Title: Some new aspects concerning the Analysis of HFE type Cryptosystems
1. Some new aspects concerning the Analysis of HFE type Cryptosystems
- Magnus Daum, Patrick Felke
2. Overview
- What is HFE?
- Some Experimental Results on Attacking HFE with Buchberger Algorithm
- An improved Algorithm for Separating Branches
3. What is HFE?
4. Basic HFE
one-way trapdoor function
Trapdoor
5. Basic HFE: Example
6. Basic HFE: Example
7. Basic HFE: Example
Encryption
8. Basic HFE: Example
Decryption
9. Basic HFE: Example
Signing / Verifying
10. Parameters of HFE
- n Number of unknowns and equations
- q Size of smaller finite field K
- d Degree of hidden polynomial ?
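Added example (not from the slides): a toy HFE public map for q = 2, n = 5, d = 9, showing how the three parameters enter and checking that P = T o F o S has algebraic degree 2 over GF(2). The field modulus, the seed and all function names are assumptions chosen for illustration.

```python
import random

N, MOD, D = 5, 0b100101, 9  # toy n = 5, GF(2^5) mod x^5 + x^2 + 1, degree bound d = 9

def gf_mul(a, b):
    """Multiply in GF(2^N); field elements are N-bit integers."""
    r = 0
    for i in range(N):                       # carry-less product
        r ^= (a << i) * (b >> i & 1)
    for i in range(2 * N - 2, N - 1, -1):    # reduce modulo MOD, top bit first
        r ^= (MOD << (i - N)) * (r >> i & 1)
    return r

def hidden_poly(coeff, X):
    """Evaluate the sum of coeff[e] * X^e in GF(2^N)."""
    y, p = 0, 1
    for e in range(max(coeff) + 1):          # invariant: p == X^e
        y ^= gf_mul(coeff.get(e, 0), p)
        p = gf_mul(p, X)
    return y

def random_invertible(rng):
    """Random invertible N x N matrix over GF(2); rows are N-bit integers."""
    while True:
        rows, basis = [rng.randrange(1, 1 << N) for _ in range(N)], []
        for v in rows:
            for b in basis:
                v = min(v, v ^ b)            # clear b's leading bit from v
            basis += [v] if v else []
        if len(basis) == N:
            return rows

def affine(M, c, x):  # x -> Mx + c over GF(2), rows of M as bit masks
    return c ^ sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(M))

def public_table(seed=1):
    """Value table of P = T o F o S; for q = 2, F uses exponents of binary weight <= 2."""
    rng = random.Random(seed)
    coeff = {e: rng.randrange(1, 1 << N) for e in range(1, D + 1) if bin(e).count("1") <= 2}
    (S, s0), (T, t0) = [(random_invertible(rng), rng.randrange(1 << N)) for _ in range(2)]
    return [affine(T, t0, hidden_poly(coeff, affine(S, s0, x))) for x in range(1 << N)]

def algebraic_degree(table):
    """Highest monomial degree over all output bits (Moebius transform to ANF)."""
    f = list(table)
    for i in range(N):
        for x in range(1 << N):
            f[x] ^= f[x ^ (1 << i)] * (x >> i & 1)
    return max((bin(x).count("1") for x in range(1 << N) if f[x]), default=0)
```

`algebraic_degree(public_table())` is 2 for any seed, whereas a hidden monomial outside the HFE shape, such as X^7, already yields cubic public polynomials.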
11. Overview
- What is HFE?
- Some Experimental Results on Attacking HFE with Buchberger Algorithm
  - General Approach with Buchberger Algorithm
  - Why HFE systems are special
  - Simulations
  - Perturbations
- An improved Algorithm for Separating Branches
12. General Approach
13. General Approach: Example
Decryption / Signing
14. General Approach: Example
15. General Approach: Problems
- degree of output polynomials may get very big
- Buchberger algorithm has exponential worst case complexity
- compute all solutions in algebraic closure
16. HFE Systems are Special
17. HFE Systems are Special
- defined over a very small finite field
- include only quadratic polynomials
- need only solutions in the base field Fq
- hidden polynomial of low degree
18. Solutions in the Base Field
19. Solutions in the Base Field
- Advantages
  - we compute only information we need
  - degree of polynomials involved in this computation is bounded
20. HFE Systems are Special
- defined over a very small finite field
- include only quadratic polynomials
- need only solutions in the base field Fq
- hidden polynomial of low degree
21. Hidden Polynomial
- One main idea of Buchberger Algorithm can be described as making use of relations between the input polynomials in a sophisticated way
- Attack on C* (Patarin / Dobbertin)
  - For C*-systems there are many linear relations between the public polynomials.
- Courtois
  - For general HFE there are also some relations, but they are more complex.
  - lower degree d → more relations
22. HFE Systems are Special
- defined over a very small finite field
- include only quadratic polynomials
- need only solutions in the base field Fq
- hidden polynomial of low degree
23. Simulations
24. Simulations
- about 100.000 simulations in SINGULAR
- parameters mostly
- HFE systems and random quadratic systems
- in each simulation
  - generate system of quadratic equations (HFE or random)
  - add polynomials
  - solve by applying Buchberger Algorithm (with FGLM)
25. Simulations: Dependence on n
26. Simulations: Dependence on n
[Plot: log(time) against n; label: $q = 2$, C]
27. Simulations: Dependence on d
28. Simulations: Dependence on $\lceil \log_q d \rceil$
and usually $\log_q(d) \ll n$ (e.g. HFE Challenge 1: $q = 2$, $n = 80$, $d = 96 \rightarrow \lceil \log_q(d) \rceil = 7 \ll 40$)
29. Simulations: Dependence on $\lceil \log_q d \rceil$
- Usually $\lceil \log_q(d) \rceil \ll n$
  - e.g. HFE Challenge 1: $q = 2$, $n = 80$, $d = 96$, $\lceil \log_q(d) \rceil = 7 \ll 80$
- Extrapolating the times needed for $d = 96$, solving this challenge seems out of reach
- By applying a highly optimized variant of the Buchberger Algorithm in the future it might be possible to solve certain instances of HFE with very small d in some feasible time.
- By applying F5/2 now it is possible to solve HFE Challenge 1 in 96 h.
30. Perturbations
31. Perturbations
- Small changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure
- e.g. - (i.e. removing polynomials)
Public Key
32. Perturbations
- Small changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure
- e.g. (i.e. adding some random polynomials)
Public Key (after mixing with S and T)
33. Perturbations
- Small changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure
- Perturbed HFE systems are claimed to be more secure than Basic HFE systems
- All proposed HFE systems (e.g. SFLASH, QUARTZ) use perturbations
34. Simulations on Perturbations
- Simulations in the case $q = 2$, $n = 15$
- included systems generated
  - from HFE with $d \in \{5, 9, 17\}$
  - randomly
- added / removed / replaced between 0 and 5 polynomials
35. Simulations on Perturbations
It is better to consider the ratio of the time needed for HFE systems to that for random systems
36. Simulations on Perturbations
It is better to consider the ratio of the time needed for HFE systems to that for random systems
- adding/removing just a few polynomials makes solving HFE systems significantly more difficult
- Perturbed HFE seems to be more secure than Basic HFE
37. Conclusion of this part
- Time complexity of solving HFE systems by applying Buchberger Algorithm depends
  - nearly exponentially on number n of unknowns
  - strongly on $\lceil \log_q(d) \rceil$
- Security of HFE depends significantly on the degree of the hidden polynomial
- Perturbations seem to make HFE more secure
38. Overview
- What is HFE?
- Some Experimental Results on Attacking HFE with Buchberger Algorithm
- An improved Algorithm for Separating Branches