Hybrid Approach: a Tool for Multivariate Cryptography

Luk Bettale (1), Jean-Charles Faugère, Ludovic Perret
LIP6 - SALSA, UPMC, CNRS, INRIA Paris-Rocquencourt

Workshop on Tools for Cryptanalysis 2010, Royal Holloway University of London, June 2010

(1) Author partially supported by DGA/MRIS (French secretary of defense).

Luk Bettale 1/25

Introduction

- Algebraic cryptanalysis
- General analysis (such as linear, differential)
- Modeling
- Solving (or estimating the difficulty)
- Setting parameters of multivariate cryptosystems.


Multivariate cryptography

Properties
- The public key is a quadratic system
- Very efficient (hardware)
- Resists quantum computers.

Examples: C*, HFE, UOV, SFLASH...

Multivariate signature

Secret key: $F : \mathbb{F}_q^{n+r} \to \mathbb{F}_q^n$, easy to invert,
$(x_1,\dots,x_{n+r}) \mapsto (f_1(x_1,\dots,x_{n+r}),\dots,f_n(x_1,\dots,x_{n+r}))$,
together with $(S, T) \in GL_{n+r}(\mathbb{F}_q) \times GL_n(\mathbb{F}_q)$.

Public key: $G : \mathbb{F}_q^{n+r} \to \mathbb{F}_q^n$,
$(x_1,\dots,x_{n+r}) \mapsto (g_1(x_1,\dots,x_{n+r}),\dots,g_n(x_1,\dots,x_{n+r}))$,
$$G = T \circ F \circ S = F(x \cdot S) \cdot T.$$

Verify$_G(s, m)$: evaluate $G(s) = m$.

Attacks on multivariate signature schemes

Signature forgery attack: given a message $m = (m_1,\dots,m_n)$, find a signature $s = (s_1,\dots,s_{n+r})$ such that $G(s) = m$.

Solve the system
$g_1(x_1,\dots,x_{n+r}) - m_1 = 0$
...
$g_n(x_1,\dots,x_{n+r}) - m_n = 0$

Writing the $n + r$ unknowns as $(x_1,\dots,x_n,y_1,\dots,y_r)$:
$g_1(x_1,\dots,x_n,y_1,\dots,y_r) - m_1 = 0$
...
$g_n(x_1,\dots,x_n,y_1,\dots,y_r) - m_n = 0$

Fixing the $r$ extra unknowns $y_1,\dots,y_r$ leaves a square system of $n$ equations in $n$ unknowns:
$g'_1(x_1,\dots,x_n) - m_1 = 0$
...
$g'_n(x_1,\dots,x_n) - m_n = 0$

An Braeken, Bart Preneel, and Christopher Wolf. A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes. CT-RSA 05.

Lih-Chung Wang, Yuh-Hua Hu, Feipei Lai, Chun-Yen Chou, and Bo-Yin Yang. Tractable Rational Map Signature. PKC 05.

TRMS: $q = 2^8$, $n = 20$.

Polynomial System Solving

Given $f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n) \in \mathbb{F}_q[x_1,\dots,x_n]$, does there exist $(z_1,\dots,z_n) \in \mathbb{F}_q^n$ such that
$f_1(z_1,\dots,z_n) = 0$
...
$f_m(z_1,\dots,z_n) = 0$?

Polynomial System Solving is NP-hard, and hard in practice for generic polynomials.

Known methods

- Exhaustive search
- Gröbner bases, with/without field equations
- ...

Gröbner bases algorithms

Algorithms
- Buchberger: the historical algorithm
- F4: linear algebra on matrices
- F5: no useless computations for semi-regular systems

GB: $O\left(\left(m \cdot \binom{n + d_{reg} - 1}{d_{reg}}\right)^{\omega}\right)$, FGLM: $O\left(n \cdot D^{\omega}\right)$, with $2 \le \omega \le 3$ and $D$ the number of solutions in $K$.

Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139, June 1999.

Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). ISSAC 2002, July 2002.

Semi-regular systems

Semi-regular systems: $g \cdot f_i \in \langle f_1,\dots,f_{i-1}\rangle \Rightarrow g \in \langle f_1,\dots,f_{i-1}\rangle$ whenever $\deg(g \cdot f_i) \le d_{reg}$.
- A random system is semi-regular.
- The degree of regularity ($d_{reg}$) can be known a priori.
- The more equations we have, the more $d_{reg}$ decreases (e.g. for quadratic systems): $m = n \rightarrow d_{reg} = n + 1$; $m = n + 1 \rightarrow d_{reg} = \lceil (n+1)/2 \rceil$.

Magali Bardet, Jean-Charles Faugère, Bruno Salvy and Bo-Yin Yang. Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems. MEGA 2005.

Solving a system

$f_i \in \mathbb{F}_q[x_1,\dots,x_n]$ for $1 \le i \le n$:
$f_1(x_1,\dots,x_n) = 0$
...
$f_n(x_1,\dots,x_n) = 0$

Specificity ($m = n$)
- Square systems ⇒ $d^n$ solutions in the algebraic closure
- $\mathbb{F}_q$ is finite and rather big (no field equations).

Hypotheses
- Regular system ⇒ $d_{reg} = n(d-1) + 1$
- Semi-regular sub-systems.

Solving a system – Hybrid approach

Solution: we specialize $k$ variables of the system (exhaustive search) ⇒ the system becomes over-defined.
+ The degree of regularity decreases
+ The number of solutions is 0 or 1
– We have to compute $q^k$ Gröbner bases.

Luk Bettale, Jean-Charles Faugère and Ludovic Perret. Hybrid approach for solving multivariate systems over finite fields. Journal of Mathematical Cryptology, Volume 3, issue 3, Sep 2009.

A tradeoff between exhaustive search and Gröbner bases computation.

Complexity analysis

Proposition. Let $\mathbb{F}_q$ be a finite field and $\{f_1,\dots,f_n\} \subset \mathbb{F}_q[x_1,\dots,x_n]$ be a semi-regular system of equations of degree $d$. The hybrid approach has complexity
$$O\left(\underbrace{\min_{0 \le k \le n}}_{\text{tradeoff}}\; \underbrace{q^k}_{\text{exh. search}}\; \underbrace{\left(n \cdot \binom{n-k-1+d_{reg}(n-k,n,d)}{d_{reg}(n-k,n,d)}\right)^{\omega}}_{\text{GB}} + \underbrace{n \cdot D^{\omega}}_{\text{FGLM}}\right),$$
where $2 \le \omega \le 3$. Restricted to $1 \le k \le n$ (the specialized system has at most one solution, so the FGLM term disappears):
$$O\left(\min_{1 \le k \le n} q^k \left(n \cdot \binom{n-k-1+d_{reg}(n-k,n,d)}{d_{reg}(n-k,n,d)}\right)^{\omega}\right).$$

$d_{reg}(n,m,d)$ is the $d_{reg}$ of a semi-regular system of $m$ equations of degree $d$ in $n$ variables.

The degree of regularity can be computed exactly.
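Added example (Python, not the authors' Magma implementation): it computes $d_{reg}(n, m, d)$ exactly from the Hilbert series $(1-t^d)^m/(1-t)^n$ of a semi-regular system, the characterization given in the Bardet et al. paper cited above, and evaluates the Gröbner-basis factor of the Proposition for every $k$ to locate the tradeoff. The value of $\omega$, the floor of 1 on the Gröbner-basis factor when $k = n$, and the use of the TRMS parameters $q = 2^8$, $n = 20$ as demo input are this example's own assumptions.

```python
"""Hybrid-approach cost estimate: an added example, not the authors' Magma code.

d_reg(n, m, d) is read off the Hilbert series (1 - t^d)^m / (1 - t)^n of a
semi-regular system (Bardet, Faugere, Salvy, Yang): it is the degree of the
first coefficient that is <= 0.  The cost of fixing k variables is then
    q^k * (n * C(n-k-1+d_reg(n-k,n,d), d_reg(n-k,n,d)))^omega
as in the Proposition; everything is reported in log2.  Assumptions of this
example: omega is a free parameter, and the Groebner-basis factor is floored
at 1 so that the degenerate case k = n (no variables left) is not free.
"""
from math import comb, log2


def series_coeff(n: int, i: int) -> int:
    """Coefficient of t^i in 1/(1-t)^n, for n >= 0 and i >= 0."""
    if n == 0:
        return 1 if i == 0 else 0
    return comb(n + i - 1, i)


def dreg(n: int, m: int, d: int) -> int:
    """Degree of regularity of m semi-regular equations of degree d in n variables."""
    if m < n:
        raise ValueError("under-determined system: the series has no non-positive term")
    deg = 0
    while True:
        # coefficient of t^deg in (1 - t^d)^m * (1 - t)^(-n)
        coeff = sum((-1) ** j * comb(m, j) * series_coeff(n, deg - d * j)
                    for j in range(min(m, deg // d) + 1))
        if coeff <= 0:
            return deg
        deg += 1


def hybrid_costs(q: int, n: int, d: int = 2, omega: float = 2.0) -> dict:
    """log2 of q^k * (n * C(n-k-1+d_reg, d_reg))^omega for every k in 0..n."""
    costs = {}
    for k in range(n + 1):
        dr = dreg(n - k, n, d)          # n equations left in n - k variables
        gb = max(1, n * comb(n - k - 1 + dr, dr))
        costs[k] = k * log2(q) + omega * log2(gb)
    return costs


def best_tradeoff(q: int, n: int, d: int = 2, omega: float = 2.0):
    """The k that minimises the hybrid cost, together with that cost (log2)."""
    costs = hybrid_costs(q, n, d, omega)
    k = min(costs, key=costs.get)
    return k, costs[k]


if __name__ == "__main__":
    # TRMS parameters from the slides: q = 2^8, n = 20, quadratic equations.
    for omega in (2.0, 3.0):
        k, c = best_tradeoff(256, 20, 2, omega)
        print(f"omega = {omega}: best k = {k}, cost about 2^{c:.1f}")
```

For these parameters the minimum sits at $k = 1$ with $\omega = 2$ and at $k = 2$ with $\omega = 3$; the practical choice of $k = 2$ on the TRMS results slide also depends on memory, which this estimate ignores.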

Asymptotic analysis ($d = 2$)

Approximation of $d_{reg}(n-k, n, 2)$:
$$d_{reg} \sim \frac{n+k}{2} - \sqrt{nk} + O\left((n-k)^{1/3}\right) \quad \text{when } n \to \infty.$$

Magali Bardet. Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. Ph.D. thesis, Université de Paris VI, 2004.

Approximation of the complexity:
$$C_{Hyb} = O\left(q^k \left(\frac{n}{\sqrt{2\pi}} \cdot \frac{\left(\frac{3n-k}{2} - 1 - \sqrt{nk}\right)^{(3n-k-1)/2 - \sqrt{nk}}}{(n-k-1)^{\,n-k-1/2}\left(\frac{n+k}{2} - \sqrt{nk}\right)^{(n+k+1)/2 - \sqrt{nk}}}\right)^{\omega}\right) \quad \text{when } n \to \infty.$$

Borderline case ($d = 2$)

Classical approach ($d_{reg} = n + 1$): $O\left(\left(n \cdot \binom{2n}{n-1}\right)^{\omega}\right)$.

Hybrid approach with $k = 1$ ($d_{reg} = \lceil (n+1)/2 \rceil$): $O\left(q \left(n \cdot \binom{3(n-1)/2}{n-2}\right)^{\omega}\right)$.

Best tradeoff $> 0$: $\log_2(q) \le 0.6226 \cdot \omega \cdot n + O(\log_2(n))$ when $n \to \infty$.

Finding the best tradeoff ($d = 2$)

Find the best tradeoff by solving $\frac{\partial \log(C_{Hyb})}{\partial k} = 0$:
$$\log(q) + \omega\left(\log(n-k-1) + \frac{1}{2(n-k-1)}\right) - \frac{\omega}{2}\left(1 + \sqrt{n/k}\right)\left(\log\left(\frac{3n-k}{2} - 1 - \sqrt{nk}\right) + \frac{1}{2\left(\frac{3n-k}{2} - 1 - \sqrt{nk}\right)}\right) - \frac{\omega}{2}\left(1 - \sqrt{n/k}\right)\left(\log\left(\frac{n+k}{2} - \sqrt{nk}\right) + \frac{1}{2\left(\frac{n+k}{2} - \sqrt{nk}\right)}\right) = 0.$$

The solution is $k \approx n/c^2$, where $c$ satisfies
$$8q\,(c-1)^{3c-3}\, e^{-\frac{3}{2} c \ln((3c+1)(c-1))}\,(c-1)^3 (c+1)^3 - \big((3c+1)(c-1)\big)^{3/2} = 0.$$

q     2      16     256    65521   2^32     2^64     2^80
c^2   1.23   3.07   9.15   37.13   160.37   678.32   1073.1

Comparison

(figure not present in the transcript)

Overall

(figure not present in the transcript)

Algorithm

Input: $K$ is finite, $\{f_1,\dots,f_m\} \subset K[x_1,\dots,x_n]$ is zero-dimensional, $k \in \mathbb{N}$.
Output: $S = \{(z_1,\dots,z_n) \in K^n : f_i(z_1,\dots,z_n) = 0,\ 1 \le i \le m\}$.

    S := ∅
    for all (v_1, ..., v_k) ∈ K^k do
        Find the set of solutions S' ⊂ K^(n-k) of
            f_1(x_1, ..., x_{n-k}, v_1, ..., v_k) = 0
            ...
            f_m(x_1, ..., x_{n-k}, v_1, ..., v_k) = 0
        using the zero-dim solving strategy.
        S := S ∪ {(z'_1, ..., z'_{n-k}, v_1, ..., v_k) : (z'_1, ..., z'_{n-k}) ∈ S'}.
    end for
    return S.

Algorithm (magma)

    function HybridSolving(F, k)
        // F: the input polynomials, k: number of variables to specialize
        R := Universe(F); K := BaseRing(R); n := Rank(R);
        // polynomial ring in the n-k variables that are kept
        Rp<[x]> := PolynomialRing(K, n-k);
        // every assignment of the k specialized variables
        Kev := VectorSpace(K, k);
        S := [ ];
        for e in Kev do
            v := Eltseq(e);
            // specialized system in n-k variables
            fp := [ Evaluate(f, x cat v) : f in F ];
            // zero-dimensional solving of the specialized system
            Sp := VarietySequence(Ideal(fp));
            S cat:= [ s cat v : s in Sp ];
        end for;
        return S;
    end function;

http://www-salsa.lip6.fr/~bettale/hybrid.html

TRMS: Experimental results

q     n    k    T_F5    mem. (MB)   Nop_F5   Nop
2^8   20   1    -       -           -        -
           2    51h     41940       2^41     2^57
           3    2h45    4402        2^37     2^61
           4    626s    912         2^34     2^66

Practical tradeoff: k = 2. Broken in < 51h on 2^16 processors.

Luk Bettale, Jean-Charles Faugère, and Ludovic Perret. Cryptanalysis of the TRMS Signature Scheme of PKC'05. AFRICACRYPT 2008.

Analysis of several multivariate schemes

scheme    n    q     expected security   Gröbner basis (k = 0)   hybrid approach   mem.
UOV30     10   2^8   2^80                2^41                    2^37 (k = 1)      2 MB
UOV60     20   2^8   2^160               2^82                    2^66 (k = 1)      139 GB
enTTS                                                            2^67 (k = 2)      12 GB
Rainbow   24   2^8   2^192               2^98                    2^78 (k = 1)      10 TB
amTTS                                                            2^79 (k = 2)      816 GB

Andrey Bogdanov, Thomas Eisenbarth, Andy Rupp, and Christopher Wolf. Time-Area Optimized Public-Key Engines: MQ-Cryptosystems as Replacement for Elliptic Curves? CHES '08: Proceedings of the 10th international workshop on Cryptographic Hardware and Embedded Systems.

Block hybrid approach: Motivations

- High degree polynomials
- Semaev polynomials
- Solving DLP on curves

Pierrick Gaudry. Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. Journal of Symbolic Computation 2009.

Previous approaches

Field equations:
$$\langle f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n),\, x_1^q - x_1,\dots,x_n^q - x_n\rangle,$$
$$x^q - x = \prod_{i=1}^{d}(x - e_{1,i}) \cdots \prod_{i=1}^{d}(x - e_{l,i}).$$

Hybrid approach:
$$I = \langle f_1(x_1,\dots,x_{n-k},v_1,\dots,v_k),\dots,f_m(x_1,\dots,x_{n-k},v_1,\dots,v_k)\rangle,$$
$$J = \langle f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n),\, x_{n-k+1} - v_1,\dots,x_n - v_k\rangle,$$
$$I = J \cap K[x_1,\dots,x_{n-k}].$$

Block hybrid approach

Principle:
$$\left\langle f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n),\, \prod_{i=1}^{d}(x_1 - e_{1,i}),\dots,\prod_{i=1}^{d}(x_k - e_{k,i})\right\rangle$$
We have to compute $(q/d)^k$ Gröbner bases.

Complexity:
$$O\left(\min_{0 \le k \le n} \left\lceil \frac{q}{d} \right\rceil^{k} \cdot C_{F5}\Big(n, \{d_1,\dots,d_m,\underbrace{d,\dots,d}_{k}\}\Big)\right)$$

Conclusion

Applications in cryptography
- A general tool for solving random systems over finite fields
- Reevaluate parameters of multivariate cryptosystems
- Block hybrid approach for high degree equations
- Implementation in MAGMA: http://www-salsa.lip6.fr/~bettale/hybrid.html