Download - Some new aspects concerning the Analysis of HFE type Cryptosystems

RuhrRuhrUniversityUniversityBochumBochum

Faculty of MathematicsFaculty of MathematicsInformation-Security and CryptologyInformation-Security and Cryptology

Some new aspects concerning the Some new aspects concerning the

Analysis ofAnalysis of

HFE type CryptosystemsHFE type Cryptosystems

Magnus DaumMagnus Daum Patrick FelkePatrick Felke

RuhrRuhrUniversityUniversityBochumBochumFaculty of MathematicsFaculty of MathematicsInformation-Security and CryptologyInformation-Security and Cryptology

RuhrRuhrUniversityUniversityBochumBochum

Faculty of MathematicsFaculty of MathematicsInformation-Security and CryptologyInformation-Security and Cryptology

06.06.2002 Some new aspects concerning the Analysis of HFE type Cryptosystems

• What is HFE?

• Some Experimental Results on Attacking HFE with Buchberger Algorithm

• An improved Algorithm for Separating Branches

OverviewOverview

What is HFE?What is HFE?



Secret Key

Public Key

Trapdoor

Basic HFEBasic HFE

one-way trapdoor function



Basic HFE: ExampleBasic HFE: Example




Encryption




Decryption




Signing Verifying/



Parameters of HFEParameters of HFE

• n Number of unknowns and equations

• q Size of smaller finite field K

• d Degree of hidden polynomial



– General Approach with Buchberger Algorithm– Why HFE systems are special– Simulations– Perturbations

• What is HFE?



OverviewOverview

General ApproachGeneral Approach



General Approach: ExampleGeneral Approach: Example

Signing Decryption/



Buchberger Algorithm

General Approach: ExampleGeneral Approach: Example



General Approach: ProblemsGeneral Approach: Problems

• degree of output poly-nomials may get very big

• Buchberger algorithm has exponential worst case complexity

• compute all solutions in algebraic closure

• …

in general only feasible for very few unknowns

HFE SystemsHFE Systemsare Specialare Special



HFE Systems are SpecialHFE Systems are Special

•defined over a very small finite field

•include only quadratic polynomials

•need only solutions in the base field Fq

•hidden polynomial of low degree



Solutions in the Base FieldSolutions in the Base Field

solutions we are looking for fulfil

Proposition:



Solutions in the Base FieldSolutions in the Base Field

Buchberger

AlgorithmAdvantages:

• we compute only information we need

• degree of polynomials involved in this computation is bounded

Buchberger Algorithm



• Attack on C* (Patarin / Dobbertin):– For C*-systems there are many linear relations

between the public polynomials.

Hidden PolynomialHidden Polynomial

• Courtois:– For general HFE there are also some relations,

but they are more complex.– lower degree d more relations

• One main idea of Buchberger Algorithm can be described as making use of relations between the input polynomials in a sophisticated way

SimulationsSimulations



• in each simulation:– generate system of quadratic equations

(HFE or random)– add polynomials – solve by applying Buchberger Algorithm (with

FGLM)

• about 100.000 simulations in SINGULAR• parameters: mostly• HFE systems and random quadratic systems

SimulationsSimulations



Simulations: Dependence on Simulations: Dependence on nn



Simulations: Dependence on Simulations: Dependence on nn

q=3, random

q=3, d=12

q=2, d=20

q=3, d=30

q=2, d=128

q=2, random

20,0019,00

18,0017,00

16,0015,00

14,0013,00

12,0011,00

10,009,00

8,007,00

6,00

log(time)

n

exponential time complexity !?

20,0019,00

18,0017,00

16,0015,00

14,0013,00

12,0011,00

10,009,00

8,007,00

6,00

log(time)

26,0025,00

24,0023,00

22,0021,00

q=2, C*



Simulations: Dependence on Simulations: Dependence on dd

time depends on rather than on d



and usually logq(d)<<n (e.g. HFE Challenge 1: q=2, n=80, d=96 ! dlogq(d)e=7 << 40)

if d is large (approx. )HFE systems behave like systems of random quadratic equations (random systems correspond to dlogqde=n)

if d is small (approx. )Solving HFE systems becomes much easier !!

Simulations: Dependence on Simulations: Dependence on ddloglogqqddee

∙3 ∙3 ∙3

∙8 ∙11 ∙7



Simulations: Dependence on Simulations: Dependence on ddloglogqqddee

• Usually dlogq(d)e<<n– e.g. HFE Challenge 1: q=2, n=80, d=96

dlogq(d)e=7 << 80 )

• Extrapolating the times needed for d=96,solving this challenge seems out of reach

20,0019,00

18,0017,00

16,0015,00

14,0013,00

12,0011,00

10,009,00

8,007,00

6,00

log(time)

26,0025,00

24,0023,00

22,0021,00

• By applying a highly optimized variant of theBuchberger Algorithm in the future it might bepossible to solve certain instances of HFE with very small d in some feasible time.

• By applying F5/2 now it is possible to solve HFE Challenge 1 in 96 h.



PerturbationsPerturbations




• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure

• e.g. „-“ (i.e. removing polynomials):Public Key





• e.g. „+“ (i.e. adding some random polynomials):

Public Key(after „mixing“ with S and T)





• Perturbated HFE systems are claimed to be more secure than Basic HFE systems

• All proposed HFE systems (e.g. SFLASH, QUARTZ) use perturbations



Simulations on PerturbationsSimulations on Perturbations

• Simulations in the case q=2, n=15

• included systems generated– from HFE with d2{ 5,9,17 }– randomly

• added / removed / replaced between 0 and 5 polynomials




0

12

34

5

plus

1000,00

2000,00

3000,00

4000,00

tim

e_1

5

4

3

2minus

1

0

random

01

23

45

plus

0,00

1000,00

2000,00

3000,00ti

me_

1

5

4

3

2minus

1

0

d=5

Better consider the ratio of needed times for HFE systems to that for random systems




01

23

45

plus

0,20

0,40

0,60

0,80

1,00

rati

o

5

4

3

2minus1

0 d=5

01

23

45

plus

0,20

0,40

0,60

0,80

1,00

rati

o

5

4

3

2minus1

0 d=90

12

34

plus

0,20

0,40

0,60

0,80

1,00

rati

o

5

4

3

2minus

1

0 d=17

Better consider the ratio of needed times for HFE systems to that for random systems

• adding/removing just some few polynomials makes solving HFE systems significantly more difficult

• Perturbated HFE seems to be more secure than Basic HFE



Conclusion of this partConclusion of this part

• Time complexity of solving HFE systems by applying Buchberger Algorithm depends …– nearly exponentially on number n of unknowns

– strongly on dlogq(d)e

• Security of HFE depends significantly on the degree of the hidden polynomial

• Perturbations seem to make HFE more secure



• What is HFE?



OverviewOverview

Download - Some new aspects concerning the Analysis of HFE type Cryptosystems

Top Related