Some new aspects concerning the Analysis of HFE type Cryptosystems

1
Some new aspects concerning the Analysis of HFE
type Cryptosystems
  • Magnus Daum, Patrick Felke

2
Overview
  • What is HFE?
  • Some Experimental Results on Attacking HFE with
    Buchberger Algorithm
  • An improved Algorithm for Separating Branches

3
What is HFE?
4
Basic HFE
one-way trapdoor function
Trapdoor
5
Basic HFE Example
6
Basic HFE Example
7
Basic HFE Example
Encryption
8
Basic HFE Example
Decryption
9
Basic HFE Example
/
Signing
Verifying
10
Parameters of HFE
  • n: number of unknowns and equations
  • q: size of smaller finite field K
  • d: degree of hidden polynomial

11
Overview
  • General Approach with Buchberger Algorithm
  • Why HFE systems are special
  • Simulations
  • Perturbations
  • What is HFE?
  • Some Experimental Results on Attacking HFE with
    Buchberger Algorithm
  • An improved Algorithm for Separating Branches

12
General Approach
13
General Approach Example
/
Signing
Decryption
14
General Approach Example
15
General Approach Problems
  • degree of output polynomials may get very big
  • Buchberger algorithm has exponential worst-case
    complexity
  • compute all solutions in algebraic closure

16
HFE Systems are Special
17
HFE Systems are Special
  • defined over a very small finite field
  • include only quadratic polynomials
  • need only solutions in the base field Fq
  • hidden polynomial of low degree
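
Why the public system contains only quadratic polynomials, as an added example that is not part of the original slides: a univariate polynomial over GF(2^n) whose exponents all have the form 2^i + 2^j, 2^i or 0 becomes n polynomials of degree at most 2 over GF(2). The toy field GF(2^4), its modulus and all coefficients are constructed assumptions; the affine maps S and T are left out because they do not change the degree.

```python
N = 4            # extension degree n (assumed toy value)
MOD = 0b10011    # x^4 + x + 1, irreducible over GF(2), defines GF(2^4)

def gf_mul(a, b):
    """Multiply two elements of GF(2^N), each packed into an int."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # reduce as soon as the degree reaches N
            a ^= MOD
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^N)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def evaluate(poly, x):
    """Evaluate a univariate polynomial {exponent: coefficient} at x."""
    y = 0
    for e, c in poly.items():
        y ^= gf_mul(c, gf_pow(x, e))
    return y

def algebraic_degree(poly):
    """Largest degree over GF(2) among the N coordinate polynomials."""
    table = [evaluate(poly, x) for x in range(1 << N)]
    for i in range(N):                  # Moebius transform: truth table -> ANF
        for x in range(1 << N):
            if x >> i & 1:
                table[x] ^= table[x ^ (1 << i)]
    # Index m is a monomial (bitmask of variables); its degree is popcount(m).
    return max((bin(m).count("1") for m, c in enumerate(table) if c), default=0)

# Constructed hidden polynomial in HFE shape with d = 9:
# every exponent is 2^i + 2^j (9, 5, 3, 2), 2^i (1) or 0.
HFE_POLY = {9: 0x3, 5: 0x7, 3: 0x1, 2: 0xA, 1: 0x5, 0: 0x1}
# Lower univariate degree (7 < 9), but 7 = 4 + 2 + 1 is not of HFE shape.
NON_HFE_POLY = {7: 0x1}
```

`algebraic_degree(HFE_POLY)` is 2, while `algebraic_degree(NON_HFE_POLY)` is 3: the quadratic public key comes from the shape of the exponents, not from a small d alone.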

18
Solutions in the Base Field
19
Solutions in the Base Field
  • Advantages
  • we compute only information we need
  • degree of polynomials involved in this
    computation is bounded

20
HFE Systems are Special
  • defined over a very small finite field
  • include only quadratic polynomials
  • need only solutions in the base field Fq
  • hidden polynomial of low degree

21
Hidden Polynomial
  • One main idea of Buchberger Algorithm can be
    described as making use of relations between the
    input polynomials in a sophisticated way
  • Attack on C* (Patarin / Dobbertin)
  • For C*-systems there are many linear relations
    between the public polynomials.
  • Courtois
  • For general HFE there are also some relations,
    but they are more complex.
  • lower degree d ⇒ more relations

22
HFE Systems are Special
  • defined over a very small finite field
  • include only quadratic polynomials
  • need only solutions in the base field Fq
  • hidden polynomial of low degree

23
Simulations
24
Simulations
  • about 100.000 simulations in SINGULAR
  • parameters mostly
  • HFE systems and random quadratic systems
  • in each simulation
  • generate system of quadratic equations
  • (HFE or random)
  • add polynomials
  • solve by applying Buchberger Algorithm (with FGLM)

25
Simulations Dependence on n
26
Simulations Dependence on n
[Plot: log(time) versus n; label: q = 2, C]
27
Simulations Dependence on d
28
Simulations Dependence on $\lceil \log_q d \rceil$
and usually $\log_q(d) \ll n$ (e.g. HFE Challenge 1:
$q = 2$, $n = 80$, $d = 96 \Rightarrow \lceil \log_q(d) \rceil = 7 \ll 40$)
29
Simulations Dependence on $\lceil \log_q d \rceil$
  • Usually $\lceil \log_q(d) \rceil \ll n$
  • e.g. HFE Challenge 1: $q = 2$, $n = 80$, $d = 96$
    ($\lceil \log_q(d) \rceil = 7 \ll 80$)
  • Extrapolating the times needed for $d = 96$, solving
    this challenge seems out of reach
  • By applying a highly optimized variant of
    the Buchberger Algorithm in the future it might
    be possible to solve certain instances of HFE
    with very small d in some feasible time.
  • By applying F5/2 now it is possible to solve HFE
    Challenge 1 in 96 h.

30
Perturbations
31
Perturbations
  • Little changes on the multivariate side of the
    cryptosystem which are used to hide the
    underlying algebraic structure
  • e.g. - (i.e. removing polynomials)

Public Key
32
Perturbations
  • Little changes on the multivariate side of the
    cryptosystem which are used to hide the
    underlying algebraic structure
  • e.g. (i.e. adding some random polynomials)

Public Key (after mixing with S and T)
33
Perturbations
  • Little changes on the multivariate side of the
    cryptosystem which are used to hide the
    underlying algebraic structure
  • Perturbated HFE systems are claimed to be more
    secure than Basic HFE systems
  • All proposed HFE systems (e.g. SFLASH, QUARTZ)
    use perturbations

34
Simulations on Perturbations
  • Simulations in the case $q = 2$, $n = 15$
  • included systems generated
  • from HFE with $d \in \{5, 9, 17\}$
  • randomly
  • added / removed / replaced between 0 and 5
    polynomials

35
Simulations on Perturbations
Better consider the ratio of needed times for HFE
systems to that for random systems
36
Simulations on Perturbations
Better consider the ratio of needed times for HFE
systems to that for random systems
  • adding/removing just some few polynomials makes
    solving HFE systems significantly more difficult
  • Perturbated HFE seems to be more secure than
    Basic HFE

37
Conclusion of this part
  • Time complexity of solving HFE systems by
    applying Buchberger Algorithm depends
  • nearly exponentially on number n of unknowns
  • strongly on $\lceil \log_q(d) \rceil$
  • Security of HFE depends significantly on the
    degree of the hidden polynomial
  • Perturbations seem to make HFE more secure

38
Overview
  • What is HFE?
  • Some Experimental Results on Attacking HFE with
    Buchberger Algorithm
  • An improved Algorithm for Separating Branches