Some new aspects concerning the Analysis of HFE type Cryptosystems
Ruhr University Bochum
Faculty of Mathematics, Information-Security and Cryptology
Some new aspects concerning the Analysis of HFE type Cryptosystems
Magnus Daum, Patrick Felke
06.06.2002
Overview
• What is HFE?
• Some Experimental Results on Attacking HFE with Buchberger Algorithm
• An improved Algorithm for Separating Branches

What is HFE?
Basic HFE
[Diagram: Secret Key, Public Key, Trapdoor, one-way trapdoor function]
Basic HFE: Example
Encryption
Decryption
Signing / Verifying
Parameters of HFE
• n: Number of unknowns and equations
• q: Size of smaller finite field K
• d: Degree of hidden polynomial
Overview
• What is HFE?
• Some Experimental Results on Attacking HFE with Buchberger Algorithm
  – General Approach with Buchberger Algorithm
  – Why HFE systems are special
  – Simulations
  – Perturbations
• An improved Algorithm for Separating Branches

General Approach
General Approach: Example
Signing / Decryption
Buchberger Algorithm
General Approach: Problems
• degree of output polynomials may get very big
• Buchberger algorithm has exponential worst case complexity
• compute all solutions in algebraic closure
• …
In general only feasible for very few unknowns

HFE Systems are Special
HFE Systems are Special
• defined over a very small finite field
• include only quadratic polynomials
• need only solutions in the base field F_q
• hidden polynomial of low degree
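Added example (not from the slides): a toy Basic HFE public map over GF(2^5), showing why the public polynomials are only quadratic when the hidden polynomial uses exponents 0, q^i and q^i + q^j up to d, and how one other exponent breaks that. It assumes the standard HFE shape of the hidden polynomial, which this transcript no longer shows; the field, S, T, the coefficients and all function names are constructed for illustration.

```python
N, MOD = 5, 0b100101   # toy field GF(2^5) = GF(2)[t]/(t^5 + t^2 + 1), constructed

def gf_mul(a, b):      # product in GF(2^N); elements are N-bit integers
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= MOD
    return r

def hfe_exponents(q, d):
    """Exponents of an HFE hidden polynomial: 0, q^i and q^i + q^j, all <= d."""
    powers = [q**i for i in range(d.bit_length()) if q**i <= d]
    return sorted({0, *powers, *(a + b for a in powers for b in powers if a + b <= d)})

def affine(cols, const, x):
    """M*x + const over GF(2); cols[i] is the image of unit vector i."""
    for i in range(N):
        if x >> i & 1:
            const ^= cols[i]
    return const

def public_map(terms, S, T):
    """Value table of T o f o S with f(X) = sum of c * X^e over terms {e: c}."""
    def f(x):
        y = 0
        for e, c in terms.items():
            p = 1
            for _ in range(e):
                p = gf_mul(p, x)
            y ^= gf_mul(c, p)
        return y
    return [affine(*T, f(affine(*S, x))) for x in range(1 << N)]

def algebraic_degree(table):
    """Highest degree among the N public polynomials (Moebius transform over GF(2))."""
    anf = list(table)   # all N output bits are transformed in parallel
    for i in range(N):
        for x in range(1 << N):
            if x >> i & 1:
                anf[x] ^= anf[x ^ (1 << i)]
    return max((bin(m).count("1") for m, c in enumerate(anf) if c), default=0)

# Constructed toy key for q=2, n=5, d=9: S and T are invertible affine maps (cols, const).
S = ([0b00011, 0b00110, 0b01100, 0b11000, 0b10000], 0b01010)
T = ([0b00001, 0b00011, 0b00111, 0b01111, 0b11111], 0b10001)
TERMS = {e: (3 * e + 1) % 32 for e in hfe_exponents(2, 9)}
```

`algebraic_degree(public_map(TERMS, S, T))` is 2; adding a term X^7, whose exponent has binary weight 3, raises it to 3.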
Solutions in the Base Field
solutions we are looking for fulfil
Proposition:
Buchberger Algorithm
Advantages:
• we compute only information we need
• degree of polynomials involved in this computation is bounded
Hidden Polynomial
• Attack on C* (Patarin / Dobbertin):
  – For C*-systems there are many linear relations between the public polynomials.
• Courtois:
  – For general HFE there are also some relations, but they are more complex.
  – lower degree d ⇒ more relations
• One main idea of Buchberger Algorithm can be described as making use of relations between the input polynomials in a sophisticated way
Simulations
• in each simulation:
  – generate system of quadratic equations (HFE or random)
  – add polynomials
  – solve by applying Buchberger Algorithm (with FGLM)
• about 100.000 simulations in SINGULAR
• parameters: mostly
• HFE systems and random quadratic systems
Simulations: Dependence on n
[Plot: log(time) versus n; curves: q=3, random; q=3, d=12; q=2, d=20; q=3, d=30; q=2, d=128; q=2, random; q=2, C*]
exponential time complexity !?
Simulations: Dependence on d
time depends on ⌈log_q(d)⌉ rather than on d

Simulations: Dependence on ⌈log_q d⌉
and usually log_q(d) << n (e.g. HFE Challenge 1: q=2, n=80, d=96 ⇒ ⌈log_q(d)⌉ = 7 << 40)
• if d is large (approx. ), HFE systems behave like systems of random quadratic equations (random systems correspond to ⌈log_q d⌉ = n)
• if d is small (approx. ), solving HFE systems becomes much easier !!
[Plot annotations: ·3 ·3 ·3; ·8 ·11 ·7]
• Usually ⌈log_q(d)⌉ << n
  – (e.g. HFE Challenge 1: q=2, n=80, d=96, ⌈log_q(d)⌉ = 7 << 80)
• Extrapolating the times needed for d=96, solving this challenge seems out of reach
[Plot: log(time)]
• By applying a highly optimized variant of the Buchberger Algorithm in the future it might be possible to solve certain instances of HFE with very small d in some feasible time.
• By applying F5/2 now it is possible to solve HFE Challenge 1 in 96 h.
Perturbations
• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure
• e.g. „-“ (i.e. removing polynomials): Public Key
• e.g. „+“ (i.e. adding some random polynomials): Public Key (after „mixing“ with S and T)
• Perturbated HFE systems are claimed to be more secure than Basic HFE systems
• All proposed HFE systems (e.g. SFLASH, QUARTZ) use perturbations
Simulations on Perturbations
• Simulations in the case q=2, n=15
• included systems generated
  – from HFE with d ∈ {5, 9, 17}
  – randomly
• added / removed / replaced between 0 and 5 polynomials
[Plots: time_1 versus number of added (plus) and removed (minus) polynomials, 0 to 5 each; panels: random, d=5]
Better consider the ratio of needed times for HFE systems to that for random systems
[Plots: ratio versus number of added (plus) and removed (minus) polynomials, 0 to 5 each; panels: d=5, d=9, d=17]
• adding/removing just some few polynomials makes solving HFE systems significantly more difficult
• Perturbated HFE seems to be more secure than Basic HFE
Conclusion of this part
• Time complexity of solving HFE systems by applying Buchberger Algorithm depends …
  – nearly exponentially on number n of unknowns
  – strongly on ⌈log_q(d)⌉
• Security of HFE depends significantly on the degree of the hidden polynomial
• Perturbations seem to make HFE more secure
Overview
• What is HFE?
• Some Experimental Results on Attacking HFE with Buchberger Algorithm
• An improved Algorithm for Separating Branches