Post on 16-Jul-2020
Hybrid Approach : a Tool for MultivariateCryptography
Luk Bettale1 Jean-Charles Faugère Ludovic Perret
LIP6 - SALSAUPMC, CNRS, INRIA Paris-Rocquencourt
Workshop on Tools for Cryptanalysis 2010Royal Holloway University of London
June 2010
1author partially supported by DGA/MRIS (french secretary of defense)Luk Bettale 1/25
Introduction
Algebraic CryptanalysisGeneral analysis (such as linear, differential)
ModelingSolving (or estimate difficulty)
Setting parameters of multivariate cryptosystems.
Luk Bettale Introduction 2/25
Introduction
Algebraic CryptanalysisGeneral analysis (such as linear, differential)
ModelingSolving (or estimate difficulty)
Setting parameters of multivariate cryptosystems.
Luk Bettale Introduction 2/25
Introduction
Algebraic CryptanalysisGeneral analysis (such as linear, differential)
ModelingSolving (or estimate difficulty)
Setting parameters of multivariate cryptosystems.
Luk Bettale Introduction 2/25
Multivariate cryptography
PropertiesThe public key is a quadratic systemVery efficient (hardware)Resist quantum computers.
ExamplesC∗, HFEUOV, SFLASH...
Luk Bettale Introduction 3/25
Multivariate signature
Secret keyF : Fn+r
q → Fnq Easy to invert
(x1, . . . ,xn+r) → (f1(x1, . . . ,xn+r), . . . ,fn(x1, . . . ,xn+r))
S,T ∈GLn+r(Fq)×GLn(Fq)
Public keyG : Fn+r
q → Fnq
(x1, . . . ,xn+r) → (g1(x1, . . . ,xn), . . . ,gn(x1, . . . ,xn))
G = T ◦F◦S = F(x ·S) ·T .
VerifyG (s,m): Evaluate G(s) = m
Luk Bettale Introduction 4/25
Attacks on multivariate signature schemes
Signature forgery attackGiven a message m = (m1, . . . ,mn), find a signature (s1, . . . ,sn+r)such that G(x) = m.
Solve the systemg1()−m1 = 0
...gn()−mn = 0
An Braeken, Bart Preneel, and Christopher Wolf.A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes.CT-RSA 05.
Lih-Chung Wang, Yuh-Hua Hu, Feipei Lai, Chun-Yen Chou, and Bo-Yin Yang.Tractable Rational Map Signature.PKC 05.
TRMS: q = 28,n = 20.
Luk Bettale Introduction 5/25
Attacks on multivariate signature schemes
Signature forgery attackGiven a message m = (m1, . . . ,mn), find a signature (s1, . . . ,sn+r)such that G(x) = m.
Solve the systemg1(x1, . . . ,xn+r)−m1 = 0
...gn(x1, . . . ,xn+r)−mn = 0
An Braeken, Bart Preneel, and Christopher Wolf.A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes.CT-RSA 05.
Lih-Chung Wang, Yuh-Hua Hu, Feipei Lai, Chun-Yen Chou, and Bo-Yin Yang.Tractable Rational Map Signature.PKC 05.
TRMS: q = 28,n = 20.
Luk Bettale Introduction 5/25
Attacks on multivariate signature schemes
Signature forgery attackGiven a message m = (m1, . . . ,mn), find a signature (s1, . . . ,sn+r)such that G(x) = m.
Solve the systemg1(x1, . . . ,xn,y1, . . . ,yr)−m1 = 0
...gn(x1, . . . ,xn,y1, . . . ,yr)−mn = 0
An Braeken, Bart Preneel, and Christopher Wolf.A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes.CT-RSA 05.
Lih-Chung Wang, Yuh-Hua Hu, Feipei Lai, Chun-Yen Chou, and Bo-Yin Yang.Tractable Rational Map Signature.PKC 05.
TRMS: q = 28,n = 20.
Luk Bettale Introduction 5/25
Attacks on multivariate signature schemes
Signature forgery attackGiven a message m = (m1, . . . ,mn), find a signature (s1, . . . ,sn+r)such that G(x) = m.
Solve the systemg′1(x1, . . . ,xn)−m1 = 0
...g′n(x1, . . . ,xn)−mn = 0
An Braeken, Bart Preneel, and Christopher Wolf.A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes.CT-RSA 05.
Lih-Chung Wang, Yuh-Hua Hu, Feipei Lai, Chun-Yen Chou, and Bo-Yin Yang.Tractable Rational Map Signature.PKC 05.
TRMS: q = 28,n = 20.
Luk Bettale Introduction 5/25
Attacks on multivariate signature schemes
Signature forgery attackGiven a message m = (m1, . . . ,mn), find a signature (s1, . . . ,sn+r)such that G(x) = m.
Solve the systemg′1(x1, . . . ,xn)−m1 = 0
...g′n(x1, . . . ,xn)−mn = 0
An Braeken, Bart Preneel, and Christopher Wolf.A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes.CT-RSA 05.
Lih-Chung Wang, Yuh-Hua Hu, Feipei Lai, Chun-Yen Chou, and Bo-Yin Yang.Tractable Rational Map Signature.PKC 05.
TRMS: q = 28,n = 20.Luk Bettale Introduction 5/25
Polynomial System Solving
Given f1(x1, . . . ,xn), . . . ,fm(x1, . . . ,xn) of Fq[x1, . . . ,xn], doesthere exist z1, . . . ,zn ∈ Fn
q such that:
f1(z1, . . . ,zn) = 0
...fm(z1, . . . ,zn) = 0
Polynomial System Solving is NP-hardHard in practice for generic polynomials.
Luk Bettale Introduction 6/25
Polynomial System Solving
Given f1(x1, . . . ,xn), . . . ,fm(x1, . . . ,xn) of Fq[x1, . . . ,xn], doesthere exist z1, . . . ,zn ∈ Fn
q such that:
f1(z1, . . . ,zn) = 0
...fm(z1, . . . ,zn) = 0
Polynomial System Solving is NP-hardHard in practice for generic polynomials.
Luk Bettale Introduction 6/25
Known methods
Exhaustive searchGröbner bases with/without field equations...
Luk Bettale Introduction 7/25
Known methods
Exhaustive searchGröbner bases with/without field equations...
Luk Bettale Introduction 7/25
Gröbner bases algorithms
AlgorithmsBuchberger : the historical algorithmF4 : linear algebra on matricesF5 : no useless computations for semi-regular systems
GB : O((
m ·(n+dreg−1
dreg
))ω), FGLM : O (n ·Dw) ,
with 2 6 ω 6 3, D the number of solutions in K.
Jean-Charles Faugère.A new efficient algorithm for computing Gröbner bases (F4).Journal of Pure and Applied Algebra 139, June 1999.
Jean-Charles Faugère.A new efficient algorithm for computing Gröbner bases without reduction to zero(F5).ISSAC 2002, July 2002.
Luk Bettale Introduction 8/25
Semi-regular systems
Semi-regular systemsg ·fi ∈ 〈f1, . . . ,fi−1〉 ⇒ g ∈ 〈f1, . . . ,fi−1〉 if deg(g ·fi) 6 dreg.random system ⇒ semi-reg.The degree of regularity (dreg) can be known a prioriThe more equations we have, the more dreg decrease(e.g. for quadratic systems)m = n → dreg = n+1 m = n+1 → dreg = dn+1
2 e
Magali Bardet, Jean-Charles Faugère, Bruno Salvy and Bo-Yin Yang.Asymptotic Behaviour of the Degree of Regularity of Semi-Regular PolynomialSystems.MEGA 2005.
Luk Bettale Introduction 9/25
Solving a system
fi ∈ Fq[x1, . . . ,xn] for 1 6 i 6 nf1(x1, . . . ,xn) = 0
...fn(x1, . . . ,xn) = 0
Specificity (m = n)Square systems ⇒ dn solutions in the algebraic closureFq is finite and rather big (no field equations).
HypothesesRegular system ⇒ dreg = n(d−1)+1Semi-regular sub-systems.
Luk Bettale Hybrid approach 10/25
Solving a system
fi ∈ Fq[x1, . . . ,xn] for 1 6 i 6 nf1(x1, . . . ,xn) = 0
...fn(x1, . . . ,xn) = 0
Specificity (m = n)Square systems ⇒ dn solutions in the algebraic closureFq is finite and rather big (no field equations).
HypothesesRegular system ⇒ dreg = n(d−1)+1Semi-regular sub-systems.
Luk Bettale Hybrid approach 10/25
Solving a system – Hybrid approach
SolutionWe specialize k variables of the system (exhaustive search)⇒ the system becomes over-defined+ The degree of regularity decreases+ The number of solutions is 0 or 1– We have to compute qk Gröbner bases.
Luk Bettale, Jean-Charles Faugère and Ludovic Perret.Hybrid approach for solving multivariate systems over finite fields.In Journal of Mathematical Cryptology, Volume 3, issue 3. Sep 2009.
A tradeoff between exhaustive search and Gröbner basescomputation.
Luk Bettale Hybrid approach 11/25
Solving a system – Hybrid approach
SolutionWe specialize k variables of the system (exhaustive search)⇒ the system becomes over-defined+ The degree of regularity decreases+ The number of solutions is 0 or 1– We have to compute qk Gröbner bases.
Luk Bettale, Jean-Charles Faugère and Ludovic Perret.Hybrid approach for solving multivariate systems over finite fields.In Journal of Mathematical Cryptology, Volume 3, issue 3. Sep 2009.
A tradeoff between exhaustive search and Gröbner basescomputation.
Luk Bettale Hybrid approach 11/25
Complexity analysis
Proposition
Let Fq be a finite field and {f1, . . . ,fn} ⊂ Fq[x1, . . . ,xn] be asemi-regular system of equations of degree d.
O
min06k6n︸ ︷︷ ︸tradeoff
qk︸︷︷︸exh. search
(n ·(n−k−1+dreg(n−k,n,d)
dreg(n−k,n,d)))ω
︸ ︷︷ ︸GB
+n ·Dω︸ ︷︷ ︸FGLM
,
where 2 6 ω 6 3.
dreg(n,m,d) is the dreg of a semi-regular system of m equations ofdegree d in n variables.
The degree of regularity can be computed exactly.
Luk Bettale Hybrid approach 12/25
Complexity analysis
Proposition
Let Fq be a finite field and {f1, . . . ,fn} ⊂ Fq[x1, . . . ,xn] be asemi-regular system of equations of degree d.
O
min06k6n︸ ︷︷ ︸tradeoff
qk︸︷︷︸exh. search
(n ·(n−k−1+dreg(n−k,n,d)
dreg(n−k,n,d)))ω
︸ ︷︷ ︸GB
+n ·Dω︸ ︷︷ ︸FGLM
,
where 2 6 ω 6 3.
dreg(n,m,d) is the dreg of a semi-regular system of m equations ofdegree d in n variables.
The degree of regularity can be computed exactly.
Luk Bettale Hybrid approach 12/25
Complexity analysis
Proposition
Let Fq be a finite field and {f1, . . . ,fn} ⊂ Fq[x1, . . . ,xn] be asemi-regular system of equations of degree d.
O
min16k6n︸ ︷︷ ︸tradeoff
qk︸︷︷︸exh. search
(n ·(n−k−1+dreg(n−k,n,d)
dreg(n−k,n,d)))ω
︸ ︷︷ ︸GB
,
where 2 6 ω 6 3.
dreg(n,m,d) is the dreg of a semi-regular system of m equations ofdegree d in n variables.
The degree of regularity can be computed exactly.
Luk Bettale Hybrid approach 12/25
Asymptotic analysis (d = 2)
Approximation of dreg(n−k,n,2)
dreg ∼n+k
2 −√
nk +O((n−k)1/3)
when n→∞.
Magali BardetÉtude des systèmes algébriques surdéterminés. Applications aux codescorrecteurs et à la cryptographie.Ph.D. thesis, Université de Paris VI, 2004.
Approximation of the complexity
CHyb =O
(q
k
(n√
2π
)ω
( (3n−k
2 −1−√nk)(3n−k−1)/2−
√nk
(n−k−1)(n−k−1/2)(
n+k2 −
√nk)(n+k+1)/2−
√nk
)ω)
when n→∞.
Luk Bettale Hybrid approach 13/25
Borderline case (d = 2)
Classical approach(dreg = n + 1)
O((
n ·( 2n
n−1))ω)
Hybrid approach with k = 1(dreg = dn+1
2 e)
O(q(n ·(3(n−1)/2
n−2))ω)
Best tradeoff > 0
log2(q)≤ 0.6226 ·ω ·n+O(log2(n))
when n→∞.
Luk Bettale Hybrid approach 14/25
Borderline case (d = 2)
Classical approach(dreg = n + 1)
O((
n ·( 2n
n−1))ω)
Hybrid approach with k = 1(dreg = dn+1
2 e)
O(q(n ·(3(n−1)/2
n−2))ω)
Best tradeoff > 0
log2(q)≤ 0.6226 ·ω ·n+O(log2(n))
when n→∞.
Luk Bettale Hybrid approach 14/25
Finding the best tradeoff (d = 2)
Find the best tradeoff by solving ∂ log(CHyb)∂k
= 0.
log(q)+ω
(log(n−k−1)+ 1
2(n−k−1)
)
−ω
2 (1+√
n/k)
log(
3n−k
2 −1−√
nk
)+ 1
2(
3n−k2 −1−
√nk)
−ω
2 (1−√
n/k)
log(
n+k
2 −√
nk
)+ 1
2(
n+k2 −
√nk)= 0.
Luk Bettale Hybrid approach 15/25
Finding the best tradeoff (d = 2)
Find the best tradeoff by solving ∂ log(CHyb)∂k
= 0.
k ≈ n
c2
8q (c−1)3c−3 e−3/2c ln((3c+1)(c−1)) (c−1)3 (c+1)3
−((3c+1)(c−1))3/2 = 0
q 2 16 256 65521 232 264 280
c2 1.23 3.07 9.15 37.13 160.37 678.32 1073.1
Luk Bettale Hybrid approach 15/25
Comparison
Luk Bettale Hybrid approach 16/25
Comparison
Luk Bettale Hybrid approach 16/25
Comparison
Luk Bettale Hybrid approach 16/25
Overall
Luk Bettale Hybrid approach 17/25
Overall
Luk Bettale Hybrid approach 17/25
Algorithm
Input: K is finite, {f1, . . . ,fm} ⊂K[x1, . . . ,xn] iszero-dimensional, k ∈ N.
Output: S = {(z1, . . . ,zn) ∈Kn : fi(z1, . . . ,zn) = 0,1≤ i≤m}.S := ∅for all (v1, . . . ,vk) ∈Kk doFind the set of solutions S ′ ⊂K(n−k) of
f1(x1, . . . ,xn−k,v1, . . . ,vk) = 0...
fm(x1, . . . ,xn−k,v1, . . . ,vk) = 0using the zero-dim solving strategy.S := S ∪{(z′1, . . . ,z′n−k,v1, . . . ,vk) : (z′1, . . . ,z′n−k) ∈ S ′}.
end forreturn S.
Luk Bettale Hybrid approach 18/25
Algorithm (magma)
function HybridSolving(F,k)R := Universe(F); K := BaseRing(R); n := Rank(R);Rp<[x]> := PolynomialRing(K,n-k);Kev := VectorSpace(K,k);S := [ ];for e in Kev do
v := Eltseq(e);fp := [ Evaluate(f,x cat v) : f in F ];Sp := VarietySequence(Ideal(fp));S cat:= [ s cat v : s in Sp ];
end for;return S;
end function;
http://www-salsa.lip6.fr/~bettale/hybrid.html
Luk Bettale Hybrid approach 19/25
TRMS: Experimental results
q n k TF5 mem. (MB) NopF5 Nop
28 20
1 - - - -
2 51h 41940 241 257
3 2h45 4402 237 261
4 626s 912 234 266
Practical tradeoff : k = 2. Broken in < 51h on 216 proc.
Luk Bettale, Jean-Charles Faugère, and Ludovic Perret.Cryptanalysis of the TRMS Signature Scheme of PKC’05.AFRICACRYPT 2008.
Luk Bettale Hybrid approach 20/25
Analysis of several multivariate schemes
n qexpectedsecurity
Gröbnerbasis(k = 0)
hybridapproach mem.
UOV30 10 28 280 241 237 (k = 1) 2 MB
UOV60 20 28 2160 282 266 (k = 1) 139 GB
enTTS 267 (k = 2) 12 GB
Rainbow 24 28 2192 298 278 (k = 1) 10 TB
amTTS 279 (k = 2) 816 GB
Andrey Bogdanov, Thomas Eisenbarth, Andy Rupp, and Christopher Wolf.Time-Area Optimized Public-Key Engines: MQ-Cryptosystems as Replacementfor Elliptic Curves?CHES ’08: Proceedings of the 10th international workshop on CryptographicHardware and Embedded Systems.
Luk Bettale Hybrid approach 21/25
Analysis of several multivariate schemes
n qexpectedsecurity
Gröbnerbasis(k = 0)
hybridapproach mem.
UOV30 10 28 280 241 237 (k = 1) 2 MB
UOV60 20 28 2160 282 266 (k = 1) 139 GB
enTTS 267 (k = 2) 12 GB
Rainbow 24 28 2192 298 278 (k = 1) 10 TB
amTTS 279 (k = 2) 816 GB
Andrey Bogdanov, Thomas Eisenbarth, Andy Rupp, and Christopher Wolf.Time-Area Optimized Public-Key Engines: MQ-Cryptosystems as Replacementfor Elliptic Curves?CHES ’08: Proceedings of the 10th international workshop on CryptographicHardware and Embedded Systems.
Luk Bettale Hybrid approach 21/25
Block hybrid approach: Motivations
High degree polynomialsSemaev polynomials
Solving DLP on curves
Pierrick Gaudry.Index calculus for abelian varieties of small dimension and the elliptic curvediscrete logarithm problem.Journal of Symbolic Computation 2009.
Luk Bettale Hybrid approach 22/25
Previous approaches
Field equations
〈f1(x1, . . . ,xn), . . . ,fm(x1, . . . ,xn),xq1−x1, . . . ,xq
n−xn〉
xq−x =d∏
i=1(x−e1,i) . . .
d∏i=1
(x−el,i)
Hybrid approach
I = 〈f1(x1, . . . ,xn−k,v1, . . . ,vk), . . . ,fm(x1, . . . ,xn−k,v1, . . . ,vk)〉
J = 〈f1(x1, . . . ,xn), . . . ,fm(x1, . . . ,xn),xn−k+1−v1, . . . ,xn−vk〉
I = J ∩K[x1, . . . ,xn−k]
Luk Bettale Hybrid approach 23/25
Block hybrid approach
Principle
〈f1(x1, . . . ,xn), . . . ,fm(x1, . . . ,xn),d∏
i=1(x1−e1,i), . . . ,
d∏i=1
(xk−ek,i)〉
We have to compute( q
d
)k Gröbner bases.
Complexity
O
min06k6n
⌈ q
d
⌉k·CF5
n,{
d1, . . . ,dm,d, . . . ,d︸ ︷︷ ︸k
}
Luk Bettale Hybrid approach 24/25
Conclusion
Applications in cryptographyA general tool for solving random systems over finite fieldReevaluate parameters of multivariate cryptosystemsBlock hybrid approach for high degree equationsImplementation in MAGMA.http://www-salsa.lip6.fr/~bettale/hybrid.html
Luk Bettale Conclusion 25/25