Multivariate Cryptography

Part 1: Basics

Albrecht Petzoldt

PQCrypto Summer School 2017

Eindhoven, Netherlands
Tuesday, 20.06.2017

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 1 / 24

Multivariate Cryptography [DS06]
MPKC: Multivariate Public Key Cryptosystem
Public Key: System of nonlinear multivariate polynomials
n X
n n
X (1) X (1) (1)
p (1) (x1 , . . . , xn ) = pij · xi xj + pi · xi + p0
i=1 j=i i=1
n X n n
X (2) X (2) (2)
p (2) (x1 , . . . , xn ) = pij · xi xj + pi · xi + p0
i=1 j=i i=1
..
.
n X
n n
X (m) X (m) (m)
p (m) (x1 , . . . , xn ) = pij · xi xj + pi · xi + p0
i=1 j=i i=1

d := degree of the polynomials in the system

m := # equations
n := # variables

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 2 / 24

Public Key Size

size public key = m · T field elements

with T = # monomials of degree ≤ d.
!
n+d −1
# monomials of degree d =
d
!
n+d
# monomials of degree ≤ d =
d
!
n+d m≈n
⇒ size public key =m· ∼ O(nd+1 )
d
⇒ For d ≥ 2 the public key size gets very big
⇒ Most MPKCs use for efficiency reasons d = 2.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 3 / 24

Security

The security of multivariate schemes is based on the

Problem MQ: Given m multivariate quadratic polynomials

p (1) (x), . . . , p (m) (x), find a vector x̄ = (x̄1 , . . . , x̄n ) such that
p (1) (x̄) = . . . = p (m) (x̄) = 0.
proven to be NP hard [GJ78]
believed to be hard on average (both for classical and quantum
conputers) [BB08]
also known as the PoSSo Problem (especially for d > 2)

However: no direct reduction

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 4 / 24

Construction

Easily invertible quadratic map F : Fn → Fm

Two invertible linear maps S : Fm → Fm and T : Fn → Fn
Public key: P = S ◦ F ◦ T supposed to look like a random system
Private key: S, F, T allows to invert the public key

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 5 / 24

Isomorphism of Polynomials

Definition
Two polynomial systems G : Fn → Fm and H : Fn → Fm are called
isomorphic

⇔ ∃linear (affine) maps L1 and L2 s.t. H = L1 ◦ G ◦ L2 .

⇒ The central map F and the public key P of an MPKC are isomorphic.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 6 / 24

Isomorphism of Polynomials (2)

Due to their construction, the security of MPKCs is also based on the

Problem EIP (Extended Isomorphism of Polynomials): Given the public

key P of a multivariate public key cryptosystem, find affine maps S̄ and T̄
as well as an easily invertible quadratic map F̄ such that P = S̄ ◦ F̄ ◦ T̄ .

⇒ Hardness of the problem depends heavily on the structure of the central

map
⇒ In general, not much is known about the complexity
⇒ Security analysis of multivariate schemes is a hard task

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 7 / 24

Encryption Schemes (m ≥ n)
Encryption: Given message z ∈ Fn , compute the ciphertext w ∈ Fm by
w = P(z).

Decryption: Given ciphertext w ∈ Fm , compute recursively

x = S −1 (w) ∈ Fm , y = F −1 (x) ∈ Fn and z = T −1 (y).
The condition (m ≥ n) guarantees that F is more or less injective, i.e. we
do not get too many possible plaintexts.

Important Schemes
PMI+, IPHFE+
ZHFE ( → this conference)
Simple Matrix (→ this conference)

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 8 / 24

Signature Schemes (m ≤ n)
Signature Generation: Given message d, use a hash function
H : {0, 1}? → Fm to compute w = H(d) ∈ Fm . Compute recursively
x = S −1 (w) ∈ Fm , y = F −1 (x) ∈ Fn and z = T −1 (y). The signature of
the message d is z ∈ Fn .
The condition (m ≤ n) is needed for the surjectivity of the map F, i.e.
every message has a signature.

Signature Verification: To check the authenticity of a signature z ∈ Fn

for a message d, compute w ∈ H(d) ∈ Fm and w0 = P(z) ∈ Fm . If
w0 = w holds, the signature is accepted, otherwise rejected.

Important Schemes
UOV, Rainbow
HFEv-, Gui
MQDSS
pFLASH ( → this conference), TTS
A. Petzoldt Multivariate Cryptography PQCrypto Summer School 9 / 24
Signature Schemes (m ≤ n)
Signature Generation: Given message d, use a hash function
H : {0, 1}? → Fm to compute w = H(d) ∈ Fm . Compute recursively
x = S −1 (w) ∈ Fm , y = F −1 (x) ∈ Fn and z = T −1 (y). The signature of
the message d is z ∈ Fn .
The condition (m ≤ n) is needed for the surjectivity of the map F, i.e.
every message has a signature.

Signature Verification: To check the authenticity of a signature z ∈ Fn

for a message d, compute w ∈ H(d) ∈ Fm and w0 = P(z) ∈ Fm . If
w0 = w holds, the signature is accepted, otherwise rejected.

Important Schemes
UOV, Rainbow
HFEv-, Gui
MQDSS
pFLASH (→ this conference), TTS
A. Petzoldt Multivariate Cryptography PQCrypto Summer School 10 / 24
Workflow

Decryption / Signature Generation

S −1- F −1- T −1-
w ∈ Fm x ∈ Fm y ∈ Fn z ∈ Fn
6

Encryption / Signature Verification

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 11 / 24

Attacks

Direct Attacks: Try to solve the public equation P(z) = w as an instance

of the MQ-Problem

all algorithms have exponential running time (for m ≈ n)

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 12 / 24

XL -Algorithm
Given: nonlinear polynomials f1 , . . . , fm
1 eXtend multiply each polynomial f1 , . . . , fm by every monomial of
degree ≤ D
2 Linear Algebra Step: Apply Gaussian Elimination on the extended
system to generate a univariate polynomial p
3 Solve: Use Berlekamps algorithm to solve the polynomial p.
4 Repeat: Substitute the solution of p into the system and continue
with the simplified system.
many variations, e.g. FXL, MutantXL

!2 !
n + dreg n
Complexity = 3 · ·
dreg 2

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 13 / 24

Gröbner Bases Algorithms

find a “nice” basis of the ideal hf1 , . . . , fm i

first studied by B. Buchberger
later improved by Faugère et al. (F4 , F5 ) [Fa99]
currently fastest algorithms to solve random systems (Hybrid F5
[BFP09])
!ω !
k n − k + dreg − 1
Complexity(q, m, n) = mink q ·O m·
dreg
with 2 < ω ≤ 3.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 14 / 24

Complexity of Direct Attacks

How many equations are needed to meet given levels of security?

security number of equations

level (bit) GF(16) GF(31) GF(256)
80 30 28 26
100 39 36 33
128 51 48 43
192 80 75 68
256 110 103 93

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 15 / 24

Remark

Every cryptosystem can be represented as a set of nonlinear multivariate

equations

⇒ Direct attacks are used in the cryptanalysis of many cryptographic

schemes (in particular block and stream ciphers)

⇒ The MQ (or PoSSo) Problem can be seen as one of the central

problems in cryptography

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 16 / 24

Structural Attacks

Try to decompose the public key P into P = S ◦ F ◦ T by using the

known structure of the central map F

MinRank attack [CSV94]: For many multivariate schemes (certain)

central equations have low rank
⇒ look for a linear combination of the public key polynomials of low rank
⇒ this linear combination corresponds to a central equation
⇒ this linear combination yields (parts) of an equivalent affine map S
⇒ further analysis: recover equivalent maps S, F and T

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 17 / 24

MinRank Attack

Problem MinRank: Given m n × n matrices G1 , . . . , Gm , find a linear

combination
m
X
H= λi Gi
i=1

such that Rank(H) ≤ r .

!ω
n+r
Complexity(MinorsModelling) = O
r
with 2 < ω ≤ 3.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 18 / 24

Other Attacks

HighRank Attack: Try to recover the linear transformation of the

variables appearing the lowest time in the central equations. This
yields information about the affine transformation T and therefore
the private key.
Differential Attacks: Look for invariants or symmetries of the
differential

G(x , y ) = P(x + y ) − P(x ) − P(y ) + P(0)

These symmetries yield information about the private key.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 19 / 24

Advantages

resistant against attacks with quantum computers

very fast (much faster than RSA)
only simple arithmetic operations required
⇒ can be implemented on low cost devices
⇒ suitable for security solutions for the IoT
many practical signature schemes (UOV, Rainbow, HFEv-, . . . )
very short signatures (e.g. 120 bit signatures for 80 bit security)

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 20 / 24

Disadvantages

large key sizes (public key size ∼ 10 − 100 kB)

no security proofs
But: Practical Security (attack complexities) follows closely
theoretical estimations
mainly restricted to digital signatures (and public key encryption)

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 21 / 24

Lessons Learned

Multivariate Cryptography
deals with systems of nonlinear (usually quadratic) multivariate
polynomials
one of the main candidates for post-quantum cryptosystems
very efficient signature schemes (e.g. Rainbow, HFEv-) with short
signatures
not so good for encryption schemes
large public key sizes, no security proofs
But: Theoretical Security estimates match very well with
experimental data

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 22 / 24

References

BB08 D.J. Bernstein, J. Buchmann, E. Dahmen (eds.): Post

Quantum Cryptography. Springer, 2009.
DG06 J. Ding, J. E. Gower, D. S. Schmidt: Multivariate Public Key
Cryptosystems. Springer, 2006.
GJ79 M. R. Garey and D. S. Johnson: Computers and
Intractability: A Guide to the Theory of NP-Completeness.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 23 / 24

References (2)

BF09 L. Bettale, L.C Faugère, L. Perret: Hybrid approach for

solving multivariate systems over finite fields. Journal of
Mathematical Cryptology 3, pp. 177-197 (2009).
Fa99 J.C. Faugère: A new efficient algorithm for computing
Gröbner bases (F4). Journal of Pure and Applied Algebra
139, pp. 61-88 (1999).
CS94 D. Coppersmith, J. Stern, S. Vaudenay: Attacks on the
Birational Signature Scheme. CRYPTO 1994, LNCS vol.
773, pp. 435 - 443. Springer, 1994.

A. Petzoldt Multivariate Cryptography PQCrypto Summer School 24 / 24