Skip to main content
SpringerLink
Log in

Cryptanalysis of the extension field cancellation cryptosystem

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

In this article, we present algebraic attacks against the Extension Field Cancellation (\(\texttt {EFC}\)) scheme, a multivariate public-key encryption scheme which was published at PQCRYPTO’2016. First, we present a successful Gröbner basis message-recovery attack on the first and second proposed parameters of the scheme. For the first challenge parameter, a Gröbner-based hybrid attack has a \(2^{65}\) bit complexity which beats the claimed 80 bit security level. We further show that the algebraic system arising from an \(\texttt {EFC}\) public-key is much easier to solve than a random system of the same size. Briefly, this is due to the apparition of many lower degree equations during the Gröbner basis computation. We present a polynomial-time method to recover such lower-degree relations and also show their usefulness in improving the Gröbner basis attack complexity on \(\texttt {EFC}\). Thus, we show that there is an algebraic structural weakness in the system of equations coming from \(\texttt {EFC}\) and hence makes the scheme not suitable for encryption.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1

Similar content being viewed by others

References

  1. Bardet M., Faugere J.-C., Salvy B.: On the complexity of gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proceedings of the International Conference on Polynomial System Solving, pp. 71–74 (2004).

  2. Bardet M., Faugère J.-C., Salvy B.: On the complexity of the f5 gröbner basis algorithm. J. Symb. Comput. 70, 49–70 (2015).

    Article  Google Scholar 

  3. Bardet M., Faugere J.-C., Salvy B., Yang B.-Y.: Asymptotic behaviour of the index of regularity of quadratic semi-regular polynomial systems. In: Gianni, P. (ed.) The Effective Methods in Algebraic Geometry Conference (MEGA’05), pp. 1–14. Citeseer (2005).

  4. Barker E., Roginsky A.: Transitions: recommendation for transitioning the use of cryptographic algorithms and key lengths. NIST Spec. Publ. 800, 131A (2011).

    Google Scholar 

  5. Berbain C., Billet O., Gilbert H.: Efficient implementations of multivariate quadratic systems. In: International Workshop on Selected Areas in Cryptography, pp. 174–187. Springer (2006).

  6. Bettale L.: Cryptanalyse algébrique: outils et applications. PhD thesis, Paris 6 (2011).

  7. Bettale L., Faugere J.-C., Perret L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptol. 3(3), 177–197 (2009).

    Article  MathSciNet  Google Scholar 

  8. Bettale L., Faugère J.-C., Perret L.: Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Des. Codes Cryptogr. 69(1), 1–52 (2013).

    Article  MathSciNet  Google Scholar 

  9. Beullens W., Preneel B.: Field lifting for smaller UOV public keys. In: International Conference on Cryptology in India, pp. 227–246. Springer (2017).

  10. Bouillaguet C., Fouque P.-A., Macario-Rat G.: Practical key-recovery for all possible parameters of sflash. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 667–685. Springer (2011).

  11. Buchberger B.: An algorithm for finding the base elements of the residual class ring after a zero-dimensional polynomial ideal. PhD thesis, Universitat Insbruck (1965).

  12. Buchberger B.: An algorithmical criteria for the solvability of algebraic systems of equations. Aequationes Math. 4, 374–383 (1970).

    Article  MathSciNet  Google Scholar 

  13. Buchberger B.: A criterion for detecting unnecessary reductions in the construction of gröbner-bases. In: International Symposium on Symbolic and Algebraic Manipulation, pp. 3–21. Springer (1979).

  14. Buchberger B.: Grobner bases: an algorithmic method in polynomial ideal theory. Multidimensional systems theory (1985).

  15. Buchmann J.A., Ding J., Mohamed M.S.E., Mohamed W.S.E.: Mutantxl: solving multivariate polynomial equations for cryptanalysis. In: Dagstuhl Seminar Proceedings. Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2009).

  16. Cabarcas D., Smith-Tone D., Verbel J.A.: Practical key recovery attack for ZHFE.

  17. Cartor R., Smith-Tone D.: Eflash: a new multivariate encryption scheme. In: International Conference on Selected Areas in Cryptography, pp. 281–299. Springer (2018).

  18. Casanova A., Faugère J.-C., Macario-Rat G., Patarin J., Perret L., Ryckeghem J.: Gemss: a great multivariate short signature. Submission to NIST (2017).

  19. Chen L., Chen L., Jordan S., Liu Y.-K., Moody D., Peralta R., Perlner R., Smith-Tone D.: Report on Post-quantum Cryptography. US Department of Commerce, National Institute of Standards and Technology (2016).

  20. Chen M.-S., Yang B.-Y., Smith-Tone D.: Pflash-secure asymmetric signatures on smart cards. In: Lightweight Cryptography Workshop (2015).

  21. Courtois N.T.: The security of hidden field equations (HFE). In: Cryptographers’ Track at the RSA Conference, pp. 266–281. Springer (2001).

  22. Devoret M.H., Schoelkopf R.J.: Superconducting circuits for quantum information: an outlook. Science 339(6124), 1169–1174 (2013).

    Article  Google Scholar 

  23. Ding J., Schmidt D.: Rainbow, a new multivariable polynomial signature scheme. In: International Conference on Applied Cryptography and Network Security, pp. 164–175. Springer (2005).

  24. Ding J., Zhang Z., Deaton J.: The singularity attack to the multivariate signature scheme HIMQ-3. Adv. Math. Commun. 15(1), 65 (2021).

    Article  MathSciNet  Google Scholar 

  25. Ding J., Zhang Z., Deaton J., Schmidt K., Vishakha F.: New attacks on lifted unbalanced oil vinegar. In: The 2nd NIST PQC Standardization Conference (2019).

  26. Dubois V., Fouque P.-A., Shamir A., Stern J.: Practical cryptanalysis of SFLASH. In: Annual International Cryptology Conference, pp. 1–12. Springer (2007).

  27. Faugere J.-C.: A new efficient algorithm for computing gröbner bases (f4). J. Pure Appl. Algebra 139(1–3), 61–88 (1999).

    Article  MathSciNet  Google Scholar 

  28. Faugère J.C.: A new efficient algorithm for computing gröbner bases without reduction to zero (f 5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, pp. 75–83. ACM (2002).

  29. Faugere J.-C., Joux A.: Algebraic cryptanalysis of hidden field equation (hfe) cryptosystems using gröbner bases. In: Annual International Cryptology Conference, pp. 44–60. Springer (2003).

  30. Faugere J.-C., Joux A., Perret L., Treger J.: Cryptanalysis of the hidden matrix cryptosystem. In: International Conference on Cryptology and Information Security in Latin America, pp. 241–254. Springer (2010).

  31. Fröberg R.: An inequality for Hilbert series of graded algebras. Math. Scand. 56(2), 117–144 (1985).

    Article  MathSciNet  Google Scholar 

  32. Garey M.R., Johnson D.S.: Computers and Intractability, vol. 174. Freeman, San Francisco (1979).

    MATH  Google Scholar 

  33. http://magma.maths.usyd.edu.au. Magma: High performace software for algebra, number theory and geometry.

  34. Jao D., De Feo L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: International Workshop on Post-quantum Cryptography, pp. 19–34. Springer (2011).

  35. Kipnis A., Patarin J., Goubin L.: Unbalanced oil and vinegar signature schemes. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 206–222. Springer (1999).

  36. Lazard D.: Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations. In: European Conference on Computer Algebra, pp. 146–156. Springer (1983).

  37. Matsumoto T., Imai H: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Workshop on the Theory and Application of of Cryptographic Techniques, pp. 419–453. Springer (1988).

  38. Mus K., Islam S., Sunar B.: QuantumHammer: a practical hybrid attack on the LUOV signature scheme. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 1071–1084 (2020).

  39. Overbeck R., Sendrier N.: Code-based cryptography. In: Post-quantum Cryptography, pp. 95–145. Springer (2009).

  40. Patarin J.: Cryptanalysis of the Matsumoto and Imai public key scheme of eurocrypt’88. In: Annual International Cryptology Conference, pp. 248–261. Springer (1995).

  41. Patarin J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 33–48. Springer (1996).

  42. Patarin J., Courtois N., Goubin L.: Quartz, 128-bit long digital signatures. In: Cryptographers’ Track at the RSA Conference, pp. 282–297. Springer (2001).

  43. Petzoldt A., Chen M.S., Yang B.Y., Tao C., Ding J.: Design principles for HFEv based signature schemes. In: ASIACRYPT 2015-part 1, LNCS vol. 9452, (2015).

  44. Petzoldt A., Chen M.S., Yang B.Y., Tao C., Ding J.: GUI documentation, https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions (2017).

  45. Regev O.: Lattice-based cryptography. In: Annual International Cryptology Conference, pp. 131–141. Springer (2006).

  46. Shamir A., Kipnis A.: Cryptanalysis of the HFE public key cryptosystem. In: Advances in Cryptology, Proceedings of Crypto, vol. 99 (1999).

  47. Shim K.-A., Park C.-M., Kim A.: Himq-3: A high speed signature scheme based on multivariate quadratic equations, NIST submission (2017). [on-line]. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions.

  48. Smith-Tone D.: Properties of the discrete differential with cryptographic applications. In: International Workshop on Post-Quantum Cryptography, pp. 1–12. Springer (2010).

  49. Szepieniec A., Ding J., Preneel B.: Extension field cancellation: a new central trapdoor for multivariate quadratic systems. In: International Workshop on Post-quantum Cryptography, pp. 182–196. Springer (2016).

  50. Vates J., Smith-Tone D.: Key recovery attack for all parameters of HFE. In: International Workshop on Post-Quantum Cryptography, pp. 272–288. Springer (2017).

  51. Zhang W., Tan C.H.: On the security and key generation of the ZHFE encryption scheme. In: International Workshop on Security, pp. 289–304. Springer (2016).

Download references

Author information

Authors and Affiliations

  1. Laboratoire d’Informatique de Paris 6, LIP6, Sorbonne Université, 4 place Jussieu, 75005, Paris, France

    Olive Chakraborty

  2. Laboratoire d’Informatique de Paris 6, LIP6, CryptoNext Security, Sorbonne Université, 4 place Jussieu, 75005, Paris, France

    Jean-Charles Faugère & Ludovic Perret

Authors
  1. Olive Chakraborty
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jean-Charles Faugère
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ludovic Perret
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Olive Chakraborty.

Additional information

Communicated by D. Panario.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix A: Toy example to compute the matrix \(\alpha _m({\mathbf {x}})\)

Let us consider the case of \({\mathbb {F}}_2\), with \(n=3\). Let us represent a polynomial ring over \({\mathbb {F}}_2\) as \({\mathbb {F}}_2[x_1,x_2,x_3]\) over the variables \({\mathbf {x}}=(x_1,x_2,x_3)\). So the extension field is defined by \({\mathbb {F}}_{2^3}\). Let \(\omega \) be algebraic over \({\mathbb {F}}_2\). Thus we can define \(\kappa = z^3 + z+1\) as the irreducible polynomial of \(\omega \) over \({\mathbb {F}}_2\). Now consider that the matrix \(A{\mathbf {x}}\) gives a column vector of three polynomials, say \(g_1,g_2,g_3 \in {\mathbb {F}}_2[{\mathbf {x}}]\). Hence

$$\begin{aligned} \varphi (A{\mathbf {x}}) = g_1 + \omega \cdot g_2 + \omega ^2 \cdot g_3 \in {\mathbb {F}}_{2^3}[{\mathbf {x}}] \end{aligned}$$

We now show the way to compute \(\alpha _m({\mathbf {x}}) \in \). We compute

$$\begin{aligned} \omega \cdot \varphi (A{\mathbf {x}})= & {} g_3 + \omega \cdot (g_1+g_3) + \omega ^2 \cdot g_2\\ \omega ^2 \cdot \varphi (A{\mathbf {x}})= & {} g_2 + \omega \cdot (g_2+g_3) + \omega ^2 \cdot (g_1+g_3) \end{aligned}$$

Hence the matrix that represents multiplication by \(\varphi (A{\mathbf {x}})\) with \({\mathbf {x}}\) is given by

$$\begin{aligned} \alpha _m({\mathbf {x}})= \begin{bmatrix} g_1 &{} g_2 &{} g_3 \\ g3 &{} (g_1 + g_3) &{} g_2 \\ g_2 &{} (g_2+g_3) &{} (g_1+g_3) \\ \end{bmatrix} \end{aligned}$$
Table 16 Experimental Degree of regularity observed in Magma \(\mathsf {F4}\)
Full size table

Appendix B: List of experimental degree of regularities

In the following table, we provide a table of the degree of regularities that were observed in experiments for varying parameter values of n and a for \(\texttt {EFC}_2^-(a)\). The list is partially empty because of many computations were not completed because of lack of memory. We have left those cells blank.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Chakraborty, O., Faugère, JC. & Perret, L. Cryptanalysis of the extension field cancellation cryptosystem. Des. Codes Cryptogr. 89, 1335–1364 (2021). https://doi.org/10.1007/s10623-021-00873-9

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-021-00873-9

Keywords

Mathematics Subject Classification

Search

Navigation