Abstract
At PQCRYPTO 2014, Porras, Baena and Ding introduced ZHFE, an interesting new technique for multivariate post-quantum encryption. The scheme is a generalization of HFE in which a single low degree polynomial in the central map is replaced by a pair of high degree polynomials with a low degree cubic polynomial contained in the ideal they generate. We present a key recovery attack for ZHFE based on the independent discoveries of the low rank property of ZHFE by Verbel and by Perlner and Smith-Tone. Thus, although the two central maps of ZHFE have high degree, their low rank property makes ZHFE vulnerable to the Kipnis-Shamir (KS) rank attack. We adapt the KS attack, as pioneered by Bettale, Faugère and Perret in application to HFE, and asymptotically break ZHFE.
References
Baena, J.B., Cabarcas, D., Escudero, D.E., Porras-Barrera, J., Verbel, J.A.: Efficient ZHFE key generation. In: Takagi [27], pp. 213–232. http://dx.doi.org/10.1007/978-3-319-29360-8_14
Bettale, L., Faugère, J.C., Perret, L.: Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Des. Codes Crypt. 69(1), 1–52 (2013)
Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I. The user language. J. Symbolic Comput. 24(3–4), 235–265 (1997). http://dx.doi.org/10.1006/jsco.1996.0125, computational algebra and number theory (London, 1993)
Cartor, R., Gipson, R., Smith-Tone, D., Vates, J.: On the differential security of the HFEV- signature primitive. In: Takagi [27], pp. 162–181. http://dx.doi.org/10.1007/978-3-319-29360-8_11
Chen, M.S., Yang, B.Y., Smith-Tone, D.: PFLASH - secure asymmetric signatures on smart cards. In: Lightweight Cryptography Workshop 2015 (2015). http://csrc.nist.gov/groups/ST/lwc-workshop.2015/papers/session3-smith-tone-paper.pdf
Daniels, T., Smith-Tone, D.: Differential properties of the HFE cryptosystem. In: Mosca [20], pp. 59–75. http://dx.doi.org/10.1007/978-3-319-11659-4_4
Ding, J., Hodges, T.J.: Inverting HFE systems is quasi-polynomial for all fields. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 724–742. Springer, Heidelberg (2011). http://dx.doi.org/10.1007/978-3-642-22792-9_41
Ding, J., Petzoldt, A., Wang, L.: The cubic simple matrix encryption scheme. In: Mosca [20], pp. 76–87. http://dx.doi.org/10.1007/978-3-319-11659-4_5
Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). http://dx.doi.org/10.1007/11496137_12
Ding, J., Yang, B.Y.: Degree of regularity for HFEV and HFEV-. In: Gaborit [15], pp. 52–66. http://dx.doi.org/10.1007/978-3-642-38616-9
Dubois, V., Gama, N.: The degree of regularity of HFE systems. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 557–576. Springer, Heidelberg (2010). http://dx.doi.org/10.1007/978-3-642-17373-8_32
Faugère, J.C., El Din, M.S., Spaenlehauer, P.J.: Gröbner bases of bihomogeneous ideals generated by polynomials of bidegree (1,1): algorithms and complexity. J. Symbolic Comput. 46(4), 406–437 (2011)
Faugère, J.C., El Din, M.S., Spaenlehauer, P.J.: Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology. In: Proceedings of the 2010 International Symposium on Symbolic and Algebraic Computation, ISSAC 2010, pp. 257–264. ACM, New York (2010)
Faugère, J.-C., Gligoroski, D., Perret, L., Samardjiska, S., Thomae, E.: A polynomial-time key-recovery attack on MQQ cryptosystems. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 150–174. Springer, Heidelberg (2015). http://dx.doi.org/10.1007/978-3-662-46447-2_7
Gaborit, P. (ed.): PQCrypto 2013. LNCS, vol. 7932. Springer, Heidelberg (2013). http://dx.doi.org/10.1007/978-3-642-38616-9
Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). http://dx.doi.org/10.1007/3-540-48910-X_15
Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999). http://dx.doi.org/10.1007/3-540-48405-1_2
Moody, D., Perlner, R.A., Smith-Tone, D.: An asymptotically optimal structural attack on the ABC multivariate encryption scheme. In: Mosca [20], pp. 180–196. http://dx.doi.org/10.1007/978-3-319-11659-4_11
Moody, D., Perlner, R.A., Smith-Tone, D.: Key recovery attack on the cubic ABC simple matrix multivariate encryption scheme. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 289–308. Springer, Cham (2017)
Mosca, M. (ed.): PQCrypto 2014. LNCS, vol. 8772. Springer, Cham (2014). http://dx.doi.org/10.1007/978-3-319-11659-4
Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001). http://dx.doi.org/10.1007/3-540-45353-9_21
Perlner, R.A., Smith-Tone, D.: A classification of differential invariants for multivariate post-quantum cryptosystems. In: Gaborit [15], pp. 165–173. http://dx.doi.org/10.1007/978-3-642-38616-9
Perlner, R.A., Smith-Tone, D.: Security analysis and key modification for ZHFE. In: Takagi [27], pp. 197–212. http://dx.doi.org/10.1007/978-3-319-29360-8_13
Porras, J., Baena, J., Ding, J.: ZHFE, a new multivariate public key encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 229–245. Springer, Cham (2014). http://dx.doi.org/10.1007/978-3-319-11659-4_14
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999). (electronic)
Smith-Tone, D.: On the differential security of multivariate public key cryptosystems. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 130–142. Springer, Heidelberg (2011). http://dx.doi.org/10.1007/978-3-642-25405-5_9
Takagi, T. (ed.): PQCrypto 2016. LNCS, vol. 9606. Springer, Cham (2016). http://dx.doi.org/10.1007/978-3-319-29360-8
Tao, C., Diene, A., Tang, S., Ding, J.: Simple matrix scheme for encryption. In: Gaborit [15], pp. 231–242. http://dx.doi.org/10.1007/978-3-642-38616-9
Verbel, J.A.: Efficiency and security of ZHFE. Master’s thesis, Universidad Nacional de Colombia, Sede Medellín (2016)
Zhang, W., Tan, C.H.: On the security and key generation of the ZHFE encryption scheme. In: Ogawa, K., Yoshioka, K. (eds.) IWSEC 2016. LNCS, vol. 9836, pp. 289–304. Springer, Cham (2016). http://dx.doi.org/10.1007/978-3-319-44524-3_17
Acknowledgements
This work was partially supported by “Fondo Nacional de Financiamiento para la Ciencia, la Tecnología y la Innovación Francisco José de Caldas”, Colciencias (Colombia), Project No. 111865842333 and Contract No. 049-2015. We would like to thank Ludovic Perret and John B. Baena for useful discussions. We would also like to thank the reviewers of PQCrypto for some constructive reviews and suggestions.
A Appendix
A.1 Toy Example
We provide a small example of the MinRank attack for ZHFE with parameters \(n = 8\), \(q = 3\) and \(D = 9\). The small field is \(\mathbb{F} = \mathbb{F}_{q}\), the extension field is \(\mathbb{K} = \mathbb{F}[y]/\langle g(y)\rangle\), where \(g(y) = y^8 + 2y^5 + y^4 + 2y^2 + 2y + 2 \in \mathbb{F}[y]\), and \(b\) is a primitive root of the irreducible polynomial \(g(y)\).
For ease of presentation, we consider a homogeneous public key and linear transformations. An easy adaptation for the general case can be done following the ideas expressed in [2].
The matrices associated with our private key \(\left( (F,\tilde{F}),S,T\right) \) are
and \(\mathbf T = [\mathbf T _{1}|\mathbf T _{2}]\), where
This private key gives us a public key represented by the matrices \(\mathbf P _{1},\mathbf P _{2},\ldots ,\mathbf P _{2n}.\)
Recovering T: The first and harder of the two steps needed to recover an equivalent linear transformation \(T\) is to solve the MinRank problem associated with the public matrices \(\mathbf{P}_{1},\ldots,\mathbf{P}_{16}\) and rank bound \(r+1\), with \(r = \lceil \log_{q} D\rceil = 2\). Using the minors modeling, we construct a degree 4 polynomial system in \(2n\) variables. We can fix the first two coordinates of the vector \(\mathbf{u}' = (u'_{0}, u'_{1}, \ldots, u'_{7})\) to 1 and 0 respectively. A solution for this system is
Next we compute
and by solving the linear system
we get another solution
Once we have two solutions for the MinRank problem, we compute
with \(\mathbf{U}'' := [\mathbf{u}' \mid \cdots \mid \mathbf{u}'^{q^{n-1}} \mid \mathbf{v}' \mid \cdots \mid \mathbf{v}'^{q^{n-1}}]\), and invert the output matrix to obtain \(\mathbf{T}'' = [\mathbf{T}_{1}'' | \mathbf{T}_{2}'']\), with
Recovering S: To find \(\mathbf{W}'' := \mathbf{S}''\mathbf{M}_{n} = [\mathbf{w}'' \mid \mathbf{w}''^{q} \mid \cdots \mid \mathbf{w}''^{q^{n-1}}]\), we find its first column \(\mathbf{w}''\), which satisfies \(\text{Frob}_{j+1}(\mathbf{K}')\mathbf{w}'' = \mathbf{0}\) for \(j = n - r, \ldots, n-1\), that is, \(j+1 = 7, 8\).
By solving the overdetermined system
we obtain \(\mathbf w '' = (b^{929}, b^{2174}, b^{2323}, b^{4231}, b^{3677}, b^{6313}, b^{2372}, b^{3245})\). We then compute
and
Recovering Core Polynomials: To find our equivalent core polynomials \(H'\) and \(\tilde{H}'\) we calculate \(\mathbf{H}' = \mathbf{W}''^{-1}\left(\sum_{i=0}^{7} u'_{i}\,\mathbf{P}_{i+1}\right)\mathbf{W}''^{-\top}\) as well as \(\tilde{\mathbf{H}}' = \mathbf{W}''^{-1}\left(\sum_{i=0}^{7} v'_{i}\,\mathbf{P}_{i+1}\right)\mathbf{W}''^{-\top}\), and obtain
Recovering the Low Degree Polynomial: Once the core polynomials \(\mathbf{H}' = [h_{ij}]\) and \(\tilde{\mathbf{H}}' = [\tilde{h}_{ij}]\) are recovered, our target is to build the low degree polynomial \(\varPsi''\), which is what the attacker needs in order to be able to decrypt. To do so, we solve the following overdetermined systems
and we obtain the solutions \([x_{0}, x_{1}]^{\top} = [b^{1418}, b^{222}]^{\top}\) and \([y_{0}, y_{1}]^{\top} = [b^{2162}, b^{2279}]^{\top}\). Then we compute \(b^{1418}\mathbf{H}' + b^{222}\tilde{\mathbf{H}}'\) and \(b^{2162}\mathbf{H}' + b^{2279}\tilde{\mathbf{H}}'\), obtaining respectively
Finally, we form the system
and we get a solution \([z_{0}, z_{1}]^{\top} = [b^{1024}, b^{5597}]^{\top}\), which we use to compute our low degree polynomial,
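To make the toy field concrete, here is an added example (not from the paper) implementing arithmetic in \(\mathbb{K} = \mathbb{F}_{3}[y]/\langle g(y)\rangle\) with the \(g(y)\) stated above, checking that \(b\) is primitive (which also certifies that \(g\) is irreducible), and materialising the recovered vector \(\mathbf{w}''\) from its \(b\)-exponents. It assumes only the parameters given on this page and that \(b\) is the class of \(y\) in \(\mathbb{K}\).

```python
# Added example (not from the paper): arithmetic in the toy field of Appendix A.1,
# K = F_3[y]/<g(y)>, g(y) = y^8 + 2y^5 + y^4 + 2y^2 + 2y + 2, with b = y (assumed).
Q, N = 3, 8
ORDER = Q**N - 1                     # |K*| = 6560 = 2^5 * 5 * 41
G = [2, 2, 2, 0, 1, 2, 0, 0, 1]      # coefficients of g, constant term first
ONE = [1] + [0] * (N - 1)
B = [0, 1] + [0] * (N - 2)           # the element b = y
W_EXPS = [929, 2174, 2323, 4231, 3677, 6313, 2372, 3245]  # w'' from the appendix

def mul(a, b):
    """Multiply two elements of K (lists of N coefficients in F_3) and reduce mod g."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % Q
    # g is monic, so y^d = -(G[0]*y^(d-8) + ... + G[7]*y^(d-1)) for d >= 8
    for d in range(2 * N - 2, N - 1, -1):
        c, prod[d] = prod[d], 0
        for k in range(N):
            prod[d - N + k] = (prod[d - N + k] - c * G[k]) % Q
    return prod[:N]

def power(a, e):
    """Square-and-multiply in K; power(a, Q**j) is Frob_j(a) in the paper's notation."""
    result, base = ONE, a
    while e:
        if e & 1:
            result = mul(result, base)
        base, e = mul(base, base), e >> 1
    return result

def is_primitive(a):
    """True iff a generates K*; an element of order q^n - 1 exists only in a field,
    so True also certifies that g is irreducible."""
    if power(a, ORDER) != ONE:
        return False
    return all(power(a, ORDER // p) != ONE for p in (2, 5, 41))

def log_b(x):
    """Discrete log base b by exhaustive search (cheap for |K*| = 6560)."""
    cur = ONE
    for k in range(ORDER):
        if cur == x:
            return k
        cur = mul(cur, B)
    raise ValueError("element not in <b>")

def w_double_prime():
    """Materialise the recovered w'' = (b^929, ..., b^3245) as F_3 coefficient vectors."""
    return [power(B, k) for k in W_EXPS]
```

With this, every \(b^{k}\) appearing in the appendix can be written out as a vector over \(\mathbb{F}_{3}\), and `log_b` maps such a vector back to its exponent.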
A.2 Low Rank Matrix Forms
© 2017 Springer International Publishing AG
Cabarcas, D., Smith-Tone, D., Verbel, J.A. (2017). Key Recovery Attack for ZHFE. In: Lange, T., Takagi, T. (eds.) Post-Quantum Cryptography. PQCrypto 2017. Lecture Notes in Computer Science, vol. 10346. Springer, Cham. https://doi.org/10.1007/978-3-319-59879-6_17
DOI: https://doi.org/10.1007/978-3-319-59879-6_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59878-9
Online ISBN: 978-3-319-59879-6