Abstract
A common strategy for constructing multivariate encryption schemes is to use a central map that is easy to invert over an extension field, along with a small number of modifications to thwart potential attacks. In this work, we study the effectiveness of these modifications, by deriving estimates for the number of degree fall polynomials. After developing the necessary tools, we focus on encryption schemes using the \(C^*\) and Dobbertin central maps, with the internal perturbation (ip), and \(Q_+\) modifications. For these constructions, we are able to accurately predict the number of degree fall polynomials produced in a Gröbner basis attack, up to and including degree 5 for the Dob encryption scheme and four for \(C^*\). The predictions remain accurate even when fixing variables. Based on this new theory, we design a novel attack on Dob, which completely recovers the secret key for the parameters suggested by its designers. Due to the generality of the presented techniques, we also believe that they are of interest to the analysis of other big-field schemes.
Notes
There have been different definitions for the solving degree in the literature. Here, we follow the definition of [7] (adapted to the Boolean ring).
Here, we follow the nomenclature used, for instance, in [25].
While we are not aware of a comprehensive analysis of PMI+, the following is remarked in [10] p. 1026: “...the original parameters of PMI+ are easily broken by a simple modification of [6] and still larger parameters can be defeated by the new MinRank techniques developed in [17].” (The citations in the quote are changed to the enumeration used in this paper).
The authors of [27] named these two modifiers \(\oplus \) and \(``+''\). Note that in earlier literature (cf. [39]), the \(``+''\) modification refers to a different modification than what is described in [27], and the \(\oplus \) modification has been called internal perturbation (ip). To the best of our knowledge, the \(``+''\) modification from [27] has not been used in earlier work. To avoid any confusion, we have chosen to stick with the name (ip) and use \(Q_+\) for [27]’s “+”.
If \(p_R\) has degree \(\ge 3\), then the syzygy \(p_R^2 + p_R = 0\) will be of degree \(> \nu \). In this case, \(p_R\) will not be among the generators of \(\mathcal {H}\). This matters little, as \(p_R\) will be removed in the degree 2 case anyway in Sect. 7.4.
Eq. (7.10) can be derived by adapting the proof of Lemma 7 in [6] to the case of the Dobbertin permutation. Indeed, to adapt this proof we need only check that the entries of \(Ker\left( \left( \textbf{F}'\right) ^{*0}\right) \) can be chosen in \(\mathbb {F}_2\), and that the kernel of \(\left( \textbf{F}'\right) ^{*i}\) can be obtained by shifting the columns of \(Ker\left( \left( \textbf{F}'\right) ^{*0}\right) \) i places to the right. This follows from our recent discussion in the text.
References
D. Apon, D. Moody, R. Perlner, D. Smith-Tone, and J. Verbel. Combinatorial rank attacks against the rectangular simple matrix encryption scheme, in International Conference on Post-Quantum Cryptography (Springer, 2020), pp. 307–322
M.F. Atiyah, I.G. Macdonald, Introduction to Commutative Algebra (CRC Press, 2016)
M. Bardet, M. Bros, D. Cabarcas, P. Gaborit, R. Perlner, D. Smith-Tone, J.-P. Tillich, and J. Verbel. Improvements of Algebraic Attacks for solving the Rank Decoding and MinRank problems, in International Conference on the Theory and Application of Cryptology and Information Security (Springer, 2020), pp. 507–536
M. Bardet, J.-C. Faugère, B. Salvy, Complexity of Gröbner basis computation for semi-regular overdetermined sequences over \({\mathbb{F}}_{2}\) with solutions in \({\mathbb{F}}_{2}\). Research Report RR-5049, INRIA, inria-00071534 (2003)
L. Bettale, J.-C. Faugère, L. Perret, Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptol. 3(3), 177–197 (2009)
L. Bettale, J.-C. Faugère, L. Perret, Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Des. Codes Cryptogr. 69(1), 1–52 (2013)
A. Caminata, E. Gorla, Solving degree, last fall degree, and related invariants. J. Symb. Comput. 114, 322–335 (2023)
C. Carlet, Vectorial Boolean functions for cryptography in Y. Crama and P. L. Hammer, editors, Boolean Models and Methods in Mathematics, Computer Science, and Engineering (Cambridge University Press, 2010), pp. 398–469
R. Cartor, D. Smith-Tone, EFLASH: A New Multivariate Encryption Scheme, in C. Cid and M. Jacobson Jr., editors, Selected Areas in Cryptography – SAC 2018. Lecture Notes in Computer Science, vol. 11349 (Springer International Publishing, 2019), pp. 281–299
R. Cartor, D. Smith-Tone, All in the \(C^*\) family. Des. Codes Cryptogr. 88(6), 1023–1036 (2020)
C.-M. Cheng, T. Chou, R. Niederhagen, B.-Y. Yang, Solving quadratic equations with XL on parallel architectures, in International Workshop on Cryptographic Hardware and Embedded Systems (Springer, 2012), pp. 356–373
D.A. Cox, J. Little, D. O’Shea, Using Algebraic Geometry, vol. 185 (Springer Science & Business Media, 2006)
A. Diene, J. Ding, J.E. Gower, T.J. Hodges, Z. Yin, Dimension of the linearization equations of the matsumoto-imai cryptosystems, in Ø. Ytrehus, editor, Coding and Cryptography (Springer Berlin Heidelberg, Berlin, Heidelberg, 2006), pp. 242–251
J. Ding, A new variant of the Matsumoto-Imai cryptosystem through perturbation, in International Workshop on Public Key Cryptography (Springer, 2004), pp. 305–318
J. Ding, J.E. Gower, Inoculating multivariate schemes against differential attacks, in International Workshop on Public Key Cryptography (Springer, 2006), pp. 290–301
J. Ding, T.J. Hodges, Inverting HFE systems is quasi-polynomial for all fields, in Annual Cryptology Conference (Springer, 2011), pp. 724–742
J. Ding, R. Perlner, A. Petzoldt, D. Smith-Tone, Improved cryptanalysis of HFEv- via projection, in International Conference on Post-Quantum Cryptography (Springer, 2018), pp. 375–395
J. Ding, D. Schmidt, Cryptanalysis of HFEv and internal perturbation of HFE, in International Workshop on Public Key Cryptography (Springer, 2005), pp. 288–301
H. Dobbertin, Almost perfect nonlinear power functions on GF(\(2^n\)): The Welch case. IEEE Trans. Inf. Theory 45(4), 1271–1275 (1999)
V. Dubois, L. Granboulan, J. Stern, Cryptanalysis of HFE with internal perturbation, in International Workshop on Public Key Cryptography (Springer, 2007), pp. 249–265
J.-C. Faugère, A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra, 139(1-3), 61–88 (1999)
J.-C. Faugère, A. Joux, Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases, in Annual International Cryptology Conference (Springer, 2003), pp. 44–60
J.-C. Faugère, F. Levy-dit Vehel, L. Perret, Cryptanalysis of MinRank, in Annual International Cryptology Conference (Springer, 2008), pp. 280–296
P.-A. Fouque, L. Granboulan, J. Stern, Differential cryptanalysis for multivariate schemes, in Annual International Conference on the Theory and Applications of Cryptographic Techniques (Springer, 2005), pp. 341–353
J.W. Hoffman, X. Jia, H. Wang, Commutative Algebra: An Introduction (Stylus Publishing, LLC, 2016)
https://github.com/Simula-UiB/Attack-On-The-Dob-Encryption-Scheme
G. Macario-Rat, J. Patarin, Two-face: New public key multivariate schemes, in International Conference on Cryptology in Africa (Springer, 2018), pp. 252–265
T. Matsumoto, H. Imai, Public quadratic polynomial-tuples for efficient signature-verification and message-encryption, in D. Barstow, W. Brauer, P. Brinch Hansen, D. Gries, D. Luckham, C. Moler, A. Pnueli, G. Seegmüller, J. Stoer, N. Wirth, and C. G. Günther, editors, Advances in Cryptology—EUROCRYPT’88 (Springer Berlin Heidelberg, Berlin, Heidelberg, 1988), pp. 419–453
National Institute for Standards and Technology. Post-Quantum Cryptography Standardization, 2017. https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization
J. Patarin, Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt’88, in Annual International Cryptology Conference (Springer, 1995), pp. 248–261
J. Patarin, Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms, in International Conference on the Theory and Applications of Cryptographic Techniques (Springer, 1996), pp. 33–48
P.W. Shor, Algorithms for quantum computation: discrete logarithms and factoring, in Proceedings 35th Annual Symposium on Foundations of Computer Science (IEEE, 1994), pp. 124–134
D. Smith-Tone, J. Verbel, A rank attack against extension field cancellation, in International Conference on Post-Quantum Cryptography (Springer, 2020), pp. 381–401
A. Szepieniec, J. Ding, B. Preneel, Extension field cancellation: A new central trapdoor for multivariate quadratic systems, in Post-Quantum Cryptography (Springer, 2016), pp. 182–196
C. Tao, A. Petzoldt, J. Ding, Efficient Key Recovery for All HFE Signature Variants, in Annual International Cryptology Conference (Springer, 2021), pp. 70–93
C. Tao, H. Xiang, A. Petzoldt, J. Ding, Simple matrix—a multivariate public key cryptosystem (MPKC) for encryption. Finite Fields Appl. 35, 352–368 (2015)
Y. Wang, Y. Ikematsu, D.H. Duong, T. Takagi, The secure parameters and efficient decryption algorithm for multivariate public key cryptosystem EFC. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 102(9), 1028–1036 (2019)
D. Wiedemann, Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory 32(1), 54–62 (1986)
C. Wolf, B. Preneel, Taxonomy of public key schemes based on the problem of multivariate quadratic equations. Cryptology ePrint Archive, Report 2005/077, 2005. https://eprint.iacr.org/2005/077
C. Wolf, B. Preneel, Equivalent keys in Multivariate Quadratic public key systems. J. Math. Cryptol. 4(4), 375–415 (2011)
T. Yasuda, Y. Wang, T. Takagi, Multivariate encryption schemes based on polynomial equations over real numbers, in International Conference on Post-Quantum Cryptography (Springer, 2020), pp. 402–421
M. Øygarden, Algebraic Cryptanalysis of Cryptographic Schemes with Extension Field Structure. PhD thesis, University of Bergen, 2021. https://hdl.handle.net/11250/2771891
M. Øygarden, P. Felke, H. Raddum, Analysis of multivariate encryption schemes: Application to Dob. Cryptology ePrint Archive, Report 2020/1442, 2020. https://ia.cr/2020/1442
M. Øygarden, P. Felke, H. Raddum, Analysis of Multivariate Encryption Schemes: Application to Dob, in IACR International Conference on Public-Key Cryptography (Springer, 2021), pp. 155–183
M. Øygarden, P. Felke, H. Raddum, C. Cid, Cryptanalysis of the multivariate encryption scheme EFLASH, in Cryptographers’ Track at the RSA Conference (Springer, 2020), pp. 85–105
Acknowledgements
Morten Øygarden has been funded by The Research Council of Norway through the project “qsIoT: Quantum safe cryptography for the Internet of Things.” The authors would like to thank Carlos Cid for useful discussions on this work.
Additional information
Communicated by Anne Canteaut.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This paper was reviewed by Magali Bardet and by an anonymous reviewer.
Appendices
Appendix A: Formulas for Dob Degree Fall Polynomials at \(\nu =5\)
\(\mathbf {N_5^{(1,1)}:}\) Let us start by examining \((\mathcal {S}^{M^{(1,1)}}(\mathcal {F}^h))_5\). The polynomials involving the quadratic polynomials from \(Q_+\), namely the \(q_i^h\), are easy to classify, as they only appear as products with the 2d degree fall polynomials at \(\nu = 3\) (from Sect. ). The elements containing the ip linear forms are slightly more involved. At first glance, the \(\nu = 3\) syzygies will generate \(2d\cdot \text {dim}_2(V^1)\), but we also need to take into consideration the cancellations appearing at \(\nu = 4\) (which sum up to the \(-d\) term in Eq. (3.3)). Assuming that none of these cancellations can be factorized by a linear form in Span\((v_1,\ldots ,v_k)\) (which is highly likely when \(n \gg k\)), we need to subtract kd to account for them.
Turning our attention to the modifiers, we can combine (v) and (ii) from Lemma 3, to get
Expecting that \((Q^2\cap V^3)_5\) is empty, and using Lemma 3 (iv), we can further rewrite this as
Example 1 covers dim\(_5(V^1Q^1)\), and we will deal with the intersections through ad hoc arguments. We expect \(\langle Q^2\cap V^1Q^1 \rangle _5\) to be generated by the possible combinations \(q_iq_jv_l\), so we estimate its dimension to be \(k\left( {\begin{array}{c}t\\ 2\end{array}}\right) \). Similarly, \(\langle V^3\cap V^1Q^1 \rangle _5\) is expected to be generated by the combinations \(v_iv_jv_rq_l\), and its dimension is expected to be \(t\left( {\begin{array}{c}k\\ 3\end{array}}\right) \).
Lastly, we examine \(M^{(1,1)}M^{(2,1)}\langle \mathcal {P}^h\rangle \). At degree 5, the only possible combinations are \(v_iv_jv_rp_l\), and \(v_iq_jp_l\). All this information sums up to the following:
Remark 3
We have run tests for \(\dim _5(\mathcal {S}^{M^{(1,1)}}(\mathcal {F}^h))\), \(\dim _5(M^{(1,1)}M^{(2,1)})\) and \(\dim _5(M^{(1,1)}M^{(2,1)}\langle \mathcal {P}^h\rangle )\), and separately they agree with what we have counted above. However, when running tests for \((N_5^{(1,1)})'\) as a whole, we find that the theoretical formula presented in Eq. (A.1) consistently undershoots the number of degree fall polynomials by 4d. Hence, there is some interplay between the separate parts making up the formula that we do not yet understand. For this reason, we adjust Eq. (5.10) in the main part of the text by this value, i.e., \(N_5^{(1,1)} = \big (N_5^{(1,1)}\big )' + 4d\).
\(\mathbf {N_5^{(2,1)}:}\) The degree five part of \(\mathcal {S}^{M^{(2,1)}}(\mathcal {F}^h)\) is given by Equation (5.2). An application of Lemma 3 (iv) and (v) leads to
Example 1 (b) is used to compute \(\text {dim}_5(V^2Q^1)\), and we furthermore expect no polynomials of degree five in \(M^{(2,1)}M^{(2,1)}\langle \mathcal {P}^h\rangle \). All this sums up to the following estimate:
Similarly to what was discussed in Remark 3, we also find that the theoretically predicted \(\big (N_{5}^{(2,1)}\big ) '\) is off by 4d in experiments. Hence, we adjust for this in Eq. (5.11) by setting \(N_5^{(2,1)} = \big (N_{5}^{(2,1)}\big ) ' + 4d\).
Appendix B: Proof of Lemma 7
By a slight abuse of notation we will consider \(\widetilde{W}_\eta \) to include integers, by listing the index of the variables it contains. Recall the (r, d)-Covering Problem, which can be stated as follows: for given d and \(r<d-1\), find \(\rho \) subsets \(\widetilde{W}_\eta \subset \{1,\ldots ,d\}\) of size \(d-r\), such that for any pair (i, j) where \(1\le i<j\le d\), \(\{i,j\}\subset \widetilde{W}_\eta \) for at least one \(\eta \).
Proof of Lemma 7
Let \(s=\lfloor (d-r)/2\rfloor \). We divide \(\{1,\ldots ,d\}\) into blocks of size s:
Let the sets \(\widetilde{W}_\eta \) for \(1\le \eta \le \left( {\begin{array}{c}\lfloor d/s\rfloor \\ 2\end{array}}\right) \) be defined as the union of \(C_a\) and \(C_b\), for all choices of \(1\le a<b\le \lfloor d/s\rfloor \). In the case \(d-r\) is odd, we also add one arbitrary extra number to each set to make sure that each \(\widetilde{W}_\eta \) contains exactly \(d-r\) numbers.
Any \(\{i,j\}\subset \{1,\ldots ,s\lfloor d/s\rfloor \}\) will then be contained in at least one \(\widetilde{W}_\eta \). If both i and j belong to the same block \(C_b\), then all \(\widetilde{W}_\eta \) involving \(C_b\) will contain \(\{i,j\}\). If \(i\in C_a\) and \(j\in C_b\) for \(a\ne b\), then the set \(\widetilde{W}_\eta =C_a\cup C_b\) will contain \(\{i,j\}\). Hence, the \(\left( {\begin{array}{c}\lfloor d/s\rfloor \\ 2\end{array}}\right) \) sets constructed will cover all pairs from \(\{1,\ldots ,s\lfloor d/s\rfloor \}\).
If s divides d we are done. Otherwise, to cover all pairs of numbers in \(\{1,\ldots ,d\}\) it is sufficient to create \(\lfloor d/s\rfloor \) new \(\widetilde{W}\)-sets consisting of \(\{s\lfloor d/s\rfloor +1,\ldots ,d\}\cup C_b\cup \{s-(d-s\lfloor d/s\rfloor ) \text{ extra } \text{ numbers }\}\), where \(1\le b\le \lfloor d/s\rfloor \), and the extra numbers are arbitrary. The total number of sets will then be \(\left( {\begin{array}{c}\lceil d/s\rceil \\ 2\end{array}}\right) \), and replacing s with \(\lfloor (d-r)/2\rfloor \) we get Lemma 7. \(\square \)
For the particular case \(d=129, r=79\) (which is used in Sect. 7.8), we get \(\rho \le 15\). Doing the exercise in practice, we find that \(\rho =11\) is sufficient to solve the problem by extending the block \(C_5\) to cover all numbers \(101,\ldots ,129\), and modifying slightly the sets involving \(C_5\).
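The block construction from the proof of Lemma 7, written out as an added example (my own code, not the authors' or their repository's); the choice of the "arbitrary extra numbers" as the smallest unused indices and the helper names are assumptions. It builds the \(\widetilde{W}_\eta \) sets for given \(d, r\), checks that every pair is covered and every set has exactly \(d-r\) elements, and compares the count with the bound \(\left( {\begin{array}{c}\lceil d/s\rceil \\ 2\end{array}}\right) \).

```python
from itertools import combinations
from math import comb


def pad(w, size, universe):
    """Add arbitrary extra numbers (here: the smallest unused ones, an
    assumption) until the set has exactly `size` elements."""
    w = set(w)
    for x in sorted(universe - w):
        if len(w) == size:
            break
        w.add(x)
    return frozenset(w)


def covering_sets(d, r):
    """Construct the (r, d)-covering of Appendix B: subsets W of {1,...,d},
    each of size d - r, such that every pair {i, j} lies in at least one W."""
    s = (d - r) // 2                       # block size s = floor((d - r)/2)
    if s < 1 or r >= d - 1:
        raise ValueError("need r < d - 1 and floor((d - r)/2) >= 1")
    nb = d // s                            # number of full blocks floor(d/s)
    blocks = [set(range(a * s + 1, (a + 1) * s + 1)) for a in range(nb)]
    universe = set(range(1, d + 1))
    size = d - r
    sets = []
    # One set C_a ∪ C_b for every pair of full blocks (padded if d - r is odd).
    for ca, cb in combinations(blocks, 2):
        sets.append(pad(ca | cb, size, universe))
    # If s does not divide d, the leftover numbers s*floor(d/s)+1, ..., d are
    # joined with every block C_b and padded with s - (d - s*floor(d/s)) extras.
    tail = set(range(s * nb + 1, d + 1))
    if tail:
        for cb in blocks:
            sets.append(pad(tail | cb, size, universe))
    return sets


def covers_all_pairs(sets, d):
    """True iff every pair {i, j}, 1 <= i < j <= d, lies in some set."""
    return all(any({i, j} <= w for w in sets)
               for i, j in combinations(range(1, d + 1), 2))


def lemma7_bound(d, r):
    """The bound of Lemma 7: binom(ceil(d/s), 2) with s = floor((d - r)/2)."""
    s = (d - r) // 2
    return comb(-(-d // s), 2)


if __name__ == "__main__":
    W = covering_sets(129, 79)             # the Sect. 7.8 parameters
    print(len(W), lemma7_bound(129, 79), covers_all_pairs(W, 129))
```

For \(d=129, r=79\) the construction returns exactly the 15 sets of the bound; the tighter \(\rho =11\) mentioned above is a hand-tuned variant and is not reproduced here.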
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Øygarden, M., Felke, P. & Raddum, H. Analysis of Multivariate Encryption Schemes: Application to Dob and \({C}^{*}\). J Cryptol 37, 20 (2024). https://doi.org/10.1007/s00145-024-09501-w