(\mathbf {N_5^{(2,1)}:}\) The degree five part of \(\mathcal {S}^{M^{(2,1)}}(\mathcal {F}^h)\) is given by Equation (5.2). An application of Lemma 3 (iv) and (v) leads to

$$\begin{aligned} \text {dim}_5(M^{(2,1)}M^{(2,1)}) = \text {dim}_5(V^4) + \text {dim}_5(Q^2) + \text {dim}_5(V^2Q^1). \end{aligned}$$

Example 1 (b) is used to compute \(\text {dim}_5(V^2Q^1)\), and we furthermore expect no polynomials of degree five in \(M^{(2,1)}M^{(2,1)}\langle \mathcal {P}^h\rangle \). All this sums up to the following estimate:

$$\begin{aligned} \big (N_{5}^{(2,1)}\big ) '&= \overbrace{2d\bigg (\left( {\begin{array}{c}k\\ 2\end{array}}\right) + t\bigg )}^{\text {dim}_5(\mathcal {S}^{M^{(2,1)}}(\mathcal {F}^h))} - \overbrace{\bigg (\left( {\begin{array}{c}k\\ 4\end{array}}\right) (n-k) + \left( {\begin{array}{c}k\\ 5\end{array}}\right) \bigg )}^{\text {dim}_5(V^4)} \nonumber \\&\quad - \overbrace{t\bigg (\left( {\begin{array}{c}k\\ 2\end{array}}\right) (n-k) + \left( {\begin{array}{c}k\\ 3\end{array}}\right) \bigg )}^{\text {dim}_5(Q^1V^2)} - \overbrace{\left( {\begin{array}{c}t\\ 2\end{array}}\right) n}^{\text {dim}_5(Q^2)}. \end{aligned}$$

(A.2)

Similarly to what was discussed in Remark 3, we also find that the theoretically predicted \(\big (N_{5}^{(2,1)}\big ) '\) is off by 4d in experiments. Hence, we adjust for this in Eq. (5.11) by setting \(N_5^{(2,1)} = \big (N_{5}^{(2,1)}\big ) ' + 4d\).

Appendxi B: Proof of Lemma 7

By a slight abuse of notation we will consider \(\widetilde{W}_\eta \) to include integers, by listing the index of the variables it contains. Recall the (r, d)-Covering Problem, which can be stated as follows: for given d and \(r<d-1\), find \(\rho \) subsets \(\widetilde{W}_\eta \subset \{1,\ldots ,d\}\) of size \(d-r\), such that for any pair (i, j) where \(1\le i<j\le d\), \(\{i,j\}\subset \widetilde{W}_\eta \) for at least one \(\eta \).

Proof of Lemma 7

Let \(s=\lfloor (d-r)/2\rfloor \). We divide \(\{1,\ldots ,d\}\) into blocks of size s:

$$\begin{aligned} C_b=\{(b-1)s+1,\ldots ,bs\}, \text{ for } 1\le b\le \lfloor d/s\rfloor . \end{aligned}$$

Let the sets \(\widetilde{W}_\eta \) for \(1\le \eta \le \left( {\begin{array}{c}\lfloor d/s\rfloor \\ 2\end{array}}\right) \) be defined as the union of \(C_a\) and \(C_b\), for all choices of \(1\le a<b\le \lfloor d/s\rfloor \). In the case \(d-r\) is odd, we also add one arbitrary extra number to each set to make sure that each \(\widetilde{W}_\eta \) contains exactly \(d-r\) numbers.

Any \(\{i,j\}\subset \{1,\ldots ,s\lfloor d/s\rfloor \}\) will then be contained in at least one \(\widetilde{W}_\eta \). If both i and j belong to the same block \(C_b\), then all \(\widetilde{W}_\eta \) involving \(C_b\) will contain \(\{i,j\}\). If \(i\in C_a\) and \(j\in C_b\) for \(a\ne b\), then the set \(\widetilde{W}_\eta =C_a\cup C_b\) will contain \(\{i,j\}\). Hence, the \(\left( {\begin{array}{c}\lfloor d/s\rfloor \\ 2\end{array}}\right) \) sets constructed will cover all pairs from \(\{1,\ldots ,s\lfloor d/s\rfloor \}\).

If s divides d we are done. Otherwise, to cover all pairs of numbers in \(\{1,\ldots ,d\}\) it is sufficient to create \(\lfloor d/s\rfloor \) new \(\widetilde{W}\)-sets consisting of \(\{s\lfloor d/s\rfloor +1,\ldots ,d\}\cup C_b\cup \{s-(d-s\lfloor d/s\rfloor ) \text{ extra } \text{ numbers }\}\), where \(1\le b\le \lfloor d/s\rfloor \), and the extra numbers are arbitrary. The total number of sets will then be \(\left( {\begin{array}{c}\lceil d/s\rceil \\ 2\end{array}}\right) \), and replacing s with \(\lfloor (d-r)/2\rfloor \) we get Lemma 7. \(\square \)

For the particular case \(d=129, r=79\) (which is used in Sect. 7.8), we get \(\rho \le 15\). Doing the exercise in practice, we find that \(\rho =11\) is sufficient to solve the problem by extending the block \(C_5\) to cover all numbers \(101,\ldots ,129\), and modifying slightly the sets involving \(C_5\).