Ruhr University Bochum
Faculty of Mathematics
Information-Security and Cryptology
Some new aspects concerning the Analysis of HFE type Cryptosystems
Magnus Daum, Patrick Felke
06.06.2002 Some new aspects concerning the Analysis of HFE type Cryptosystems
Overview
• What is HFE?
• Some Experimental Results on Attacking HFE with Buchberger Algorithm
• An improved Algorithm for Separating Branches
What is HFE?
Basic HFE
Secret Key
Public Key
Trapdoor
one-way trapdoor function
Basic HFE: Example
Encryption
Decryption
Signing / Verifying
Parameters of HFE
• n: Number of unknowns and equations
• q: Size of smaller finite field K
• d: Degree of hidden polynomial
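A toy instance of the basic HFE construction with these three parameters, as an added example that is not taken from the slides: it uses q=2, n=5, d=5, and the field polynomial, the hidden polynomial's coefficients, the seed and all function names are chosen here for illustration. It builds the public map from the secret affine maps S, T and the hidden polynomial, inverts it through the trapdoor, and checks that the public map is quadratic over the base field.

```python
import random

N = 5            # n: number of unknowns and equations over K = F_2 (q = 2)
MOD = 0b100101   # x^5 + x^2 + 1, irreducible over F_2: defines the extension field F_32
# Hidden polynomial f(X) = X^5 + c_3 X^3 + c_2 X^2 + c_1 X + c_0 of degree d = 5 (constructed).
# Each exponent is 2^i or 2^i + 2^j, so every coordinate of f is quadratic over F_2.
HIDDEN = [0b00100, 0b01011, 0b00111, 0b00011, 0, 1]   # coefficients c_0 .. c_5

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r

def hidden(x):
    y = 0
    for c in reversed(HIDDEN):
        y = gf_mul(y, x) ^ c
    return y

def affine(m, x):
    # Affine map over F_2: bit i of the result is <row_i, x> xor const_i.
    rows, const = m
    y = const
    for i, row in enumerate(rows):
        y ^= (bin(row & x).count("1") & 1) << i
    return y

def random_affine(rng):
    # Rejection-sample until the map is a bijection on F_2^N (brute-force check, toy size only).
    while True:
        m = ([rng.randrange(1, 1 << N) for _ in range(N)], rng.randrange(1 << N))
        if len({affine(m, x) for x in range(1 << N)}) == 1 << N:
            return m

def keygen(seed=2002):
    rng = random.Random(seed)
    s, t = random_affine(rng), random_affine(rng)
    # Public key P = T o f o S, kept as a truth table here; encryption of x is public[x].
    return (s, t), [affine(t, hidden(affine(s, x))) for x in range(1 << N)]

def decrypt(secret, y):
    # Trapdoor: undo T, find all roots of f(X) = T^-1(y) in F_32, undo S.
    s, t = secret
    t_inv = {affine(t, v): v for v in range(1 << N)}
    s_inv = {affine(s, v): v for v in range(1 << N)}
    return sorted(s_inv[z] for z in range(1 << N) if hidden(z) == t_inv[y])

def public_degree(public):
    # Algebraic degree over F_2 of the public map, via the Moebius transform (ANF).
    deg = 0
    for bit in range(N):
        anf = [(v >> bit) & 1 for v in public]
        for i in range(N):
            for x in range(1 << N):
                if (x >> i) & 1:
                    anf[x] ^= anf[x ^ (1 << i)]
        deg = max([deg] + [bin(m).count("1") for m in range(1 << N) if anf[m]])
    return deg
```

`decrypt` returns every preimage of a ciphertext, because the hidden polynomial is not a bijection; a real scheme adds redundancy to pick the right one.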
Overview
• What is HFE?
• Some Experimental Results on Attacking HFE with Buchberger Algorithm
  – General Approach with Buchberger Algorithm
  – Why HFE systems are special
  – Simulations
  – Perturbations
• An improved Algorithm for Separating Branches
General Approach
General Approach: Example
Signing / Decryption
Buchberger Algorithm
General Approach: Problems
• degree of output polynomials may get very big
• Buchberger algorithm has exponential worst case complexity
• compute all solutions in algebraic closure
• …
in general only feasible for very few unknowns
HFE Systems are Special
• defined over a very small finite field
• include only quadratic polynomials
• need only solutions in the base field F_q
• hidden polynomial of low degree
Solutions in the Base Field
solutions we are looking for fulfil
Proposition:
Buchberger Algorithm
Advantages:
• we compute only information we need
• degree of polynomials involved in this computation is bounded
Hidden Polynomial
• Attack on C* (Patarin / Dobbertin):
  – For C*-systems there are many linear relations between the public polynomials.
• Courtois:
  – For general HFE there are also some relations, but they are more complex.
  – lower degree d ⇒ more relations
• One main idea of Buchberger Algorithm can be described as making use of relations between the input polynomials in a sophisticated way
Simulations
• in each simulation:
  – generate system of quadratic equations (HFE or random)
  – add polynomials
  – solve by applying Buchberger Algorithm (with FGLM)
• about 100.000 simulations in SINGULAR
• parameters: mostly
• HFE systems and random quadratic systems
Simulations: Dependence on n
[Figure: log(time) against n; curves: q=3, random; q=3, d=12; q=2, d=20; q=3, d=30; q=2, d=128; q=2, random; a second panel adds q=2, C*]
exponential time complexity !?
Simulations: Dependence on d
time depends on rather than on d
Simulations: Dependence on $\lceil \log_q d \rceil$
if d is large (approx. ) HFE systems behave like systems of random quadratic equations (random systems correspond to $\lceil \log_q d \rceil$ = n)
if d is small (approx. ) Solving HFE systems becomes much easier !!
and usually $\log_q(d)$ << n (e.g. HFE Challenge 1: q=2, n=80, d=96 ⇒ $\lceil \log_q(d) \rceil$ = 7 << 40)
[Figure annotations: ∙3 ∙3 ∙3 ∙8 ∙11 ∙7]
• Usually $\lceil \log_q(d) \rceil$ << n
  – e.g. HFE Challenge 1: q=2, n=80, d=96 ⇒ $\lceil \log_q(d) \rceil$ = 7 << 80
• Extrapolating the times needed for d=96, solving this challenge seems out of reach
[Figure: log(time) plot]
• By applying a highly optimized variant of the Buchberger Algorithm in the future it might be possible to solve certain instances of HFE with very small d in some feasible time.
• By applying F5/2 now it is possible to solve HFE Challenge 1 in 96 h.
Perturbations
• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure
• e.g. "-" (i.e. removing polynomials):
Public Key
• e.g. "+" (i.e. adding some random polynomials):
Public Key (after "mixing" with S and T)
• Perturbed HFE systems are claimed to be more secure than Basic HFE systems
• All proposed HFE systems (e.g. SFLASH, QUARTZ) use perturbations
Simulations on Perturbations
• Simulations in the case q=2, n=15
• included systems generated
  – from HFE with $d \in \{5, 9, 17\}$
  – randomly
• added / removed / replaced between 0 and 5 polynomials
[Figure: time_1 against the number of added ("plus") and removed ("minus") polynomials, 0 to 5 each; panels: random, d=5]
Better consider the ratio of needed times for HFE systems to that for random systems
[Figure: ratio against the number of added ("plus") and removed ("minus") polynomials, 0 to 5 each; panels: d=5, d=9, d=17]
• adding/removing just a few polynomials makes solving HFE systems significantly more difficult
• Perturbed HFE seems to be more secure than Basic HFE
Conclusion of this part
• Time complexity of solving HFE systems by applying Buchberger Algorithm depends …
  – nearly exponentially on number n of unknowns
  – strongly on $\lceil \log_q(d) \rceil$
• Security of HFE depends significantly on the degree of the hidden polynomial
• Perturbations seem to make HFE more secure
Overview
• What is HFE?
• Some Experimental Results on Attacking HFE with Buchberger Algorithm
• An improved Algorithm for Separating Branches