Transcript
Page 1: Some new aspects concerning the  Analysis of HFE type Cryptosystems

Ruhr University Bochum

Faculty of Mathematics, Information-Security and Cryptology

Some new aspects concerning the Analysis of HFE type Cryptosystems

Magnus Daum, Patrick Felke

Page 2: Some new aspects concerning the  Analysis of HFE type Cryptosystems


06.06.2002 Some new aspects concerning the Analysis of HFE type Cryptosystems

Overview

• What is HFE?

• Some Experimental Results on Attacking HFE with Buchberger Algorithm

• An improved Algorithm for Separating Branches

Page 3: Some new aspects concerning the  Analysis of HFE type Cryptosystems

What is HFE?

Page 4: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Basic HFE

[Diagram labels: Secret Key, Public Key, Trapdoor, one-way trapdoor function]

Page 5: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Basic HFE: Example

Page 6: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Basic HFE: Example

Page 7: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Basic HFE: Example

Encryption

Page 8: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Basic HFE: Example

Decryption

Page 9: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Basic HFE: Example

Signing / Verifying

Page 10: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Parameters of HFE

• n: number of unknowns and equations

• q: size of smaller finite field K

• d: degree of hidden polynomial
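
A toy instance of the Basic HFE construction outlined on the preceding slides, as an added example that is not from the talk: q=2, n=3, a hidden polynomial of degree d=5 over GF(8), and secret affine maps S and T. The field modulus, coefficients and matrices are constructed values, far too small to be secure, and roots are found by exhaustive search, which only works at this size.

```python
# Toy Basic HFE: K = GF(2), n = 3, L = GF(8). All values below are constructed.
N = 3
MOD = 0b1011                       # t^3 + t + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply in GF(2^N): carry-less product reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r

# Hidden polynomial P(X) = X^5 + 3X^3 + 6X^2 + X, so d = 5. Every exponent is
# 2^i or 2^i + 2^j, which is what makes the public polynomials quadratic over K.
HIDDEN = {5: 1, 3: 3, 2: 6, 1: 1}  # exponent -> coefficient in GF(8)

def hidden(x):
    y = 0
    for e, c in HIDDEN.items():
        term = c
        for _ in range(e):         # term = c * x^e
            term = gf_mul(term, x)
        y ^= term
    return y

def affine(rows, const):
    """Value table of x -> M*x + const on GF(2)^N; rows of M are bitmasks."""
    return [sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows)) ^ const
            for x in range(1 << N)]

S = affine([0b011, 0b110, 0b100], 0b101)           # secret, invertible
T = affine([0b101, 0b010, 0b011], 0b010)           # secret, invertible
PUBLIC = [T[hidden(S[x])] for x in range(1 << N)]  # public map as a value table

def encrypt(x):
    return PUBLIC[x]

def decrypt(y):
    """Trapdoor: undo T, find all roots of P(X) = Y in GF(8), undo S."""
    big_y = T.index(y)
    return sorted(S.index(r) for r in range(1 << N) if hidden(r) == big_y)

def public_degree():
    """Largest degree among the public polynomials (Moebius transform per output bit)."""
    deg = 0
    for bit in range(N):
        c = [(v >> bit) & 1 for v in PUBLIC]
        for i in range(N):
            for m in range(1 << N):
                if m >> i & 1:
                    c[m] ^= c[m ^ (1 << i)]
        deg = max([deg] + [bin(m).count("1") for m in range(1 << N) if c[m]])
    return deg
```

decrypt can return several candidates because this hidden polynomial is not injective (three inputs share one image), which is why an HFE plaintext carries redundancy to pick the right one.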

Page 11: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Overview

• What is HFE?

• Some Experimental Results on Attacking HFE with Buchberger Algorithm

  – General Approach with Buchberger Algorithm

  – Why HFE systems are special

  – Simulations

  – Perturbations

• An improved Algorithm for Separating Branches

Page 12: Some new aspects concerning the  Analysis of HFE type Cryptosystems

General Approach

Page 13: Some new aspects concerning the  Analysis of HFE type Cryptosystems


General Approach: Example

Signing / Decryption

Page 14: Some new aspects concerning the  Analysis of HFE type Cryptosystems


General Approach: Example

Buchberger Algorithm

Page 15: Some new aspects concerning the  Analysis of HFE type Cryptosystems


General Approach: Problems

• degree of output polynomials may get very big

• Buchberger algorithm has exponential worst case complexity

• compute all solutions in algebraic closure

• …

in general only feasible for very few unknowns

Page 16: Some new aspects concerning the  Analysis of HFE type Cryptosystems

HFE Systems are Special

Page 17: Some new aspects concerning the  Analysis of HFE type Cryptosystems


HFE Systems are Special

• defined over a very small finite field

• include only quadratic polynomials

• need only solutions in the base field Fq

• hidden polynomial of low degree

Page 18: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Solutions in the Base Field

solutions we are looking for fulfil

Proposition:

Page 19: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Solutions in the Base Field

[Diagram labels: Buchberger Algorithm, Buchberger Algorithm]

Advantages:

• we compute only information we need

• degree of polynomials involved in this computation is bounded

Page 20: Some new aspects concerning the  Analysis of HFE type Cryptosystems


HFE Systems are Special

• defined over a very small finite field

• include only quadratic polynomials

• need only solutions in the base field Fq

• hidden polynomial of low degree

Page 21: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Hidden Polynomial

• Attack on C* (Patarin / Dobbertin):

  – For C*-systems there are many linear relations between the public polynomials.

• Courtois:

  – For general HFE there are also some relations, but they are more complex.

  – lower degree d → more relations

• One main idea of Buchberger Algorithm can be described as making use of relations between the input polynomials in a sophisticated way

Page 22: Some new aspects concerning the  Analysis of HFE type Cryptosystems


HFE Systems are Special

• defined over a very small finite field

• include only quadratic polynomials

• need only solutions in the base field Fq

• hidden polynomial of low degree

Page 23: Some new aspects concerning the  Analysis of HFE type Cryptosystems

Simulations

Page 24: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Simulations

• in each simulation:

  – generate system of quadratic equations (HFE or random)

  – add polynomials

  – solve by applying Buchberger Algorithm (with FGLM)

• about 100.000 simulations in SINGULAR

• parameters: mostly

• HFE systems and random quadratic systems

Page 25: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Simulations: Dependence on n

Page 26: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Simulations: Dependence on n

[Plots: log(time) against n. Series: q=3, random; q=3, d=12; q=2, d=20; q=3, d=30; q=2, d=128; q=2, random; q=2, C*]

exponential time complexity !?

Page 27: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Simulations: Dependence on d

time depends on rather than on d

Page 28: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Simulations: Dependence on ⌈log_q(d)⌉

if d is large (approx. ) HFE systems behave like systems of random quadratic equations (random systems correspond to ⌈log_q(d)⌉ = n)

if d is small (approx. ) Solving HFE systems becomes much easier !!

and usually log_q(d) << n (e.g. HFE Challenge 1: q=2, n=80, d=96 → ⌈log_q(d)⌉ = 7 << 40)

[Plot annotations: ·3 ·3 ·3; ·8 ·11 ·7]

Page 29: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Simulations: Dependence on ⌈log_q(d)⌉

• Usually ⌈log_q(d)⌉ << n

  – e.g. HFE Challenge 1: q=2, n=80, d=96 (⌈log_q(d)⌉ = 7 << 80)

• Extrapolating the times needed for d=96, solving this challenge seems out of reach

[Plot: log(time)]

• By applying a highly optimized variant of the Buchberger Algorithm in the future it might be possible to solve certain instances of HFE with very small d in some feasible time.

• By applying F5/2 now it is possible to solve HFE Challenge 1 in 96 h.

Page 30: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Perturbations

Page 31: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Perturbations

• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure

• e.g. "-" (i.e. removing polynomials):

[Diagram label: Public Key]

Page 32: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Perturbations

• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure

• e.g. "+" (i.e. adding some random polynomials):

[Diagram label: Public Key (after "mixing" with S and T)]

Page 33: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Perturbations

• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure

• Perturbed HFE systems are claimed to be more secure than Basic HFE systems

• All proposed HFE systems (e.g. SFLASH, QUARTZ) use perturbations

Page 34: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Simulations on Perturbations

• Simulations in the case q=2, n=15

• included systems generated

  – from HFE with d ∈ {5, 9, 17}

  – randomly

• added / removed / replaced between 0 and 5 polynomials

Page 35: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Simulations on Perturbations

[Plots: time_1 against the number of polynomials added ("plus", 0 to 5) and removed ("minus", 0 to 5). Panels: random; d=5]

Better consider the ratio of needed times for HFE systems to that for random systems

Page 36: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Simulations on Perturbations

[Plots: ratio against the number of polynomials added ("plus", 0 to 5) and removed ("minus", 0 to 5). Panels: d=5; d=9; d=17]

Better consider the ratio of needed times for HFE systems to that for random systems

• adding/removing just a few polynomials makes solving HFE systems significantly more difficult

• Perturbed HFE seems to be more secure than Basic HFE

Page 37: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Conclusion of this part

• Time complexity of solving HFE systems by applying Buchberger Algorithm depends …

  – nearly exponentially on number n of unknowns

  – strongly on ⌈log_q(d)⌉

• Security of HFE depends significantly on the degree of the hidden polynomial

• Perturbations seem to make HFE more secure

Page 38: Some new aspects concerning the  Analysis of HFE type Cryptosystems


Overview

• What is HFE?

• Some Experimental Results on Attacking HFE with Buchberger Algorithm

• An improved Algorithm for Separating Branches

