Oil-Vinegar signature cryptosystems

Jintai Ding
University of Cincinnati
Workshop on multivariate public key cryptosystems, 2006
Taiwan Information Security Center
The National Taiwan University of Science and Technology
1. Introduction
2. The Oil-Vinegar signature schemes (balanced and unbalanced)
3. The attacks
4. The generalizations
1 Introduction
Multivariable public key signature cryptosystems:
• The public key, which is what the verifier is given, is the map
$G(x_1, \ldots, x_n) = (G_1(x_1, \ldots, x_n), \ldots, G_m(x_1, \ldots, x_n)).$
Any document (its hash value) $D = (y'_1, \ldots, y'_m)$ has a signature
$S = (x'_1, \ldots, x'_n)$, and we accept it only if $G(S) = D$.
• The secret key is something that allows one to find S once we
are given D.
The first one, Ong-Schnorr-Shamir (OSS), 1985:
$y^2 - a x^2 = b \bmod (p_1 p_2),$
where b is the message or its hash.
But it was defeated in 1987 by Pollard-Schnorr.
• The origin of Oil-Vinegar.
• The inspiration is from the linearization equations (LEs)
satisfied by the MI system:
$\sum_{i,j} a_{ij} x_i y_j + \sum_i b_i x_i + \sum_j c_j y_j + d = 0,$
where $(x_1, \ldots, x_n)$ is the plaintext and $(y_1, \ldots, y_n)$ the
ciphertext.
• Patarin transformed an attack method into a method to build
cryptosystems.
2 Oil-Vinegar
• Oil-Vinegar is a design for signatures
• The Oil and Vinegar construction (Patarin, Kipnis, Goubin) uses
the idea that certain quadratic equations can be easily solved if
we are allowed to guess a few variables, as in the case of the LE
attack.
• Let k be a finite field. The key construction is a map F from
$k^{o+v}$ to $k^o$:
$F(x_1, \ldots, x_o, x'_1, \ldots, x'_v) = (F_1(x_1, \ldots, x_o, x'_1, \ldots, x'_v), \ldots, F_o(x_1, \ldots, x_o, x'_1, \ldots, x'_v)),$
and each $F_l$ is of the form:
$F_l(x_1, \ldots, x_o, x'_1, \ldots, x'_v) = \sum a_{l,i,j}\, x_i x'_j + \sum b_{l,i,j}\, x'_i x'_j + \sum c_{l,i}\, x_i + \sum d_{l,j}\, x'_j + e_l,$
where $x_i$, i = 1, ..., o, are the Oil variables and $x'_j$,
j = 1, ..., v, are the Vinegar variables in the finite field k.
• We call such a polynomial an ‘Oil and Vinegar
polynomial’. The reason it is called the Oil and Vinegar
scheme is that in the quadratic terms the Oil
and Vinegar variables are not fully mixed (like oil and vinegar):
there is no Oil × Oil term.
• This allows us to find one solution easily for any equation of
the form
$F(x_1, \ldots, x_o, x'_1, \ldots, x'_v) = (y_1, \ldots, y_o),$
when $(y_1, \ldots, y_o)$ is given.
To find one solution, one just needs to randomly choose values
for the Vinegar variables and plug them into the equations
above, which produces a set of o linear equations in the o
Oil variables.
• This should, with good probability, give us a solution. If it
does not, one can try again by selecting different values for the
Vinegar variables, until one succeeds in finding a solution.
• Roughly, the probability is near 1 − 1/q, but bigger in general.
• Toy example
• We use the finite field $k = GF(2)[x]/(x^2 + x + 1)$ with $2^2 = 4$ elements.
• We denote the elements of the field by the set {0, 1, 2, 3} to
simplify the notation.
Here 0 represents 0 in k, 1 represents 1, 2 represents x, and 3 represents 1 + x.
In this case, 1 + 3 = 2 and 2 ∗ 3 = 1.
$F_1(x_1, x_2, x'_1, x'_2) = 1 + x_1 + x'_2 + 2 x_1 x'_2 + 3 x'_1 x'_2 + x'^2_2$
$F_2(x_1, x_2, x'_1, x'_2) = 3 + 3 x'_1 + 2 x_2 + 3 x_1 x'_2 + x_2 x'_2 + x'_1 x'_2 + x'^2_1$
Let $x'_1 = 0$, $x'_2 = 1$:
$F_1 = 3 x_1 + 1$
$F_2 = 2 + 3 x_2 + 3 x_1$
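The toy example can be run end to end. The following Python is an added example, not code from the slides: it implements GF(4) with the same 0..3 encoding, the two polynomials $F_1$, $F_2$ as coefficient dictionaries, the substitution of Vinegar values, and the solve-for-Oil step, and then verifies the resulting signature against the central map. The target digest (2, 3) and the Vinegar choices are constructed for the example; it also shows a Vinegar choice for which the linear system is singular, which is the case where a signer must retry with fresh Vinegar values.

```python
import random

# --- GF(4) = GF(2)[x]/(x^2 + x + 1); elements 0, 1, 2 (= x), 3 (= 1 + x) as on the slides ---
def gf4_add(a, b):
    return a ^ b                      # characteristic 2: addition is XOR of coefficient bits

def gf4_mul(a, b):
    r = 0
    for i in range(2):                # schoolbook multiply of two 2-bit polynomials
        if (b >> i) & 1:
            r ^= a << i
    if r & 4:                         # reduce x^2 = x + 1
        r ^= 0b111
    return r & 3

def gf4_inv(a):
    for b in range(1, 4):
        if gf4_mul(a, b) == 1:
            return b
    raise ZeroDivisionError("0 has no inverse")

# Variables are indexed 0,1 = Oil x1, x2 and 2,3 = Vinegar x'1, x'2.
# A polynomial is {monomial (sorted index tuple): coefficient}; () is the constant term.
OIL, VIN = (0, 1), (2, 3)
F1 = {(): 1, (0,): 1, (3,): 1, (0, 3): 2, (2, 3): 3, (3, 3): 1}
F2 = {(): 3, (2,): 3, (1,): 2, (0, 3): 3, (1, 3): 1, (2, 3): 1, (2, 2): 1}
CENTRAL_MAP = [F1, F2]

def evaluate(poly, point):
    total = 0
    for mono, coef in poly.items():
        term = coef
        for idx in mono:
            term = gf4_mul(term, point[idx])
        total = gf4_add(total, term)
    return total

def fix_vinegar(poly, vin_vals):
    """Substitute Vinegar values; return (coefficients of the Oil variables, constant)."""
    lin, const = [0] * len(OIL), 0
    for mono, coef in poly.items():
        term = coef
        for i in mono:
            if i in VIN:
                term = gf4_mul(term, vin_vals[i - len(OIL)])
        oil_idx = [i for i in mono if i in OIL]
        if not oil_idx:
            const = gf4_add(const, term)
        elif len(oil_idx) == 1:
            lin[oil_idx[0]] = gf4_add(lin[oil_idx[0]], term)
        else:                         # Oil x Oil term: not an Oil-Vinegar polynomial
            raise ValueError("polynomial mixes Oil variables")
    return lin, const

def solve_gf4(rows, rhs):
    """Gauss-Jordan elimination over GF(4); returns None if the system is singular."""
    n = len(rows)
    aug = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = gf4_inv(aug[col][col])
        aug[col] = [gf4_mul(inv, v) for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [gf4_add(v, gf4_mul(f, p)) for v, p in zip(aug[r], aug[col])]
    return [aug[r][n] for r in range(n)]

def sign(target, vinegar):
    """Signature (x1, x2, x'1, x'2) for the given Vinegar choice, or None if it fails."""
    rows, rhs = [], []
    for poly, y in zip(CENTRAL_MAP, target):
        lin, const = fix_vinegar(poly, vinegar)
        rows.append(lin)
        rhs.append(gf4_add(y, const))  # y - const (equal to y + const in characteristic 2)
    oil = solve_gf4(rows, rhs)
    return None if oil is None else tuple(oil) + tuple(vinegar)

def sign_random(target, seed=1):
    """The signer's loop: pick Vinegar values at random until the Oil system is solvable."""
    rng = random.Random(seed)
    while True:
        s = sign(target, [rng.randrange(4) for _ in VIN])
        if s is not None:
            return s

def verify(signature, target):
    return all(evaluate(p, signature) == y for p, y in zip(CENTRAL_MAP, target))
```

With $x'_1 = 0, x'_2 = 1$ the function `fix_vinegar` reduces $F_1$ to $3x_1 + 1$ exactly as on the slide; for a target (2, 3) the Oil system then yields the signature (1, 1, 0, 1). The Vinegar choice $x'_1 = 0, x'_2 = 3$ makes the coefficient of $x_1$ in $F_1$ vanish, so the system is singular and `sign` returns None, which is why the signer retries rather than failing.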
• This family of cryptosystems is designed specifically for
signature schemes, where we need only to find one solution for
a given set of equations and not a unique solution.
• Once we have this map F, we “hide” it by composing it on
the left and the right with two invertible affine linear maps
$L_1$ and $L_2$, in the same way as was done in the construction
of the MI cryptosystem. Since $L_1$ is on $k^o$ and $L_2$ on $k^{o+v}$, this
generates a quadratic map
$\bar F = L_1 \circ F \circ L_2$
from $k^{o+v}$ to $k^o$ (∘ means composition of two maps).
• $L_1$ is not necessary, due to the randomness of F.
• The public key is
$\bar F = F \circ L.$
3 Attack
• The balanced Oil and Vinegar scheme is characterized by
o = v, but it was defeated by Kipnis and Shamir using matrices
related to the bilinear forms defined by the quadratic polynomials.
• For the unbalanced Oil and Vinegar scheme, v > o, it was
shown (Kipnis, Patarin, Goubin) that a specific attack has a
complexity of roughly $q^{v-o-1} o^4$ when v ≈ o. This means that
if o is not too large (< 100) and the field size q is fixed,
then v − o should be large enough, but also not too large, to
ensure the security of the scheme.
3.1 Balanced case, o = v
• The basic idea:
Given any quadratic polynomial, we can associate a symmetric
matrix.
Let
$f(x_1, \ldots, x_n) = \sum a_{ij} x_i x_j + \ldots,$
$H' = (a_{ij}),$
$H = H' + H'^t.$
For fields that are not of characteristic 2,
$2 f(x_1, \ldots, x_n) = (x_1, \ldots, x_n)\, H\, (x_1, \ldots, x_n)^t.$
• Base change
If
$f'(x_1, \ldots, x_n) = f \circ \bar L(x_1, \ldots, x_n),$
$\bar L(x_1, \ldots, x_n) = (x_1, \ldots, x_n) \times T,$
then
$\bar H = T H T^t,$
where $\bar H$ is the matrix for $f'$.
• To simplify the exposition, let's assume that k is a field of
odd characteristic; the case of characteristic 2 is essentially
the same, but more subtle.
• Let's now assume that an attacker has the public key, namely
the set of polynomials $\bar F_i$, i = 1, ..., v, in the 2v variables
$z_1, \ldots, z_{2v}$, and the field structure of k.
• Let
$Z = (z_1, \ldots, z_{2v})$
be the 2v-dimensional vector.
• For each $\bar F_i$, let's look at its quadratic part, which we denote
by $\bar F'_i$. We know that there exists a unique 2v × 2v symmetric
square matrix $\bar M_i$ such that
$\bar F'_i(Z) = Z \times \bar M_i \times Z^t,$
where $Z^t$ is the transpose of Z.
• For each $F_i$, we denote its quadratic part by $F'_i$. Similarly
we have
$F'_i(Z) = Z \times M_i \times Z^t,$
where $z_1, \ldots, z_v$ are the Oil variables, $z_{v+1}, \ldots, z_{2v}$ are the
Vinegar variables, and $M_i$ as a matrix is in the special form
$M_i = \begin{pmatrix} 0 & B_{i1} \\ B_{i1}^t & B_{i2} \end{pmatrix},$
where 0 here is the v × v zero matrix and the $B_{ij}$ are v × v matrices.
• Let $u_1$ and $u_2$ be any two vectors in $O = \{(z_1, \ldots, z_v, 0, \ldots, 0)\}$,
the Oil space; then
$u_1 M_i u_2^t = 0.$
• The Vinegar space is $V = \{(0, \ldots, 0, z_{v+1}, \ldots, z_{2v})\}$.
• Let $L(Z) = Z \times A + a$, where A is a 2v × 2v matrix and a is a
vector in $k^{2v}$.
• The matrix relations
$\bar F'_i(Z) = Z \times \bar M_i \times Z^t = F'_i(L(Z)) = Z \times A \times M_i \times A^t \times Z^t$
imply that
$\bar M_i = A \times M_i \times A^t.$
Therefore
$M_i = A^{-1} \times \bar M_i \times (A^{-1})^t.$
• The $\bar M_i$ are all known. This means that we essentially break the
system if we can find a matrix $A^{-1}$ that changes all the $\bar M_i$
into the form of the $M_i$, where the
submatrix consisting of the elements in the first v rows and
columns is all zero.
• Let U be an invertible linear map on $k^{2v}$ such that
$U(Z) = Z \times \begin{pmatrix} U_{11} & 0 \\ U_{21} & U_{22} \end{pmatrix}.$
Then we have that
$\bar F'_i(U(Z)) = Z \times U \times M_i \times U^t \times Z^t,$
and clearly we can compute to derive that
$U \times M_i \times U^t = \begin{pmatrix} 0 & C_{i1} \\ C_{i1}^t & C_{i2} \end{pmatrix}.$
This tells us that there is not just one such $A^{-1}$ (or its
constant multiples) that gives what we need to break the
system; rather there is a large family of them, and we need
only find one of them.
• The problem.
If we have a set of symmetric 2v × 2v matrices $\bar M_i$, i = 1, ..., v,
how do we find a matrix $\bar A$ such that all $\bar A \bar M_i \bar A^t$ are of the form
$\begin{pmatrix} 0 & * \\ * & * \end{pmatrix}$?
• The key property of U is that O is an invariant subspace of U.
Therefore what we need to do is to find a v-dimensional
subspace such that any two vectors $u_1$ and $u_2$ in it satisfy
$u_1 \bar M_i u_2^t = 0$, just as in the O space; this subspace, as we know, is the
image of O under the action of $A^{-1}$.
• Let $\bar M$ be the linear subspace of matrices spanned by the $\bar M_i$.
Because each $M_i$ is randomly chosen, if we randomly choose
an element $\bar W_1$ in $\bar M$, we have roughly probability 1 − 1/q
of getting a nonsingular matrix. Let's assume that we have
chosen two such elements $\bar W_i$, i = 1, 2.
• Let
$\hat W = \bar W_2 (\bar W_1)^{-1}.$
This is the key operator we will use.
Definition. For the vector space $k^n$, let H be a linear map on $k^n$.
A linear subspace S of the space is called invariant under H
if for any s ∈ S, H(s) ∈ S.
If we choose a basis of the form $s_1, \ldots, s_m, v_1, \ldots, v_l$, where
$s_1, \ldots, s_m$ is a basis of S, then the corresponding matrix for H
is of the form
$\begin{pmatrix} * & 0 \\ * & * \end{pmatrix}.$
• Let E be a (v + v) × (v + v) matrix such that
$E = \begin{pmatrix} 0 & E_{12} \\ E_{21} & E_{22} \end{pmatrix},$
where 0 is the v × v zero matrix and $E_{22}$ is a v × v matrix.
• Lemma. For any matrices $E_1$ and $E_2$ of the form defined
above, as linear operators acting on the row space $k^{v+v}$, we
have that
a) $E_i$ maps the Oil subspace into the Vinegar subspace, and if
the matrix $E_i^{-1}$ exists, it maps the Oil subspace into the
Vinegar subspace;
b) if the matrix $E_i^{-1}$ exists, then the image of the Vinegar
subspace under $E_i^{-1}$ is exactly the Oil subspace;
c) the Oil subspace is invariant under the action of $E_1 E_2^{-1}$.
• The randomness assumption tells us that with very good
probability a random element in $\bar M$ is invertible.
• Let the $\hat W_i$ be elements built in the same way as $\hat W$.
• Assume we have a number of such $\hat W_i$, i = 1, ..., l < $v^2$. Let ω be
the linear space spanned by the $\hat W_i$. It is clear that all elements in
ω share the same v-dimensional invariant subspace. From
linear algebra, we know that finding such an $A^t$ is equivalent to
finding a v-dimensional subspace $I_v$ that is invariant
under the action of all the $\hat W_i$, which in this case should be
unique once we have enough $\bar W_i$.
• The attack becomes the problem of finding the common invariant
subspace of the $\hat W_i$, which can be solved.
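The matrix relation $\bar M_i = A M_i A^t$, part c) of the Lemma, and the claim that the hidden Oil space is invariant under $\hat W$ can all be checked numerically. The following Python is an added example, not code from the slides: it builds a small balanced instance over GF(7) (o = v = 3, the central matrices and A drawn at random from a fixed seed, so every value is constructed), forms the public matrices $\bar M_i = A M_i A^t$, takes two nonsingular elements $\bar W_1, \bar W_2$ of their span, computes $\hat W = \bar W_2 \bar W_1^{-1}$, and verifies that the image of O under $A^{-1}$ is both totally isotropic for every public matrix and invariant under $\hat W$. All function names are the example's own. Recovering that subspace from $\hat W$ alone is the characteristic-polynomial step the slides describe next; the check here only shows why, when o = v, a subspace with this leaking property is guaranteed to exist.

```python
import random

P = 7          # odd-characteristic field GF(7), as assumed on the slides for the balanced case
V = 3          # balanced instance: o = v = 3 (constructed), so n = 2v = 6 variables
N = 2 * V

def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def rank(A):
    """Rank over GF(P) by row reduction on a copy."""
    M, r = [row[:] for row in A], 0
    for c in range(len(M[0]) if M else 0):
        piv = next((i for i in range(r, len(M)) if M[i][c] % P), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], P - 2, P)
        M[r] = [x * inv % P for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c] % P:
                f = M[i][c]
                M[i] = [(x - f * y) % P for x, y in zip(M[i], M[r])]
        r += 1
    return r

def inverse(A):
    """Gauss-Jordan inverse over GF(P); None if A is singular."""
    n = len(A)
    M = [row[:] + identity(n)[i] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((i for i in range(c, n) if M[i][c] % P), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], P - 2, P)
        M[c] = [x * inv % P for x in M[c]]
        for i in range(n):
            if i != c and M[i][c] % P:
                f = M[i][c]
                M[i] = [(x - f * y) % P for x, y in zip(M[i], M[c])]
    return [row[n:] for row in M]

def random_ov_matrix(rng):
    """Symmetric matrix of a central Oil-Vinegar form: the Oil x Oil block is zero."""
    M = [[0] * N for _ in range(N)]
    for i in range(V):                        # Oil x Vinegar block B_i1 and its transpose
        for j in range(V, N):
            M[i][j] = M[j][i] = rng.randrange(P)
    for i in range(V, N):                     # symmetric Vinegar x Vinegar block B_i2
        for j in range(i, N):
            M[i][j] = M[j][i] = rng.randrange(P)
    return M

def random_invertible(rng):
    while True:
        A = [[rng.randrange(P) for _ in range(N)] for _ in range(N)]
        if inverse(A) is not None:
            return A

def is_invariant(S, W):
    """Row space of S is invariant under W (row vectors, right multiplication) iff S*W stays inside it."""
    return rank(S + mat_mul(S, W)) == rank(S)

def is_isotropic(S, M):
    """u M w^t = 0 for all u, w in the row space of S."""
    Z = mat_mul(mat_mul(S, M), transpose(S))
    return all(x == 0 for row in Z for x in row)

def balanced_ov_leak(seed=0):
    rng = random.Random(seed)
    A, central = random_invertible(rng), [random_ov_matrix(rng) for _ in range(V)]
    A_inv = inverse(A)
    public = [mat_mul(mat_mul(A, M), transpose(A)) for M in central]   # public matrices A M_i A^t
    oil = identity(N)[:V]                                              # O = {(z_1..z_v, 0..0)}
    hidden_oil = mat_mul(oil, A_inv)                                   # image of O under A^{-1}

    def random_span_element():                                         # nonsingular element of span(public)
        while True:
            c = [rng.randrange(P) for _ in range(V)]
            W = [[sum(c[k] * public[k][i][j] for k in range(V)) % P for j in range(N)] for i in range(N)]
            if inverse(W) is not None:
                return W

    W1, W2 = random_span_element(), random_span_element()
    W_hat = mat_mul(W2, inverse(W1))                                   # the key operator W2 * W1^{-1}
    control = [[rng.randrange(P) for _ in range(N)] for _ in range(V)] # an unrelated v-dim subspace
    return {
        "hidden_oil_isotropic": all(is_isotropic(hidden_oil, Mb) for Mb in public),
        "hidden_oil_invariant": is_invariant(hidden_oil, W_hat),
        # a random v-dimensional subspace is, with overwhelming probability, not invariant
        "random_subspace_invariant": is_invariant(control, W_hat),
    }
```

The subspace is represented by its basis rows, so invariance is a rank test: the rows of $S \hat W$ must lie in the row space of S. Both positive checks hold for every seed, because $\hat W = A (W_2 W_1^{-1}) A^{-1}$ with $W_j$ in the span of the central matrices, and the Lemma gives $O\, W_2 W_1^{-1} \subseteq O$; the control subspace shows the property is special to the hidden Oil space rather than true of any v-dimensional subspace.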
• There exists a matrix $\bar A$ such that
$\bar A \hat W_i \bar A^{-1} = \begin{pmatrix} * & 0 \\ * & * \end{pmatrix}.$
• Given $\bar W$, the basic way to find the invariant subspace is as
$\mathrm{Kernel}(r(W))$, where r(x) is a factor of the characteristic
polynomial of W, using
$W r(W) = r(W) W.$
• An example.
$W = \begin{pmatrix} 2 & 0 \\ 1 & 2 \end{pmatrix}.$
(1, 0) is the basis of the kernel of W − 2I.
• An algorithm using the fact that the probability that a randomly chosen
polynomial of degree n over a finite field is irreducible is roughly 1/n.
• Let
$D = \begin{pmatrix} D_1 & 0 \\ D_3 & D_2 \end{pmatrix},$
where the $D_i$ and 0 are v × v matrices; then
$f(\lambda) = f_1(\lambda) f_2(\lambda),$
where f is the characteristic polynomial of D, and $f_1$, $f_2$ are
the characteristic polynomials of $D_1$, $D_2$.
• Assume that one of the $f_i$ is irreducible and $f_1 \neq f_2$; then
$O = \mathrm{kernel}(f_1(D)).$
The attack steps.
Step 1. For each $\bar F_i$, we find its associated symmetric matrix
$\bar M_i$; then we choose randomly any two matrices $\bar W_1$ and $\bar W_2$
in their span which are both nonsingular.
Step 2. We calculate $\hat W = \bar W_2 (\bar W_1)^{-1}$ and compute its
characteristic polynomial C(x).
Step 3. We factor C(x) into irreducible components. If one of
the factors, which we call $C_1(x)$, is an irreducible polynomial,
we move to the next step; otherwise we go back to Step 1.
Step 4. Let $C_2(x) = C(x)/C_1(x)$. Calculate $C_1(\hat W)$ and $C_2(\hat W)$. For
each of these two matrices, we find a basis of the kernel of the
linear operator acting through right multiplication on a row
vector. Then we establish a basis of the whole space $k^{2v}$
whose first v vectors are the basis of either of
the kernels.
Step 5. Then we apply a change of basis using either of the two
bases derived above to see which one will transform
the polynomials into a set of Oil-Vinegar polynomials.
Step 6. An attacker then can use the same method as the
legitimate user to forge a signature that will be accepted as a
valid signature.
3.2 Unbalanced case
• The attack idea is very similar, but more subtle, with a more
probabilistic argument.
• The complexity relies on $q^{v-o}$, which is probabilistic.
• When v is too large (≥ $o^2$), it is not secure, for the reason that
the real O space is actually much bigger.
• Other related results (Wolf et al.: Groebner basis analysis and
linear approximation).
• The document to be signed is a vector in $k^o$ and the signature
is a vector in $k^{o+v}$. This means that the signature is at least
twice the size of the document, and with a large v + o the
system becomes less efficient.
• The next step?
4 Generalizations
• HFEv
• Rainbow
• TTS
• TRMS
Thanks and questions