Hybrid Approach : a Tool for Multivariate Cryptography

Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale1

Jean-Charles Faugère

Ludovic Perret

LIP6 - SALSA UPMC, CNRS, INRIA Paris-Rocquencourt

Workshop on Tools for Cryptanalysis 2010 Royal Holloway University of London June 2010

1 Luk Bettale

author partially supported by DGA/MRIS (french secretary of defense) 1/25

Introduction Algebraic Cryptanalysis General analysis (such as linear, differential) Modeling Solving (or estimate difficulty)

Luk Bettale

Introduction

2/25

Introduction Algebraic Cryptanalysis General analysis (such as linear, differential) Modeling Solving (or estimate difficulty)

Luk Bettale

Introduction

2/25

Introduction Algebraic Cryptanalysis General analysis (such as linear, differential) Modeling Solving (or estimate difficulty)

Setting parameters of multivariate cryptosystems. Luk Bettale

Introduction

2/25

Multivariate cryptography

Properties The public key is a quadratic system Very efficient (hardware) Resist quantum computers. Examples C∗ , HFE UOV, SFLASH ...

Luk Bettale

Introduction

3/25

Multivariate signature Secret key F: Fn+r → Fnq Easy to invert q (x1 , . . . , xn+r ) → (f1 (x1 , . . . , xn+r ), . . . , fn (x1 , . . . , xn+r )) S, T ∈ GLn+r (Fq ) × GLn (Fq ) Public key G: Fn+r → Fnq q (x1 , . . . , xn+r ) → (g1 (x1 , . . . , xn ), . . . , gn (x1 , . . . , xn )) G = T ◦ F ◦ S = F(x · S) · T . VerifyG (s, m): Evaluate G (s) = m Luk Bettale

Introduction

4/25

Attacks on multivariate signature schemes Signature forgery attack Given a message m = (m1 , . . . , mn ), find a signature (s1 , . . . , sn+r ) such that G (x) = m.

Luk Bettale

Introduction

5/25

Attacks on multivariate signature schemes Signature forgery attack Given a message m = (m1 , . . . , mn ), find a signature (s1 , . . . , sn+r ) such that G (x) = m. Solve the system    g1 (x1 , . . . , xn+r ) − m1 = 0 .. .  

gn (x1 , . . . , xn+r ) − mn = 0

Luk Bettale

Introduction

5/25

Attacks on multivariate signature schemes Signature forgery attack Given a message m = (m1 , . . . , mn ), find a signature (s1 , . . . , sn+r ) such that G (x) = m. Solve the system    g1 (x1 , . . . , xn , y1 , . . . , yr ) − m1 = 0 .. .  

gn (x1 , . . . , xn , y1 , . . . , yr ) − mn = 0

Luk Bettale

Introduction

5/25

Attacks on multivariate signature schemes Signature forgery attack Given a message m = (m1 , . . . , mn ), find a signature (s1 , . . . , sn+r ) such that G (x) = m. Solve the system  0   g1 (x1 , . . . , xn ) − m1 = 0 .. .  

gn0 (x1 , . . . , xn ) − mn = 0

An Braeken, Bart Preneel, and Christopher Wolf. A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes. CT-RSA 05.

Luk Bettale

Introduction

5/25

Attacks on multivariate signature schemes Signature forgery attack Given a message m = (m1 , . . . , mn ), find a signature (s1 , . . . , sn+r ) such that G (x) = m. Solve the system  0   g1 (x1 , . . . , xn ) − m1 = 0 .. .  

gn0 (x1 , . . . , xn ) − mn = 0

An Braeken, Bart Preneel, and Christopher Wolf. A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes. CT-RSA 05. Lih-Chung Wang, Yuh-Hua Hu, Feipei Lai, Chun-Yen Chou, and Bo-Yin Yang. Tractable Rational Map Signature. PKC 05. TRMS: q = 28 , n = 20. Luk Bettale

Introduction

5/25

Polynomial System Solving

Given f1 (x1 , . . . , xn ), . . . , fm (x1 , . . . , xn ) of Fq [x1 , . . . , xn ], does there exist z1 , . . . , zn ∈ Fnq such that:    f1 (z1 , . . . , zn ) = 0  

.. . fm (z1 , . . . , zn ) = 0

Luk Bettale

Introduction

6/25

Polynomial System Solving

Given f1 (x1 , . . . , xn ), . . . , fm (x1 , . . . , xn ) of Fq [x1 , . . . , xn ], does there exist z1 , . . . , zn ∈ Fnq such that:    f1 (z1 , . . . , zn ) = 0  

.. . fm (z1 , . . . , zn ) = 0 Polynomial System Solving is NP-hard Hard in practice for generic polynomials.

Luk Bettale

Introduction

6/25

Known methods

Exhaustive search Gröbner bases with/without field equations ...

Luk Bettale

Introduction

7/25

Known methods

Exhaustive search Gröbner bases with/without field equations ...

Luk Bettale

Introduction

7/25

Gröbner bases algorithms Algorithms Buchberger : the historical algorithm F4 : linear algebra on matrices F5 : no useless computations for semi-regular systems GB : O



m·

with 2 6 ω 6 3,

n+dreg −1

ω dreg



,

FGLM : O (n · Dw ) ,

D the number of solutions in K.

Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases (F4 ). Journal of Pure and Applied Algebra 139, June 1999. Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5 ). ISSAC 2002, July 2002.

Luk Bettale

Introduction

8/25

Semi-regular systems

Semi-regular systems g · fi ∈ hf1 , . . . , fi−1 i ⇒ g ∈ hf1 , . . . , fi−1 i if deg(g · fi ) 6 dreg . random system ⇒ semi-reg. The degree of regularity (dreg ) can be known a priori The more equations we have, the more dreg decrease (e.g. for quadratic systems) m = n → dreg = n + 1

m = n + 1 → dreg = d n+1 2 e

Magali Bardet, Jean-Charles Faugère, Bruno Salvy and Bo-Yin Yang. Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems. MEGA 2005.

Luk Bettale

Introduction

9/25

Solving a system fi ∈ Fq [x1 , . . . , xn ] for 1 6 i 6 n    f1 (x1 , . . . , xn ) = 0  

.. . fn (x1 , . . . , xn ) = 0

Luk Bettale

Hybrid approach

10/25

Solving a system fi ∈ Fq [x1 , . . . , xn ] for 1 6 i 6 n    f1 (x1 , . . . , xn ) = 0  

.. . fn (x1 , . . . , xn ) = 0

Specificity (m = n) Square systems ⇒ dn solutions in the algebraic closure Fq is finite and rather big (no field equations). Hypotheses Regular system ⇒ dreg = n(d − 1) + 1 Semi-regular sub-systems.

Luk Bettale

Hybrid approach

10/25

Solving a system – Hybrid approach Solution We specialize k variables of the system (exhaustive search) ⇒ the system becomes over-defined + The degree of regularity decreases + The number of solutions is 0 or 1 – We have to compute q k Gröbner bases.

Luk Bettale, Jean-Charles Faugère and Ludovic Perret. Hybrid approach for solving multivariate systems over finite fields. In Journal of Mathematical Cryptology, Volume 3, issue 3. Sep 2009.

Luk Bettale

Hybrid approach

11/25

Solving a system – Hybrid approach Solution We specialize k variables of the system (exhaustive search) ⇒ the system becomes over-defined + The degree of regularity decreases + The number of solutions is 0 or 1 – We have to compute q k Gröbner bases.

Luk Bettale, Jean-Charles Faugère and Ludovic Perret. Hybrid approach for solving multivariate systems over finite fields. In Journal of Mathematical Cryptology, Volume 3, issue 3. Sep 2009.

A tradeoff between exhaustive search and Gröbner bases computation.

Luk Bettale

Hybrid approach

11/25

Complexity analysis Proposition Let Fq be a finite field and {f1 , . . . , fn } ⊂ Fq [x1 , . . . , xn ] be a semi-regular system of equations of degree d. 



 



O  min   06k6n  | {z }

qk |{z}

exh. search

tradeoff

    dreg (n−k,n,d)
ω ω  +n · D n · n−k−1+ , dreg (n−k,n,d) | {z } {z } FGLM  | GB

where 2 6 ω 6 3. dreg (n, m, d) is the dreg of a semi-regular system of m equations of degree d in n variables.

Luk Bettale

Hybrid approach

12/25

Complexity analysis Proposition Let Fq be a finite field and {f1 , . . . , fn } ⊂ Fq [x1 , . . . , xn ] be a semi-regular system of equations of degree d. 



 



O  min   06k6n  | {z }

qk |{z}

exh. search

tradeoff

    dreg (n−k,n,d)
ω ω  +n · D n · n−k−1+ , dreg (n−k,n,d) | {z } {z } FGLM  | GB

where 2 6 ω 6 3. dreg (n, m, d) is the dreg of a semi-regular system of m equations of degree d in n variables. The degree of regularity can be computed exactly. Luk Bettale

Hybrid approach

12/25

Complexity analysis Proposition Let Fq be a finite field and {f1 , . . . , fn } ⊂ Fq [x1 , . . . , xn ] be a semi-regular system of equations of degree d. 



 



O  min   16k6n  | {z }

qk |{z}

exh. search

    dreg (n−k,n,d)
ω   n · n−k−1+  , dreg (n−k,n,d) {z }  | GB

tradeoff

where 2 6 ω 6 3. dreg (n, m, d) is the dreg of a semi-regular system of m equations of degree d in n variables. The degree of regularity can be computed exactly. Luk Bettale

Hybrid approach

12/25

Asymptotic analysis (d = 2) Approximation of dreg (n − k, n, 2) dreg ∼

n+k √ − nk + O((n − k)1/3 ) 2

when n → ∞. Magali Bardet Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. Ph.D. thesis, Université de Paris VI, 2004.

Approximation of the complexity √

CHyb = O

q

k



n √ 2π

ω

3n−k 2

−1−

(n − k − 1)(n−k−1/2)

√ (3n−k−1)/2− nk nk




n+k 2

−

√

nk

!ω !


(n+k+1)/2−√nk

when n → ∞. Luk Bettale

Hybrid approach

13/25

Borderline case (d = 2) Classical approach

Hybrid approach with k = 1

(dreg = n + 1)

e) (dreg = d n+1 2

O



n·

  2n
ω n−1

 

O q n·

  3(n−1)/2
ω n−2

Best tradeoff > 0 log2 (q) ≤ 0.6226 · ω · n + O(log2 (n)) when n → ∞.

Luk Bettale

Hybrid approach

14/25

Borderline case (d = 2) Classical approach

Hybrid approach with k = 1

(dreg = n + 1)

e) (dreg = d n+1 2

O



n·

  2n
ω n−1

 

O q n·

  3(n−1)/2
ω n−2

Best tradeoff > 0 log2 (q) ≤ 0.6226 · ω · n + O(log2 (n)) when n → ∞.

Luk Bettale

Hybrid approach

14/25

Finding the best tradeoff (d = 2)

Find the best tradeoff by solving

∂ log(CHyb ) = 0. ∂k

 log (q) + ω log (n − k − 1) + 



√

1 2(n − k − 1)







3n − k 1 − 1 − nk +  √  3n−k 2 2 − 1 − nk 2     p n+k √ ω 1 − (1 − n/k) log − nk +  √   = 0. n+k 2 2 2 − nk

ω − (1 + 2

p

n/k) log

2

Luk Bettale

Hybrid approach

15/25

Finding the best tradeoff (d = 2)

∂ log(CHyb ) = 0. ∂k

Find the best tradeoff by solving

k≈

n c2

8 q (c − 1)3 c−3 e−3/2 c ln((3 c+1)(c−1)) (c − 1)3 (c + 1)3 − ((3 c + 1) (c − 1))3/2 = 0 q

2

16

256

65521

232

264

280

c2

1.23

3.07

9.15

37.13

160.37

678.32

1073.1

Luk Bettale

Hybrid approach

15/25

Comparison

Luk Bettale

Hybrid approach

16/25

Comparison

Luk Bettale

Hybrid approach

16/25

Comparison

Luk Bettale

Hybrid approach

16/25

Overall

Luk Bettale

Hybrid approach

17/25

Overall

Luk Bettale

Hybrid approach

17/25

Algorithm

Input: K is finite, {f1 , . . . , fm } ⊂ K[x1 , . . . , xn ] is zero-dimensional, k ∈ N. Output: S = {(z1 , . . . , zn ) ∈ Kn : fi (z1 , . . . , zn ) = 0, 1 ≤ i ≤ m}. S := ∅ for all (v1 , . . . , vk ) ∈ Kk do 0 (n−k) of Find  the set of solutions S ⊂ K f (x , . . . , x , v , . . . , v ) = 0  n−k 1 k  1 1 .. .  

fm (x1 , . . . , xn−k , v1 , . . . , vk ) = 0 using the zero-dim solving strategy. 0 0 S := S ∪ {(z10 , . . . , zn−k , v1 , . . . , vk ) : (z10 , . . . , zn−k ) ∈ S 0 }. end for return S.

Luk Bettale

Hybrid approach

18/25

Algorithm (magma)

function HybridSolving(F,k) R := Universe(F); K := BaseRing(R); n := Rank(R); Rp := PolynomialRing(K,n-k); Kev := VectorSpace(K,k); S := [ ]; for e in Kev do v := Eltseq(e); fp := [ Evaluate(f,x cat v) : f in F ]; Sp := VarietySequence(Ideal(fp)); S cat:= [ s cat v : s in Sp ]; end for; return S; end function;

http://www-salsa.lip6.fr/~bettale/hybrid.html

Luk Bettale

Hybrid approach

19/25

TRMS: Experimental results

q

28

n

20

k

TF5

mem. (MB)

NopF5

Nop

1

-

-

-

257

2

51h

41940

241

3

2h45

4402

237

261

4

626s

912

234

266

Practical tradeoff : k = 2. Broken in < 51h on 216 proc. Luk Bettale, Jean-Charles Faugère, and Ludovic Perret. Cryptanalysis of the TRMS Signature Scheme of PKC’05. AFRICACRYPT 2008.

Luk Bettale

Hybrid approach

20/25

Analysis of several multivariate schemes

expected security

Gröbner basis

mem.

(k = 0)

hybrid approach 237 (k = 1)

2 MB

266 (k = 1)

139 GB

enTTS

267 (k = 2)

12 GB

Rainbow

278 (k = 1)

10 TB

279 (k = 2)

816 GB

n UOV30 UOV60

q

10

28

280

241

20

28

2160

282

24

28

2192

298

amTTS

Andrey Bogdanov, Thomas Eisenbarth, Andy Rupp, and Christopher Wolf. Time-Area Optimized Public-Key Engines: MQ-Cryptosystems as Replacement for Elliptic Curves? CHES ’08: Proceedings of the 10th international workshop on Cryptographic Hardware and Embedded Systems.

Luk Bettale

Hybrid approach

21/25

Analysis of several multivariate schemes

expected security

Gröbner basis

mem.

(k = 0)

hybrid approach 237 (k = 1)

2 MB

266 (k = 1)

139 GB

enTTS

267 (k = 2)

12 GB

Rainbow

278 (k = 1)

10 TB

279 (k = 2)

816 GB

n UOV30 UOV60

q

10

28

280

241

20

28

2160

282

24

28

2192

298

amTTS

Andrey Bogdanov, Thomas Eisenbarth, Andy Rupp, and Christopher Wolf. Time-Area Optimized Public-Key Engines: MQ-Cryptosystems as Replacement for Elliptic Curves? CHES ’08: Proceedings of the 10th international workshop on Cryptographic Hardware and Embedded Systems.

Luk Bettale

Hybrid approach

21/25

Block hybrid approach: Motivations

High degree polynomials Semaev polynomials Solving DLP on curves

Pierrick Gaudry. Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. Journal of Symbolic Computation 2009.

Luk Bettale

Hybrid approach

22/25

Previous approaches Field equations hf1 (x1 , . . . , xn ), . . . , fm (x1 , . . . , xn ), xq1 − x1 , . . . , xqn − xn i xq − x =

d Y

(x − e1,i ) . . .

i=1

d Y

(x − el,i )

i=1

Hybrid approach I = hf1 (x1 , . . . , xn−k , v1 , . . . , vk ), . . . , fm (x1 , . . . , xn−k , v1 , . . . , vk )i J = hf1 (x1 , . . . , xn ), . . . , fm (x1 , . . . , xn ), xn−k+1 − v1 , . . . , xn − vk i I = J ∩ K[x1 , . . . , xn−k ]

Luk Bettale

Hybrid approach

23/25

Block hybrid approach

Principle

hf1 (x1 , . . . , xn ), . . . , fm (x1 , . . . , xn ),

d Y

(x1 − e1,i ), . . . ,

i=1 q
k d

We have to compute

d Y

(xk − ek,i )i

i=1

Gröbner bases.

Complexity  O  min

06k6n



l q mk d

  · CF5 n, d1 , . . . , dm , d, . . . , d  | {z } k

Luk Bettale

Hybrid approach

24/25

Conclusion

Applications in cryptography A general tool for solving random systems over finite field Reevaluate parameters of multivariate cryptosystems Block hybrid approach for high degree equations Implementation in MAGMA. http://www-salsa.lip6.fr/~bettale/hybrid.html

Luk Bettale

Conclusion

25/25