Multivariate Public Key Cryptography
or
Why is there a rainbow hidden behind fields full of oil and vinegar?
Christian Eder, Jean-Charles Faugère and Ludovic Perret
Seminar on Fundamental Algorithms, University of Kaiserslautern
June 25, 2015

1 Introduction to public key cryptography
2 Construction of MPKC
3 Examples of MPKC schemes: Hidden fields
4 Examples of MPKC schemes: Oil & Vinegar

General idea of public key cryptography
(Diagram on the slide; its elements:)
- complete key (set of data)
- public key P (subset of the complete key)
- private key Q (complete key \ public key)
- the message M is encrypted with P to the ciphertext C, and C is decrypted with Q back to the original message M

General idea of signature schemes
Signer:
- original message M; hash function h: H = h(M)
- signature S = Q(H) with private key Q
- send the tuple (M, S)
Verifier:
- compute the hash H = h(M) of the message M
- compute H' = P(S) with public key P
- verify the sender via testing H = H'

2 Construction of MPKC

Trapdoors of MPKC
PKC depends on the existence of a class of trapdoor one-way functions.
Example
- Elliptic curve crypto depends on the elliptic curve group.
- NTRU depends on the structure of an integral lattice.
In MPKC the trapdoor one-way function is of the form of a multivariate non-linear polynomial map over a finite field.
Note
Usually non-linear means quadratic. Thus people often speak about MQ systems, referring to multivariate quadratic.

Basis of security of MPKC
MQ Problem
Given m quadratic polynomials $p_1(x_1, \dots, x_n), \dots, p_m(x_1, \dots, x_n)$ in n variables $x = (x_1, \dots, x_n)$ over a finite field $\mathbb{F}_q$, find a vector $x_0$ such that
$$p_1(x_0) = \dots = p_m(x_0) = 0.$$
Solving MQ polynomial systems is worst case NP-hard and in general doubly exponential over any finite field.

Construction of the MPKC
$$P = T \circ F \circ S$$
1. Get a trapdoor, e.g. a non-linear function $F : \mathbb{F}_q^n \to \mathbb{F}_q^n$ that is easily invertible.
2. Represent F as multivariate polynomials $\mathcal{F}$ over $\mathbb{F}_q$.
3. Take invertible secret matrices S and T.
4. Distribute your public key $P = T \circ F \circ S$ as polynomials $\mathcal{P}$.

Public keys of MPKC
We use an MQ polynomial map over $\mathbb{F}_q$: $P : \mathbb{F}_q^n \to \mathbb{F}_q^m$, $P = (p_1(x), \dots, p_m(x))$ with
$$p_k(x) = \sum_{1 \le i \le j \le n} \alpha_{ijk} x_i x_j + \sum_i \beta_{ik} x_i + \gamma_k,$$
for $x = (x_1, \dots, x_n)$, $\alpha_{ijk}, \beta_{ik}, \gamma_k \in \mathbb{F}_q$.
Note
The constant and linear terms of the $p_k$ do not provide any further security, so we can neglect them in our discussion:
$$p_k(x) = \sum_{1 \le i \le j \le n} \alpha_{ijk} x_i x_j.$$

Public keys of MPKC
In other words: $p_k \longleftrightarrow$ an $(n \times n)$ matrix $P_k$:
$$p_k(x) = \sum_{1 \le i \le j \le n} \alpha_{ijk} x_i x_j = (x_1, \dots, x_n) \cdot P_k \cdot (x_1, \dots, x_n)^T = x P_k x^T.$$
Clearly, P should be a random (mostly dense) system of MQ polynomial equations. But is it really?

Main ideas for attacking MPKC
- Try to retrieve the secret S and T in order to get F.
- The used MPKC variant is known, thus try to exploit knowledge of the general trapdoor / shape of the private map.
What are possible instantiations of MPKC?
or
What settings for F, S and T are used?

3 Examples of MPKC schemes: Hidden fields

Matsumoto-Imai scheme (MI or $C^*$) – 1988
In general:
- Utilize the vector space and hidden field structure of $(\mathbb{F}_q)^n$.
- Instead of searching for invertible maps over the vector space $(\mathbb{F}_q)^n$:
  - Look for invertible maps on the extension field $\mathbb{F}_{q^n}$ (F).
  - Transform to an invertible map over $(\mathbb{F}_q)^n$ by applying secret S and T (P).
- A single univariate polynomial F over $\mathbb{F}_{q^n}$ is represented by n multivariate polynomials $P = (p_i(x_1, \dots, x_n))_{1 \le i \le n}$ over $\mathbb{F}_q$.
Note
For $C^*$ let us assume q = 2 or $q = 2^k$ for some k. This makes the following discussion easier; the generalization is rather trivial.

Matsumoto-Imai scheme (MI or $C^*$) – 1988
In particular:
- $E = \mathbb{F}_q[x]/g(x)$ for an irreducible polynomial $g(x) \in \mathbb{F}_q[x]$ of degree n.
- $\varphi : E \to (\mathbb{F}_q)^n$ an $\mathbb{F}_q$-linear isomorphism given by $\varphi(a_0 + a_1 x + \dots + a_{n-1} x^{n-1}) = (a_0, \dots, a_{n-1})$.
- Choose $0 < \theta < n$ such that $\gcd(q^\theta + 1, q^n - 1) = 1$. Define the map F in $E[X]$ via $F(X) = X^{1 + q^\theta}$.
- The choice of θ ensures that F is invertible: $\xi (1 + q^\theta) \equiv 1 \bmod (q^n - 1) \Longrightarrow F^{-1}(X) = X^{\xi}$.
- Go back to $(\mathbb{F}_q)^n$: $P' = \varphi \circ F \circ \varphi^{-1}(x_1, \dots, x_n) = (p'_1(x), \dots, p'_n(x))$.
- Apply secret transformations S and T: $P = T \circ P' \circ S = T \circ \varphi \circ F \circ \varphi^{-1} \circ S$.

Matsumoto-Imai scheme (MI or $C^*$) – 1988
Note 1
Raising X to a power of the form $q^i$ is linear in E.
⇒ P is a system of MQ polynomials over $\mathbb{F}_q$.
Note 2
There are not so many choices for θ, thus we can assume θ to be publicly known.

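As an added illustration (not part of the slides), a toy $C^*$ instance over $E = \mathbb{F}_2[x]/(x^7 + x + 1)$ in Python: it checks the gcd condition on θ, inverts F through ξ, and interpolates $\varphi \circ F \circ \varphi^{-1}$ into n quadratic polynomials over $\mathbb{F}_2$, which is what Note 1 asserts. The choices n = 7, g(x) and θ are this example's own; S and T are left out so that the hidden-field map itself stays visible.

```python
from math import gcd

# Toy parameters (constructed for this example): q = 2, n = 7,
# E = F_2[x]/(g) with g(x) = x^7 + x + 1, which is irreducible over F_2.
N = 7
G = 0b10000011   # bit i of an integer is the coefficient of x^i

def gf_mul(a, b):
    """Multiply two elements of E (n-bit integers), reducing modulo g."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= G
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in E."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def cstar_exponent(theta, q=2, n=N):
    """Check gcd(q^theta + 1, q^n - 1) = 1 and return xi with xi*(1 + q^theta) = 1 mod (q^n - 1)."""
    e = q ** theta + 1
    if gcd(e, q ** n - 1) != 1:
        raise ValueError("this theta does not give an invertible F")
    return pow(e, -1, q ** n - 1)

def F(X, theta):
    return gf_pow(X, 2 ** theta + 1)   # F(X) = X^(1 + q^theta)

def F_inv(Y, xi):
    return gf_pow(Y, xi)               # F^-1(Y) = Y^xi

def phi(a):
    """phi: E -> (F_2)^n, a_0 + a_1 x + ... + a_{n-1} x^{n-1} -> (a_0, ..., a_{n-1})."""
    return [(a >> i) & 1 for i in range(N)]

def phi_inv(bits):
    return sum(b << i for i, b in enumerate(bits))

def P_prime(x, theta):
    """P' = phi o F o phi^-1, evaluated directly in E (the hidden-field view)."""
    return phi(F(phi_inv(x), theta))

def interpolate_mq(theta):
    """Coefficients alpha[k][(i, j)] with p'_k(x) = sum_{i <= j} alpha_ijk x_i x_j over F_2.
    Works because P' has degree 2 in the coordinates (Note 1): X -> X^(q^theta) is F_q-linear,
    so X * X^(q^theta) is bilinear in the x_i.  Over F_2 the x_i^2 = x_i terms carry the linear part."""
    e = lambda i: [1 if t == i else 0 for t in range(N)]
    p0 = P_prime([0] * N, theta)
    pe = [P_prime(e(i), theta) for i in range(N)]
    alpha = [dict() for _ in range(N)]
    for k in range(N):
        for i in range(N):
            alpha[k][(i, i)] = pe[i][k] ^ p0[k]
            for j in range(i + 1, N):
                pij = P_prime([a ^ b for a, b in zip(e(i), e(j))], theta)
                alpha[k][(i, j)] = pij[k] ^ pe[i][k] ^ pe[j][k] ^ p0[k]
    return alpha

def eval_mq(alpha, x):
    """Evaluate the n quadratic polynomials at x in (F_2)^n."""
    return [sum(a & x[i] & x[j] for (i, j), a in alpha[k].items()) & 1 for k in range(N)]

def mq_matches_hidden_field(theta):
    """True iff the interpolated MQ system agrees with phi o F o phi^-1 on all 2^n inputs."""
    alpha = interpolate_mq(theta)
    return all(eval_mq(alpha, phi(v)) == P_prime(phi(v), theta) for v in range(2 ** N))

def roundtrip_ok(theta):
    """True iff F^-1(F(X)) = X for every X in E, using xi from the gcd condition."""
    xi = cstar_exponent(theta)
    return all(F_inv(F(X, theta), xi) == X for X in range(2 ** N))
```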
Matsumoto-Imai scheme (MI or $C^*$) – 1988
Broken by Patarin (1995):
If $Y = X^{q^\theta + 1}$ then $X Y^{q^\theta} = X^{q^{2\theta}} Y$.
- From this one receives a system of equations of type $\sum \alpha_{ij} x_i y_j + \sum \beta_i x_i + \sum \gamma_i y_i + \delta = 0$.
- Taking enough ciphertexts from the original system one can determine the coefficients.
- For a given y (ciphertext) we can then solve the linear equations to get x (plaintext).

$(C^*)^-$ or SFLASH
Construction
Remove r public polys: $P = (p_1(x), \dots, p_{n-r}(x)) = R \circ T \circ P' \circ S$.
How to attack this? (Dubois, Fouque, Shamir, Stern; 2007)
- T randomly samples the linear space V spanned by the n quadratic equations generated via $P' \circ S$.
- Only n − r of the n samples ⇒ recover the missing ones?
- Transform T: $T' = T \circ A$ by applying matrices A.
  ⇒ Several samples of V, several different linearly independent equations!
- Only have the public polynomials ⇒ How to compute $T \circ A$?
- Multiply the input of F by α ⇒ multiply the output by $\beta := F(\alpha) = \alpha^{q^\theta + 1}$.
- Find a matrix B such that $R \circ T \circ A \circ P' \circ S = R \circ T \circ P' \circ S \circ B$.

$(C^*)^-$ or SFLASH
How to get B?
W = linear space spanned by all possible quadratic expressions
V = linear space spanned by the quadratic expressions of $T \circ P' \circ S$
$V_R$ = linear space spanned by the quadratic expressions of $R \circ T \circ P' \circ S$
Example: SFLASHv3
n = 67, r = 11 ⇒ $\dim(V_R) = 56$, $\dim(V) = 67$, $\dim(W) = 2278$.
⇒ Not so many good choices for B.
In particular
There are $q^{n^2}$ possible matrices over $\mathbb{F}_q$ but only $q^n$ elements in E.
⇒ "good matrices" corresponding to extension field multiplication form a tiny linear subspace.

$(C^*)^-$ or SFLASH
Last step
Find "good matrices" using the fact that they preserve the membership of the output quadratic equations in V. ("Bad matrices" are extremely unlikely to have this property as V is very sparse in W.)
- Either solve quadratic equations in $n^2$ variables, not so efficient.
- Or use the differential operator to get bivariate bilinear equations from univariate quadratic ones (working since $F(X) = X^{q^\theta + 1}$):
$$DF(a, X) = F(a + X) - F(a) - F(X) + F(0) = a X^{q^\theta} + a^{q^\theta} X.$$

Other generalizations of $C^*$
- Generalize F to a univariate polynomial of a given degree d (HFE):
$$F(X) = \sum_{i,\; q^{\theta_i} + q^{\eta_i} \le d} \alpha_i X^{q^{\theta_i} + q^{\eta_i}}$$
  ⇒ Broken by Faugère and Joux in 2002.
- HFE with removing equations (HFE-).
- Use more than one polynomial for F (multi-$C^*$, multi-HFE).
- Use intermediate field equations (IFS).
- Perturb polynomials or add some auxiliary variable Y (vinegar variable).
- ...
All those schemes are based on hidden fields and extensions.

4 Examples of MPKC schemes: Oil & Vinegar

Oil and Vinegar scheme (OV)
In general:
- Trapdoor achieved by the special structure of the private polynomials, not by field extensions.
- Structure given by distinguishing sets of variables: n = v + o variables, $V := \{u_1, \dots, u_v\}$ (vinegar) and $O := \{u_{v+1}, \dots, u_n\}$ (oil).
- V and O are balanced: v = o, n = 2v = 2o.
- There are v = o private polynomials in F.
Structure of private polynomials
$$f_k(u) = \sum_{i \in V,\, j \in V,\, i \le j} \alpha_{ijk} u_i u_j + \sum_{i \in V,\, j \in O} \beta_{ijk} u_i u_j.$$
There are no quadratic terms in two oil variables.

Oil and Vinegar scheme (OV)
In matrix representation the private polynomials look like the following:
$$F_k = \begin{pmatrix} V \times V & V \times O \\ O \times V & 0_{m \times m} \end{pmatrix} \quad \text{for } 1 \le k \le o$$
Having a message of length v we fix the variables $u_1, \dots, u_v$ in F and receive linear equations in the remaining o variables.
Those linear equations are invertible with high probability.
Public polynomials
Apply secret transformations S and T to receive P as "random" MQ polynomials. In this setting T does not add any further security, so we can assume the identity.

Attacking OV (Kipnis, Shamir; 1998)
- Try to separate vinegar and oil variables in the public polynomials.
- Search for an equivalent representation $F' \circ S' = P = F \circ S$.
- Exploit the balance between v and o: v = o.
- Due to this each $F_i$ maps the oil subspace $u_1 = \dots = u_v = 0$ to the vinegar subspace $u_{v+1} = \dots = u_n = 0$.
- If $F_j$ is invertible (high probability) then $F_i F_j^{-1}$ maps the vinegar space onto itself.
- Thus the image V of the vinegar subspace under S is a common eigenspace for each $P_i P_j^{-1}$, $1 \le i < j \le o$.
- Efficient algorithms for computing eigenspaces by Kipnis and Shamir
  ⇒ Get V, find O such that $O + V = \mathbb{F}_q^n$ (separating vinegar and oil).
  ⇒ Get $(F', S')$ isomorphic to $(F, S)$.

Unbalancing OV – UOV
- This attack works due to v = o ⇒ "unbalance" v and o: v > o.
- In general: n = v + o, m = n − v, v > m, m polynomials.
Be careful
The previous attack also works, in a probabilistic fashion, for v > o. It has complexity $O(q^{v-m-1} m^4) = O(q^{n-2m-1} m^4)$. Thus one should take at least $v \ge 3m$.
Size problem
Enlarging v and o, the key sizes get, at some point, too big for practical applications.

Why do we need big values for v and o?
Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete).
Minrank (n, k, r) problem
Given $M_0, \dots, M_k \in M_{n \times n}(\mathbb{F}_q)$, find $(\lambda_1, \dots, \lambda_k) \in \mathbb{F}_q^k$ such that
$$\operatorname{rank}\left(\sum_{i=1}^{k} \lambda_i M_i - M_0\right) \le r.$$
Often the rank of the matrices corresponding to F is restricted (e.g. in HFE via the degree, in UOV by the choice of v and o).
$$\Longrightarrow \operatorname{rank}\left(\sum_{i=1}^{m} \lambda_i P_i\right) \le r.$$

Somewhere over the Rainbow . . .
Try to improve security by using several layers of UOV.
Rainbow scheme with L layers
- Defined by a tuple $(q, v_1, \dots, v_{L+1})$.
- Preset $0 < v_1 < v_2 < \dots < v_{L+1} = n$, the numbers of vinegar variables of the different layers.
- Number of oil variables $o_\ell = v_{\ell+1} - v_\ell$ for $1 \le \ell \le L$.
- Each layer ℓ consists of $o_\ell$ polynomials $f_{v_\ell - v_1 + 1}, \dots, f_{v_{\ell+1} - v_1}$, where we set $m := \sum_{\ell=1}^{L} o_\ell$.
- For each such level we have vinegar variables $V_\ell = \{u_1, \dots, u_{v_\ell}\}$ and oil variables $O_\ell = \{u_{v_\ell + 1}, \dots, u_{v_{\ell+1}}\}$.

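Added example (not the authors' code): a toy Rainbow signature over $\mathbb{F}_{31}$ in Python that also covers the OV signing procedure of the previous slides, since UOV is Rainbow with L = 1. It builds the layered central map with no oil×oil terms, signs by fixing vinegar values and solving the linear system layer by layer, and verifies with the public matrices $P_k = \sum_l T_{kl}\, S^T F_l S$ in the $x P_k x^T$ form of the public-key slide. The parameters (q = 31, v = (3, 5, 7)), the prime-field arithmetic and the toy "hash" vector are assumptions of this example, not from the slides.

```python
import random

def solve(A, b, q):
    """Solve the square system A x = b over F_q (q prime) by Gaussian elimination; None if singular."""
    n = len(A)
    M = [list(row) + [bi % q] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c] % q), None)
        if piv is None:
            return None                      # no pivot in this column: A is singular
        M[c], M[piv] = M[piv], M[c]
        s = pow(M[c][c], q - 2, q)           # inverse of the pivot (Fermat, q prime)
        M[c] = [(v * s) % q for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] % q:
                f = M[r][c]
                M[r] = [(vr - f * vc) % q for vr, vc in zip(M[r], M[c])]
    return [M[r][n] for r in range(n)]

def matmul(A, B, q):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def quad_eval(Fk, x, q):
    """p(x) = x Fk x^T: the matrix form of an MQ polynomial from the slides."""
    return sum(x[i] * Fk[i][j] * x[j] for i in range(len(x)) for j in range(len(x))) % q

def keygen(q, v, rng):
    """v = (v_1, ..., v_{L+1}); returns the private key (S, F, T) and the public key P = T o F o S."""
    n, L = v[-1], len(v) - 1
    F = []                                   # central map: one upper-triangular n x n matrix per f_k
    for l in range(L):
        for _ in range(v[l + 1] - v[l]):     # o_l polynomials in layer l
            Fk = [[0] * n for _ in range(n)]
            for i in range(v[l]):            # rows: vinegar variables of layer l
                for j in range(i, v[l + 1]): # vinegar*vinegar and vinegar*oil terms, never oil*oil
                    Fk[i][j] = rng.randrange(q)
            F.append(Fk)
    m = len(F)
    while True:                              # random invertible S and T
        S = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        T = [[rng.randrange(q) for _ in range(m)] for _ in range(m)]
        if solve(S, [0] * n, q) is not None and solve(T, [0] * m, q) is not None:
            break
    # f_l(S x) = x^T (S^T F_l S) x, so the public matrices are P_k = sum_l T[k][l] * S^T F_l S
    St = [list(col) for col in zip(*S)]
    G = [matmul(matmul(St, Fl, q), S, q) for Fl in F]
    P = [[[sum(T[k][l] * G[l][i][j] for l in range(m)) % q for j in range(n)] for i in range(n)]
         for k in range(m)]
    return (S, F, T), P

def sign(priv, v, q, h, rng):
    """Invert T, then the central map layer by layer (fix vinegar, solve linear), then S."""
    S, F, T = priv
    z = solve(T, h, q)                       # need F(u) = z
    while True:
        u = [rng.randrange(q) for _ in range(v[0])]   # random first-layer vinegar values
        k = 0
        for l in range(len(v) - 1):
            o = v[l + 1] - v[l]
            A, b = [], []
            for t in range(o):               # with u_1..u_{v_l} fixed, f_{k+t} is linear in the oil variables
                Fk = F[k + t]
                const = sum(u[i] * Fk[i][j] * u[j] for i in range(v[l]) for j in range(i, v[l]))
                A.append([sum(u[i] * Fk[i][v[l] + j] for i in range(v[l])) % q for j in range(o)])
                b.append((z[k + t] - const) % q)
            oil = solve(A, b, q)
            if oil is None:
                break                        # singular linear system: retry with fresh vinegar
            u += oil                         # these oil values are the vinegar of the next layer
            k += o
        else:
            return solve(S, u, q)            # signature x = S^{-1}(u)

def verify(P, x, h, q):
    """Check P(x) = h using only the public MQ system."""
    return [quad_eval(Pk, x, q) for Pk in P] == [hi % q for hi in h]

def oil_oil_block_is_zero(F, v, layer):
    """Sanity check of the trapdoor structure: no oil*oil terms in the polynomials of a layer."""
    lo, hi = v[layer], v[layer + 1]
    start = sum(v[l + 1] - v[l] for l in range(layer))
    return all(F[k][i][j] == 0 for k in range(start, start + hi - lo)
               for i in range(lo, hi) for j in range(lo, hi))

if __name__ == "__main__":
    rng = random.Random(2015)
    q, v = 31, (3, 5, 7)                     # 2-layer Rainbow: n = 7, m = 4; UOV would be v = (3, 6)
    priv, pub = keygen(q, v, rng)
    h = [1, 2, 3, 4]                         # constructed stand-in for a hashed message
    x = sign(priv, v, q, h, rng)
    print("valid signature:", verify(pub, x, h, q))
```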
Rainbow (q, 6, 12, 17, 22, 33)
4-layered Rainbow with m = (12 − 6) + (17 − 12) + (22 − 17) + (33 − 22) = 27 polynomials.
Classical Minrank attack
6 polynomials in the first layer of rank r = 12.
- $\Pr(\text{random vector in } \ker(\sum_{i=1}^{m} \lambda_i P_i)) = \frac{1}{q^r}$.
- For such a vector w we have $(\sum_{i=1}^{m} \lambda_i P_i)\, w = 0$. Linear in $\lambda_1, \dots, \lambda_m$. Since n > m we can just use linear algebra.
- Complexity $O(q^r m^3) = O(q^{12} \cdot 27^3)$.

Rainbow (q, 6, 12, 17, 22, 33)
Improved attack (Billet, Gilbert; 2006)
(Pictured on the slide: for $1 \le k \le 6$ the matrices $F_k$ with their $6 \mid 27$ block split, a vector w split into a 6-entry and a 27-entry part, and the images $w_1 = F_1 w^T, \dots, w_6 = F_6 w^T$, collected as $\hat{w}$.)
- $\Pr(w_i \text{ linearly independent}) = \prod_{i=0}^{5} \left(1 - \frac{q^i}{q^6}\right) < 1 - \frac{1}{q}$.
- $\Pr\left(\sum_{i=1}^{6} \lambda_i F_i w = 0\right) > \frac{1}{q}$.
- $\Pr(\text{random vector of type } w) = \frac{1}{q^6}$.
- Afterwards linear algebra as in the standard Minrank attack: $O(27^3)$.
Total: $O(q^7 \cdot 27^3)$.

Rainbow ($2^8$, 18, 30, 42)
Private matrices, with blocks ordered by $V_1$ (18), $O_1$ (12), $O_2$ (12) and $*$ marking blocks with free coefficients:
$$F_k = \begin{pmatrix} * & * & 0_{18 \times 12} \\ * & 0_{12 \times 12} & 0_{12 \times 12} \\ 0_{12 \times 18} & 0_{12 \times 12} & 0_{12 \times 12} \end{pmatrix} \text{ for } 1 \le k \le 12 \text{ (first layer)}, \qquad F_k = \begin{pmatrix} * & * & * \\ * & * & * \\ * & * & 0_{12 \times 12} \end{pmatrix} \text{ for } 13 \le k \le 24 \text{ (second layer)}$$
Direct key recovery attack
- 24 "random" public polynomials, need to find $S \in \mathrm{Mat}(42 \times 42, \mathbb{F}_q)$ and $T \in \mathrm{Mat}(24 \times 24, \mathbb{F}_q)$.
- Structure of F ⟹ system of polynomial equations in the entries of S and T for the corresponding zero coefficients.
- $(v_1 + o_1 + o_2)^2 + (o_1 + o_2)^2 = 42^2 + 24^2 = 2340$ variables.
- $(o_1 + o_2) \cdot |O_2 \times O_2| + o_1 \cdot |(V_1 \cup O_1) \times O_2| + o_1 \cdot |O_1 \times O_1| = 7128$ (non-linear) equations.
- Complexity: $O(2^{3608})$ (or: forget it!)

Rainbow ($2^8$, 18, 30, 42)
Again the idea of equivalent keys ($*$ marks the free entries):
$$S' = \begin{pmatrix} 1_{18 \times 18} & * & * \\ 0_{12 \times 18} & 1_{12 \times 12} & * \\ 0_{12 \times 18} & 0_{12 \times 12} & 1_{12 \times 12} \end{pmatrix}, \qquad T' = \begin{pmatrix} 1_{12 \times 12} & * \\ 0_{12 \times 12} & 1_{12 \times 12} \end{pmatrix}$$
Equivalent key attack ($T \circ F \circ S = P = T' \circ F' \circ S'$)
- 24 "random" public polynomials, need to find $S' \in \mathrm{Mat}(42 \times 42, \mathbb{F}_q)$ and $T' \in \mathrm{Mat}(24 \times 24, \mathbb{F}_q)$.
- $v_1 \cdot o_1 + v_1 \cdot o_2 + o_1 \cdot o_2 + o_1 \cdot o_2 = 720$ variables.
- The number of equations stays the same, but the $o_1 \cdot |V_1 \times O_2|$ equations are no longer cubic but quadratic (the first $v_1$ variables in $S'$ are set!).
- 2592 quadratic (bihomogeneous in $s_{ij}$ and $t_{kl}$) and 4536 cubic equations.
- Complexity: $O(2^{374})$ (or: still, forget it!)

Rainbow ($2^8$, 18, 30, 42)
Remove information: good keys resp. Rainbow band separation attack
$$S_n'' = \begin{pmatrix} 1_{18 \times 18} & 0_{18 \times 12} & (0_{18 \times 11} \mid *) \\ 0_{12 \times 18} & 1_{12 \times 12} & (0_{12 \times 11} \mid *) \\ 0_{12 \times 18} & 0_{12 \times 12} & 1_{12 \times 12} \end{pmatrix}, \qquad T_1'' = \begin{pmatrix} 1_{12 \times 12} & \left(\begin{smallmatrix} * \\ 0_{11 \times 12} \end{smallmatrix}\right) \\ 0_{12 \times 12} & 1_{12 \times 12} \end{pmatrix}$$
($*$ marks the free entries: the n-th column of the first $v_1 + o_1 = 30$ rows of $S_n''$ and the first row of the upper-right block of $T_1''$.)
We can only recover zero coefficients for $x_n^2$ terms (for all private polynomials) and for $x_k x_n$ terms (for $1 \le k \le n - 1$ and only for the first private polynomial).
- $(v_1 + o_1) + o_2 = 42$ variables
- $(n, n, 1)$: 1 cubic equation.
- $(n, n, k)$: $o_1 + o_2 - 1$ quadratic equations for $2 \le k \le o_1 + o_2$
- $(k, n, 1)$: $v_1 + o_1 + o_2 - 1$ quadratic equations for $1 \le k \le n - 1$
⟹ 42 variables in 65 equations?

Rainbow ($2^8$, 18, 30, 42)
Metacryptography
Not breaking a system, but breaking an attack :)
We can recover zero coefficients for $x_n^2$ terms only for the last $o_2$ private polynomials, and for $x_k x_n$ terms only for $1 \le k \le v_1$ and only for the first private polynomial.
- $(v_1 + o_1) + o_2 = 42$ variables
- $(n, n, 1)$: 1 cubic equation.
- $(n, n, k)$: $o_2$ quadratic equations for $o_1 + 1 \le k \le o_1 + o_2$
- $(k, n, 1)$: $v_1$ quadratic equations for $1 \le k \le v_1$
⟹ 42 variables in 31 equations.

Rainbow ($2^8$, 18, 30, 42)
Fix the attack by adding more rows to $T''$:
- Minimal system received with 3 rows in $T''$ and $S_n''$.
- $v_1 + o_1 + 3 \cdot o_2 = 66$ variables.
- 3 cubic equations, 66 quadratic equations.
- Complexity: still $O(2^{231})$ (or: well, you know)

Rainbow ($2^8$, 18, 30, 42)
Metametacryptography
Not breaking a system, but breaking the attack on an attack :)
The Rainbow band separation attack is really working out!
- $(v_1 + o_1) + o_2 = 42$ variables
- $(n, n, 1)$: 1 cubic equation.
- $(n, n, k)$: $o_1 + o_2 - 1$ quadratic equations for $2 \le k \le o_1 + o_2$
- $(k, n, 1)$: $v_1 + o_1 + o_2 - 1$ quadratic equations for $1 \le k \le n - 1$
- 65 equations in 42 variables
- Complexity: $O(2^{95})$
Still not feasible, but now we have new ideas.

References
[1] Bettale, L., Faugère, J.-C., and Perret, L. Cryptanalysis of HFE, Multi-HFE and Variants for Odd and Even Characteristic. PKC 2011.
[2] Billet, O. and Gilbert, H. Cryptanalysis of Rainbow. Security and Cryptography for Networks, 2006.
[3] Ding, J. and Schmidt, D. Rainbow, a new multivariable polynomial signature scheme. Applied Cryptography and Network Security, 2005.
[4] Ding, J. and Yang, B.-Y. Multivariate Public Key Cryptography. 2009.
[5] Kipnis, A. and Shamir, A. Cryptanalysis of the Oil and Vinegar Signature Scheme. Crypto 1998.
[6] Matsumoto, T. and Imai, H. Public Quadratic Polynomial Tuples for Efficient Signature Verification and Message Encryption. Eurocrypt 1988.
[7] Patarin, J. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 88. Crypto 1995.
[8] Patarin, J. Hidden Field Equations (HFE) and Isomorphisms of Polynomials. Eurocrypt 1996.
[9] Patarin, J. The Oil and Vinegar Algorithm for Signatures. Presented at the Dagstuhl workshop on Cryptography, 1997.
[10] Thomae, E. About the Security of Multivariate Quadratic Public Key Schemes. PhD thesis, Ruhr University Bochum, Germany, 2013.
[11] Wolf, C. and Preneel, B. Superfluous keys in Multivariate Quadratic asymmetric systems. PKC 2004.