Abstract
In the last few years multivariate public key cryptography has experienced an infusion of new ideas for encryption. Among these new strategies is the ABC Simple Matrix family of encryption schemes which utilize the structure of a large matrix algebra to construct effectively invertible systems of nonlinear equations hidden by an isomorphism of polynomials. The cubic version of the ABC Simple Matrix Encryption was developed with provable security in mind and was published including a heuristic security argument claiming that an attack on the scheme should be at least as difficult as solving a random system of quadratic equations over a finite field.
In this work, we prove that these claims are erroneous. We present a complete key recovery attack breaking full sized instances of the scheme. Interestingly, the same attack applies to the quadratic version of ABC, but is far less efficient; thus, the enhanced security scheme is less secure than the original.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Classical public key cryptography is mainly based on arithmetic constructions on Abelson groups. Since the discovery by Shor in the 1990s of efficient algorithms for factoring and computing discrete logarithms with quantum computers, see [1], there has been a growing interest in the international community in the task of constructing algorithms resistant to cryptanalysis with quantum computers. Indeed, in light of the announcement [?] by the National Institute of Standards and Technology (NIST) of an imminent call for proposals for post-quantum standards, the challenge of migrating from the homogeneous heritage of public key cryptography to a more diverse collection of tools has become mainstream.
One possible candidate for practical, efficient, and nonconforming solutions to some of the most consequential public key applications is Multivariate Public Key Cryptography (MPKC). Multivariate schemes are attractive in certain applications because of the maleability of the schemes. Different modifications of similar ideas can make a scheme more suited to lightweight architectures, enhance security, or parametrize various aspects of performance.
In addition, MPKC is one among a few serious candidates to have risen to prominence as post-quantum options. The fundamental problem of solving a system of quadratic equations is known to be NP-hard, and so in the worst case, solving a system of generic quadratic equations is unfeasible for a classical computer; neither is there any indication that the task is easier in the quantum computing paradigm.
MPKC has experienced a fair amount of success in the realm of digital signatures. Some trustworthy schemes that have survived for almost two decades include UOV [2], HFE- [3], and HFEv- [4]. Moreover, some of these schemes have optimizations which have strong theoretical support or have stood unbroken in the literature for some time. Specifically, UOV has a cyclic variant [5] which reduces the key size dramatically, and Gui, a new HFEv- scheme, see [6], has parameters far more appealing than QUARTZ due to greater confidence in the complexity of algebraically solving the underlying system of equations [7].
The situation with multivariate public key encryption is quite different, however. Many attempts at multivariate encryption, see [8, 9] for example, have been shown to be weak based on rank or differential weaknesses. Recently, a few interesting attempts to achieve multivariate encryption have surfaced. ZHFE, see [10], and the ABC Simple Matrix Scheme, see [11], both use fundamentally new structures for the derivation of an encryption system. While it was shown that the best attack known on the Simple Matrix structure, see [12]—which relies on the differential invariant structure of the central map—supports the claimed security level of the scheme, a subset of the original authors proposed a cubic version of the scheme, [13], as a step towards provable security.
In this article, we present a key recovery attack on a full scale version of the Cubic Simple Matrix encryption scheme, having a complexity on the order of \(q^{s\,+\,2}\) for characteristic \(p\,>\,3\), \(q^{s\,+\,3}\) for characteristic 3 and \(q^{2s\,+\,6}\) for characteristic 2. Here s is the dimension of the matrices in the scheme, and q is the cardinality of the finite field used. This technique is an extension and augmentation of the technique of [12], and, similarly, exploits a differential invariant property of the core map to perform a key recovery attack. We can show that the attack uses a property which uniquely distinguishes the isomorphism class of the central map from that of a random collection of formulae.
Specifically, our attack breaks CubicABC (\(q\,=\,127\), \(s\,=\,7\)), designed for 80-bit security, in approximately \(2^{76}\) operations (or around \(2^{80}\) if one pessimistically uses \(\omega \,=\,3\) as the linear algebra constant). More convincingly, our attack completely breaks CubicABC (\(q\,=\,127\), \(s\,=\,8\)), designed for 100-bit security, in approximately \(2^{84}\) operations (or \(2^{88}\) for \(\omega \,=\,3\)). Furthermore, the attack is fully parallelizable and requires very little memory; hence, the differential invariant attack is far more efficient than algebraic attacks, the basis for the original security estimation. Thus, the security claims in [13] are clearly unfounded; in fact, the cubic version of the scheme, whose security was claimed to be closely related to an NP-complete problem, is actually less secure than the quadratic case.
The paper is organized as follows. In the next section, we present the structure of the Cubic ABC Simple Matrix encryption scheme. In the following section, we recall differential invariants and present a natural extension of this notion to the case of cubic polynomials. The differential invariant structure of the ABC scheme is derived in the subsequent section and the effect of this structure on minrank calculations is determined. We next calculate the complexity of the full attack including the linear algebra steps required to extend the distinguisher into a key recovery mechanism. Finally, we review these results and discuss the surprising relationship between the practical security of the Cubic ABC scheme and its quadratic counterpart.
2 The Cubic ABC Matrix Encryption Scheme
In [13], the Cubic ABC Matrix encryption scheme is proposed. The motivation behind the scheme is to use a large matrix algebra over a finite field to construct an easily invertible cubic map. The construction uses matrix multiplication to combine random quadratic formulae and random linear formula into cubic formulae in a way that allows a user with knowledge of the structure of the matrix algebra and polynomial isomorphism used to compose the scheme to invert the map.
Let \(k\,=\,\mathbb {F}_q\) be a finite field. Linear forms and variables over k will be denoted with lower case letters. Vectors of any dimension over k will be denoted with bold font, \(\mathbf {v}\). Fix \(s\in \mathbb {N}\) and set \(n\,=\,s^2\) and \(m\,=\,2s^2\). An element of \(M_s(k)\), \(M_n(k)\) or \(M_m(k)\), or the linear transformations they represent, will be denoted by upper case letters, such as M. When the entries of the matrix are being considered functions of a variable, the matrix will be denoted \(M(\mathbf {x})\). Let \(\phi \) represent the vector space isomorphism from \(M_{s\times 2s}(k)\) to \(k^{2s^2}\) sending a matrix to the column vector consisting of the concatenation of its rows. The output of this map, being a vector, will be written with bold font; however, to indicate the relationship to its matrix preimage, it will be denoted with an upper case letter, such as \(\mathbf {M}\).
The scheme utilizes an isomorphism of polynomials to hide the internal structure. Let \(\mathbf {x}\,=\,\left[ \begin{matrix}x_1,x_2,\ldots ,x_n\end{matrix}\right] ^{\top }\in k^n\) denote plaintext while \(\mathbf {y}\,=\,\left[ \begin{matrix}y_1,\ldots ,y_m\end{matrix}\right] \in k^m\) denotes ciphertext. Fix two invertible linear transformations \(T\in M_m(k)\) and \(U\in M_n(k)\) (One may use affine transformations, but there is no security or performance benefit in doing so.) Denote the input and output of the central map by \(\mathbf {u}\,=\,U\mathbf {x}\) and \(\mathbf {v}\,=\,T^{-1}(\mathbf {y})\).
The construction of the central map is as follows. Define three \(s\times s\) matrices A, B, and C in the following way:
and
Here the \(p_i\) are quadratic forms on \(\mathbf {u}\) chosen independently and uniformly at random from among all quadratic forms and the \(b_i\) and \(c_i\) are linear forms on \(\mathbf {u}\) chosen independently and uniformly at random from among all linear forms.
We define two \(s\times s\) matrices \(E_1\,=\,AB\) and \(E_2\,=\,AC\). Since A is quadratic and B and C are linear in \(u_i\), \(E_1\) and \(E_2\) are cubic in the \(u_i\). The central map \(\mathcal {E}\) is defined by
Thus \(\mathcal {E}\) is an m dimensional vector of cubic forms in \(\mathbf {u}\). Finally, the public key is given by \(\mathcal {F}=T\circ \mathcal {E}\circ U\).
Encryption with this system is standard: given a plaintext \((x_1,\ldots ,x_n)\), compute \((y_1,\ldots ,y_m)\,=\,\mathcal {F}(x_1,\ldots ,x_n)\). Decryption is somewhat more complicated.
To decrypt, one inverts each of the private maps in turn: apply \(T^{-1}\), invert \(\mathcal {E}\), and apply \(U^{-1}\). To “invert” \(\mathcal {E}\), one assumes that \(A(\mathbf {u})\) is invertible, and forms a matrix
where the \(w_i\) are indeterminants. Then using the relations \(A^{-1}(\mathbf {u})E_1(\mathbf {u})\,=\,B(\mathbf {u})\) and \(A^{-1}(\mathbf {u})E_2(\mathbf {u})\,=\,C(\mathbf {u})\), we have \(m\,=\,2s^2\) linear equations in \(2n\,=\,2s^2\) unknowns \(w_i\) and \(u_i\). Using, for example, Gaussian elimination one can eliminate all of the variables \(w_i\) and most of the \(u_i\). The resulting relations can be substituted back into \(E_1(\mathbf {u})\) and \(E_2(\mathbf {u})\) to obtain a large system of equations in very few variables which can be solved efficiently in a variety of ways.
3 Subspace Differential Invariants for Cubic Maps
Let \(f : k^n \rightarrow k^m\) be an arbitrary fixed function on \(k^n\). Consider the discrete differential \(Df(\mathbf {a}, \mathbf {x})\,=\,f(\mathbf {a}\,+\,\mathbf {x})\,-\,f(\mathbf {a})\,-\,f(\mathbf {x})\,+\,f(\mathbf {0})\).
If f is quadratic, we can express the differential as an n-tuple of bilinear differential coordinate forms in the following way: \([Df(\mathbf {a}, \mathbf {x})]_i\,=\,\mathbf {a}^{\top }Df_i\mathbf {x}\), where \(Df_i\) is a symmetric matrix representation of the action on the ith coordinate of the bilinear differential. If the function f is cubic \(Df(\mathbf {a}, \mathbf {x})\) is a symmetric bi-quadratic function. By the symmetry, it is well defined to compute a second differential \(D^2f(\mathbf {a}, \mathbf {b}, \mathbf {x})\) by computing the discrete differential of Df with respect to either \(\mathbf {a}\) or \(\mathbf {x}\). In this case, we may consider the second differential as an n-tuple of trilinear differential coordinate forms by letting \(D^2f_i\) be the symmetric 3-tensor representing the action on the ith coordinate of the trilinear differential.
In [12], the following definition of a subspace differential invariant was provided:
Definition 1
A subspace differential invariant of a quadratic map \(f:k^n\rightarrow k^m\) with respect to a subspace \(X\subseteq k^m\) is a subspace \(V\subseteq k^n\) with the property that there exists a \(W\subseteq k^n\) of dimension at most dim(V) such that simultaneously \(AV\subseteq W\) for all \(A\,=\,\sum _{i\,=\,1}^mx_iDf_i\) where \((x_1,\ldots ,x_m)\in X\), i.e. \(A\in \text{ Span }_X(Df_i)\).
This definition captures the idea of a subspace of the span of the public polynomials acting linearly on a subspace of the plaintext space in the same way. Such behavior is strange for quadratic maps in general. Furthermore, as shown in [12], this behavior is computable regardless of the rank of the maps involved.
A natural generalization of this definition is the following:
Definition 2
A subspace differential invariant of a cubic map \(f:k^n\rightarrow k^m\) with respect to a subspace \(X\subseteq k^m\) is a pair of subspaces \((V_1,V_2)\subseteq \left( k^n\right) ^2\) for which there exists a subspace \(W\subseteq k^n\) with \(dim(W)\le mindim(V_i)\) such that for all \(A=\sum _{i\,=\,1}^mx_iD^2f_i\) where \((x_1,\ldots ,x_m)\in X\), for all \(\mathbf {a}\in V_2\), for all \(\mathbf {b}\in V_2\) and for all \(\mathbf {x}\in W^{\perp }\) we have that \(A(\mathbf {a},\mathbf {b},\mathbf {x})\,=\,0\).
This definition captures the notion of a subspace of the span of the public cubic polynomials acting quadratically on a subspace of the plaintext space in the same way. Such behavior is strange for cubic maps in general.
4 The Differential Invariant Structure of the Cubic ABC Scheme
4.1 Column Band Spaces
Each component of the central \(\mathcal {E}(\mathbf {u})\,=\,E_1(\mathbf {u})||E_2(\mathbf {u})\) map may be written as:
for the \(E_1\) equations, and likewise, for the \(E_2\) equations:
where i and j run from 1 to s.
Consider the s sets of s polynomials that form the columns of \(E_1\), i.e. for each \(j\in \{1,\ldots ,s\}\) consider \((\mathcal {E}_{ j}, \mathcal {E}_{s+j}, \ldots , \mathcal {E}_{s^2-s+ j})\). With high probability, the linear forms \(b_{ j}, b_{s+j}, \ldots , b_{s^2-s+ j}\) are linearly independent, and if so the polynomials may be re-expressed, using a linear change of variables to \((u'_1, \ldots u'_{s^2})\) where \(u'_i\,=\,b_{(i-1)s\,+\,j}\) for \(i\,=\,1, \ldots , s\). After the change of variables, the only cubic monomials contained in \((\mathcal {E}_{ j}, \mathcal {E}_{s\,+\,j}, \ldots , \mathcal {E}_{s^2\,-\,s\,+\,j})\) will be those containing at least one factor of \(u'_1, \ldots , u'_s\). We can make a similar change of variables to reveal structure in the s sets of s polynomials that form the columns of \(E_2\): Setting \(u'_i\,=\,c_{(i-1)s+j}\) for \(i\,=\,1, \ldots , s\) and a fixed j, the only cubic monomials contained in \((\mathcal {E}_{s^2\,+\,j}, \mathcal {E}_{s^2\,+\,s\,+\,j}, \ldots , \mathcal {E}_{2s^2\,-\,s\,+\,j})\) will be those containing at least one factor of \(u'_1, \ldots , u'_s\).
More generally, we can make a similar change of variables to reveal structure in any of a large family of s dimensional subspaces of the span of the component polynomials of \(E_1\) and \(E_2\), which we will call column band spaces in analogy to the band spaces used to analyze the quadratic ABC cryptosystem in [12]. Each family is defined by a fixed linear combination, \((\beta , \gamma )\), of the columns of \(E_1\) and \(E_2\):
Definition 3
The column band space defined by the 2s-dimensional linear form \((\beta , \gamma )\) is the space of cubic maps, \(\mathcal {B}_{\beta , \gamma }\), given by:
where
Theorem 1
There is a pair of subspaces \((V_1, V_2)\in \left( k^n\right) ^2\) which is a subspace differential invariant with respect to \(\mathcal {B}_{\beta , \gamma }\) for all \((\beta , \gamma )\). Moreover, there exists an \(\mathbf {x}_1\in k^n\) such that \(rank(D^2\mathcal {E}(\mathbf {x}_1))\le 2s\) for all \(\mathcal {E}\in \mathcal {B}_{\beta , \gamma }\).
Proof
Note that under a change of variables , where \(u'_i = \sum _{j=1}^s\left( \beta _j b_{(i-1)s+j} + \gamma _j c_{(i-1)s+j}\right) \) for \(i = 1, \ldots , s\), the only cubic monomials contained in the elements of \(\mathcal {B}_{\beta , \gamma }\) will be those containing at least one factor of \(u'_1, \ldots , u'_s\). In such a basis, the second differential of any map in \(\mathcal {B}_{\beta , \gamma }\), and thus the second differential of \(\mathcal {E}\) can be visualized as a 3-tensor with a special block form, see Fig. 1.
Let V be the \((s^2-s)\)-dimensional preimage \(M^{-1}(\text{ Span }(u'_1,\ldots ,u'_s)^{\perp })\). This 3-tensor \(D^2\mathcal {E}\) may be thought of as a bilnear map which takes two vectors \(\mathbf {x}_1, \mathbf {x}_2\in V\), i.e. of the form:
to a covector of the form:
Thus, in this basis \(D^2\mathcal {E}(\mathbf {x}_1)\) is a symmetric matrix which is zero on \(V\times V\). Therefore, \(rank(D^2\mathcal {E}(\mathbf {x}))\le 2s\). One checks that (V, V) is a subspace differential with respect to \(\mathcal {B}_{\beta ,\gamma }\) with \(W:=V^{\perp }\), since \(dim(W)=s< s^2-s = dim(V)\).
We will define the term “band-kernel” to describe the space of vectors of the same form as \(x_1\) and \(x_2\) in the proof above, i.e.:
Definition 4
The band kernel of \(\mathcal {B}_{\beta , \gamma }\), denoted \(\mathcal {BK}_{\beta , \gamma }\), is the space of vectors, x, such that
for \(i=1, \ldots , s\).
5 A Variant of MinRank Exploiting the Column Band Space Structure
A minrank-like attack may be used to locate the column band-space maps defined in the previous section. In this case, the attack proceeds by selecting \(s^2\)-dimensional vectors \(\mathbf {x}_1\), \(\mathbf {x}_2\), \(\mathbf {x}_3\), and \(\mathbf {x}_4\), setting
and solving for the \(t_i\). The attack succeeds when \(\sum _{i=1}^{2s^2}t_i\mathcal {E}_i \in \mathcal {B}_{\beta ,\gamma }\) and \(\mathbf {x}_1\), \(\mathbf {x}_2\), \(\mathbf {x}_3\), and \(\mathbf {x}_4\) are all within the corresponding band kernel. If these conditions are met, then the rank of the 2-tensor \(\sum _{i=1}^{2s^2}t_iD^2\mathcal {E}_i(\mathbf {x}_k)\) for \(k = 1, 2, 3, 4\) will be at most 2s, and this will be easily detectable.
The attack complexity will be significantly reduced if several of the \(\mathbf {x}_k\) are set equal to one another. In odd characteristic fields, we can reduce the number of independently chosen vectors to 2, (for example, by setting \(\mathbf {x}_1=\mathbf {x}_2\) and \(\mathbf {x}_3=\mathbf {x}_4\).) In characteristic 2, however, the antisymmetry of the 2nd differential prevents the equation \(\sum _{i=1}^{2s^2}t_iD^2\mathcal {E}_i(\mathbf {x}_1,\mathbf {x}_1) = 0\) from imposing a nontrivial constraint on the \(t_i\). Even in characteristic 2, though, the number of independently chosen vectors can be reduced to 3 (e.g. by setting \(\mathbf {x}_1 = \mathbf {x}_4\)).
Theorem 2
The probability that 2 randomly chosen vectors, \(\mathbf {x}_1\) and \(\mathbf {x}_2\), are both in the band kernel of some band-space \(\mathcal {B}_{\beta ,\gamma }\) is approximately \(\frac{1}{q-1}\); The probability that 3 randomly chosen vectors, \(\mathbf {x}_1\), \(\mathbf {x}_2\), and \(\mathbf {x}_3\), are all in the band kernel of some band-space \(\mathcal {B}_{\beta ,\gamma }\) is approximately \(\frac{1}{(q-1)q^s}\).
Proof
The condition that the \(\mathbf {x}_k\) are all contained within a band kernel is that there be a nontrivial linear combination of the columns of the following matrix equal to zero (i.e. that the matrix has nonzero column corank):
In the case with 2 randomly chosen vectors, the matrix is a uniformly random \(2s \times 2s\) matrix, which has nonzero column corank with probability approximately \(\frac{1}{q-1}\). In the case with 3 randomly chosen vectors, the matrix is a uniformly random \(3s \times 2s\) matrix, which has nonzero column corank with probability approximately \(\frac{1}{(q-1)q^s}\).
Theorem 3
If \(\mathbf {x}_1\), \(\mathbf {x}_2\), \(\mathbf {x}_3\), and \(\mathbf {x}_4\) are chosen in such a way that all four vectors are in the band kernel of a column band space \(\mathcal {B}_{\beta ,\gamma }\) and also that the symmetric tensor products \(\mathbf {x}_1\odot \mathbf {x}_2\) and \(\mathbf {x}_3\odot \mathbf {x}_4\) are linearly independent from one another and statistically independent from the private quadratic forms, \(p_{(i-1)s+ j}\) in the matrix A, then the tensor products \(\mathbf {x}_1\otimes \mathbf {x}_2\) and \(\mathbf {x}_3\otimes \mathbf {x}_4\) are both in the kernel of some column band-space differential \(D^2\mathcal {E} = \sum _{\mathcal {E}_{\beta ,\gamma ,i}\in \mathcal {B}_{\beta ,\gamma }}\tau _i D^2\mathcal {E}_{\beta ,\gamma ,i}\) with probability approximately \(\frac{1}{(q-1)q^s}\).
Proof
A \(D\mathcal {E}\) meeting the above condition exists iff there is a nontrivial solution to the following system of equations
Expressed in a basis (e.g. the \(u'_i\) basis used in Definition 4) where the first s basis vectors are chosen to be outside the band kernel, and the remaining \(s^2-s\) basis vectors are chosen from within the band kernel, the column band-space differentials, \( D^2\mathcal {E}_{\beta ,\gamma ,i}\) are 3-tensors of the form shown in Fig. 1.
Likewise \(\mathbf {x}_1\), \(\mathbf {x}_2\), \(\mathbf {x}_3\), and \(\mathbf {x}_4\) take the form \((0|~\mathbf {x}_k~)\). The 2-tensors \( D^2\mathcal {E}_{\beta ,\gamma ,i}(\mathbf {x}_k)\) can then be represented by matrices of the form:
where \(R_{k,i}\) is a random \(s \times s^2-s\) matrix and \(S_{k,i}\) is a random symmetric \(s\times s\) matrix. Removing the redundant degrees of freedom we have the system of 2s equations in s variables:
This has a nontrivial solution precisely when the following \(2s\times s\) matrix has nonzero column corank:
This is a random matrix over \(k=\mathbb {F}_q\), which has nonzero column corank with probability approximately \(\frac{1}{(q-1)q^s}\), for practical parameters.
To verify that the conditions given in the theorem are sufficient to establish the randomness of the matrix M, we can give the following explicit expression for the matrix M, which is most easily derived by applying the product rule for the discrete differential to Definition 3:
Combining the results of Theorems 2 and 3, we find that for each choice of the vectors \(\mathbf {x}_k\), there is a column band-space map among the solutions of Eq. (3) with probability approximately \(\frac{1}{(q-1)^2q^{2s}}\) for even characteristic and \(\frac{1}{(q-1)^2q^s}\) for odd characteristic. Equation (3) is a system of \(2s^2\) equations in \(2s^2\) variables; one might expect it to generally have a 0-dimensional space of solutions. In some cases, however, there are linear dependencies among the equations, due to the fact that the \(D^2\mathcal {E}_i\) are symmetric tensors. In even characteristic, we get 4 linear dependencies: \(D^2\mathcal {E}_i(\mathbf {x}_1,\mathbf {x}_2)(\mathbf {x}_1) = 0\), \(D^2\mathcal {E}_i(\mathbf {x}_1,\mathbf {x}_2)(\mathbf {x}_2)=0\), \(D^2\mathcal {E}_i(\mathbf {x}_3,\mathbf {x}_4)(\mathbf {x}_3)=0\), and \(D^2\mathcal {E}_i(\mathbf {x}_3,\mathbf {x}_4)(\mathbf {x}_4)=0\), and an additional linear dependency when we reduce the number of independent vectors to 3 by setting \(\mathbf {x}_1=\mathbf {x}_4\): \(D^2\mathcal {E}_i(\mathbf {x}_1,\mathbf {x}_2)(\mathbf {x}_3) + D^2\mathcal {E}_i(\mathbf {x}_3,\mathbf {x}_4)(\mathbf {x}_2)=0\), resulting in a 5-dimensional space of solutions. In characteristic 3, reducing the number of independent vectors to 2 results in 2 linear dependencies among the equations: e.g. setting \(\mathbf {x}_1 = \mathbf {x}_2\) and \(\mathbf {x}_3=\mathbf {x}_4\), we have \(D^2\mathcal {E}_i(\mathbf {x}_1,\mathbf {x}_2)(\mathbf {x}_1)=0\) and \(D^2\mathcal {E}_i(\mathbf {x}_3,\mathbf {x}_4)(\mathbf {x}_3)=0\). In higher characteristic, there are no linear dependencies imposed on the equations by setting \(\mathbf {x}_1 = \mathbf {x}_2\) and \(\mathbf {x}_3=\mathbf {x}_4\).
For characteristic 2, finding the expected 1-dimensional space of band-space solutions in a 5-dimensional space costs \(q^4+q^3+q^2+q+1\) rank operations, which in turn cost \((s^2)^{\omega }\) field operations, where \(\omega \approx 2.373\) is the linear algebra constant. Likewise, for characteristic 3, finding the expected 1-dimensional space of band-space solutions in a 2-dimensional space costs \(q+1\) rank operations. Thus the total cost of finding a column band-space map using our variant of MinRank is approximately \(q^{2s+6}s^{2\omega }\) for charactersitic 2, \(q^{s+3}s^{2\omega }\) for characteristic 3, and \(q^{s+2}s^{2\omega }\) for higher characteristic.
6 Complexity of Invariant Attack
The detection of a low rank induced bilinear form \(D^2\mathcal {E}(x)\) already constitutes a distinguisher from a random system of equations. Extending this calculation to a full key recovery requires further use of the differential invariant structure of the public key.
First, note that U is not a critical element of the scheme. If A is a random matrix of quadratic forms and B and C are random matrices of linear forms, so are \(A\circ U\), \(B\circ U\) and \(C\circ U\) for any full rank map U. Thus, since clearly \(T\circ \phi (AB||AC)\circ U = T\circ \phi ((A\circ U)(B\circ U)||(A\circ U)(C\circ U))\), we may absorb the action of U into A, B, and C, and consider the public key to be of the form:
Next, consider a trilinear form \(D^2\mathcal {E}\) in the band space generated by \(\mathcal {B}_{\beta , \gamma }\). Since the coefficients of \(D^2\mathcal {E}\) are products of coefficients of A and coefficients of an element of Im(B||C), both of which are uniform i.i.d., there is a change of basis M in which \(D^2\mathcal {E}\) has the form in Fig. 1 and the nonzero coefficients are uniform i.i.d.
Consider \(D^2\mathcal {E}(\mathbf {x}_1)\) and \(D^2\mathcal {E}(\mathbf {x}_2)\) for \(\mathbf {x}_1,\mathbf {x}_2\) in the band kernel corresponding to \(\mathcal {B}_{\beta , \gamma }\). Being maps from the same band space, there is a basis in which both \(D^2\mathcal {E}(\mathbf {x}_1)\) and \(D^2\mathcal {E}(\mathbf {x}_2)\) have the form in Fig. 2. Thus, with high probability for \(s \ge 2\), the kernels of both maps are contained in the corresponding band kernel, \(\mathcal {B}_{\beta , \gamma }\), and .
Remark 1
Here we have utilized a property which explicitly distinguishes differential invariant structure from rank structure.
Given the basis for an \(s^2-s\) dimensional band kernel \(\mathcal {BK}\), we may choose a basis \(\{v_1,\ldots , v_s\}\) for the subspace of the dual space vanishing on \(\mathcal {BK}\). We can also find a basis \(\mathcal {E}_{v_1},\ldots ,\mathcal {E}_{v_s}\) for the band space itself by solving the linear system
where \(t\approx 2s^2\) and \(\mathbf {x}_{ij}\) is in the band kernel.
Since the basis \(\mathcal {E}_{v_1},\ldots ,\mathcal {E}_{v_s}\) is in a single band space, there exists an element \(\left[ \begin{matrix}b_1'&\cdots&b_s'\end{matrix}\right] ^{\top }\in ColSpace(B||C)\) and two matrices \(\varOmega _1\) and \(\varOmega _2\) such that
Solving the above system of equations over \(\mathbb {F}_q[x_1,\ldots ,x_{s^2}]\) uniquely determines \(A'\) in . To recover all of \(A'\), note that the above system is part of an equivalent key
where \(\left[ \begin{matrix}v_1&\cdots&v_s\end{matrix}\right] ^{\top }\) is the first column of \(B'\).
Applying \(T'^{-1}\) to both sides and inserting the information we know we may construct the system
Solving this system of equations modulo for \(B'\), \(C'\) and \(T'^{-1}\) we can recover a space of solutions, which we will restrict by arbitrarily fixing the value of \(T'^{-1}\). Note that the elements of \(T'^{-1}\) are constant polynomials, and therefore is the same as \(T'^{-1}\). Thus, for any choice of \(T'^{-1}\) in this space, the second column of \(T'^{-1}\mathcal {F}\) is a basis for a band space. Moreover, the elements \(v'_{s+1},\ldots ,v'_{2s}\) of the second column of are the image, modulo , of linear forms vanishing on the corresponding band kernel. Therefore, the intersection is the intersection \(\mathcal {BK}_2 \cap \mathcal {BK}_1\) of the band kernels of our two band spaces.
We can reconstruct the full band kernel of this second band space using the same method we used to obtain our first band kernel: We take a map \(\mathcal {E}_2\) from the second column of \(T'^{-1}\mathcal {F}\), and two vectors \(x_a\) and \(x_b\) from \(\mathcal {BK}_2 \cap \mathcal {BK}_1\), and we compute . We can now solve for the second column of \(B'\), \(\left[ \begin{matrix}v_{s+1}&\cdots&v_{2s}\end{matrix}\right] ^{\top }\), uniquely over \(\mathbb {F}_q[x_1,\ldots ,x_{s^2}]\) (NOT modulo ) by solving the following system of linear equations:
where \( i=s+1, \ldots , 2s\), and \((\mathbf {x}_1, \ldots , \mathbf {x}_{s^2-s})\) is a basis for \(\mathcal {BK}_2\). We can now solve for \(A'\) (again, uniquely over \(\mathbb {F}_q[x_1,\ldots ,x_{s^2}]\)) by solving:
where is the second column of \(T'^{-1}\mathcal {F}\). This allows us to solve Eq. 10 for the rest of \(B'\) and \(C'\), completing the attack.
The primary cost of the attack involves finding the band space map. The rest of the key recovery is additive in complexity and dominated by the band space map recovery; thus, the total complexity of the attack is of the same order as band space map recovery. Hence, the cost of private key extraction is approximately \(q^{2s+6}s^{2\omega }\) for characteristic 2, \(q^{s+3}s^{2\omega }\) for characteristic 3, and \(q^{s+2}s^{2\omega }\) for higher characteristic. We note that with these parameters we can break full sized instances of this scheme with parameters chosen for the 80-bit and 100-bit security levels via the criteria presented in [13].
Specifically, our attack breaks CubicABC(\(q=127\), \(s=7\)), designed for 80-bit security, in approximately \(2^{76}\) operations (or around \(2^{80}\) if one pessimistically uses \(\omega =3\) as the linear algebra constant). More convincingly, our attack completely breaks CubicABC(\(q=127\), \(s=8\)), designed for 100-bit security, in approximately \(2^{84}\) operations (or \(2^{88}\) for \(\omega =3\)). Furthermore, the attack is fully parallelizable and requires very little memory; hence, the differential invariant attack is far more efficient than algebraic attacks, the basis for the original security estimation. Thus, the security claims in [13] are clearly unfounded; in fact, the cubic version of the scheme, whose security was claimed to be closely related to an NP-complete problem, is actually less secure than the quadratic case.
We can explain this dramatic discrepancy on the fact that the parameters in [13] are derived by assuming that the algebraic attack is the most effective. In the case of the quadratic ABC scheme, for the proposed parameters, the attack of [12] was slower than the algebraic attack, though asymptotically faster. In the case of the Cubic scheme, the attack is actually more efficient, in asymptotics as well as for practical parameters.
7 Experiments
Using SAGE [14], we performed some minrank computations on small scale variants of the Cubic ABC scheme. The computations were done on a computer with a 64 bit quad-core Intel i7 processor, with clock cycle 2.8 GHz. We were interested in verifying our complexity estimates on the most costly step in the attack, the MinRank instance, rather than the full attack on the ABC scheme. Given as input the finite field size q, and the scheme parameter s, we computed the average number of vectors v required to be sampled in order for the rank of the 2-tensor \(D^2\mathcal {E}(v)\) to fall to 2s. As explained in Sect. 5, when the rank falls to this level, we have identified the subspace differential invariant structure of the scheme and can exploit this structure to attack the scheme. Our results for odd q are given in Table 1.
For higher values of q and s the computations took too long to produce sufficiently many data points and obtain meaningful results with SAGE. When q is odd, our analysis predicted the number of vectors needed would be on the order of \((q-1)^2q^s\). Table 1 shows the comparison between our experiments and the expected value. We see that for \(s=3\), the rank fell quicker than expected, while for \(s>3\) the results are quite near the predicted value. This is because when \(s=3\) our complexity estimates given in Sect. 5 are simply not accurate enough, which happens for small values of q and/or s.
For even q, we also ran some experiments. We found that for \(s=3\) and \(q=2,4\), or 8, with high probability only a single vector was needed before the rank fell to 2s. For \(s=4\) and \(s=5\), the computations were only feasible in SAGE for \(q=2\). The average number of vectors needed in the \(s=4\) case was 244, with the expected value being \((q-1)^2q^{2s}=256\). With \(s=5\), the average number in our experiments was 994 (although the number of trials was small), with the expected value 1024. For higher values of q and s the computations took too long to obtain meaningful results.
8 Conclusion
The ABC schemes are very interesting new ideas for multivariate public key schemes. Essentially all of MPKC can be bisected into big field schemes, utilizing the structure of an extension of the field used for public calculations, and small field schemes which require no such extension. (For the purpose of this comment we consider “medium” field schemes to be big field schemes.)
The ABC cryptosystems present a fundamentally new structure for the development of schemes. In fact, if we consider the structure of simple algebras over the public field (which are surely the only such structures we should consider for secure constructions) then “big field” and “big matrix algebra” complete the picture of possible large structure schemes.
It is interesting to note that the authors provide in [13] a heuristic security argument for the scheme and, as reinforced in the first presentation of the scheme at [15], suggest that with some work the scheme may be able to be shown provably secure. The idea behind their argument is at least somewhat reasonable, if not precise. Their argument essentially amounts to the following: every cubic polynomial in the public key is in the ideal generated by the quadratic forms in A under a certain basis; thus, one might expect the public key to contain a subset of the information one would obtain by applying one step of a Gröbner basis algorithm such as F4, see [16].
Unfortunately, this analysis is not very tight. In fact, we exploit the subspace differential invariant structure inherent to the ABC methodology to show that for odd characteristic the cubic scheme is less secure than its quadratic counterpart. We may therefore conclude that any attempt at a secure cubic “big matrix algebra” scheme must rely on the application of modifiers. The challenge, then, is to construct such a scheme which is still essentially injective for the purpose of encryption. Schemes such as this one can never compete with the secure multivariate options for digital signatures we already know.
We are thus left with the same lingering question that has been asked for the last two decades: Is secure multivariate encryption possible? Currently there is a small list of candidates none of which has both been extensively reviewed and has existed for longer than a few years. If we are to discover a secure multivariate encryption scheme with a convincing security proof or some other security metric, it will require some new techniques and new science. Only time will tell.
References
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Sci. Stat. Comp. 26, 1484 (1997)
Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X_15
Patarin, J., Goubin, L., Courtois, N.: \(C_{-+}^{*}\), and HM: variations around two schemes of T. Matsumoto and H. Imai. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 35–50. Springer, Heidelberg (1998). doi:10.1007/3-540-49649-1_4
Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001). doi:10.1007/3-540-45353-9_21
Petzoldt, A., Bulygin, S., Buchmann, J.: CyclicRainbow – a multivariate signature scheme with a partially cyclic public key. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 33–48. Springer, Heidelberg (2010). doi:10.1007/978-3-642-17401-8_4
Petzoldt, A., Chen, M., Yang, B., Tao, C., Ding, J.: Design principles for HFEv- based multivariate signature schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 311–334. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_14
Ding, J., Yang, B.: Degree of regularity for HFEv and HFEv-. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 52–66. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38616-9_4
Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000). doi:10.1007/3-540-44448-3_4
Tsujii, S., Gotaishi, M., Tadaki, K., Fujita, R.: Proposal of a signature scheme based on STS trapdoor. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 201–217. Springer, Heidelberg (2010). doi:10.1007/978-3-642-12929-2_15
Porras, J., Baena, J., Ding, J.: ZHFE, a new multivariate public key encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 229–245. Springer, Cham (2014). doi:10.1007/978-3-319-11659-4_14
Tao, C., Diene, A., Tang, S., Ding, J.: Simple matrix scheme for encryption. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 231–242. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38616-9_16
Moody, D., Perlner, R.A., Smith-Tone, D.: An asymptotically optimal structural attack on the ABC multivariate encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 180–196. Springer, Cham (2014). doi:10.1007/978-3-319-11659-4_11
Ding, J., Petzoldt, A., Wang, L.: The cubic simple matrix encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 76–87. Springer, Cham (2014). doi:10.1007/978-3-319-11659-4_5
Sage, S.: The Sage Mathematics Software System (Version x.y.z). (YYYY) http://www.sagemath.org
Mosca, M. (ed.): PQCrypto 2014. LNCS, vol. 8772. Springer, Cham (2014). doi:10.1007/978-3-319-11659-4
Faugere, J.C.: A new efficient algorithm for computing grobner bases (f4). J. Pure Appl. Algebra 139, 61–88 (1999)
Gaborit, P. (ed.): PQCrypto 2013. LNCS, vol. 7932. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38616-9
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Moody, D., Perlner, R., Smith-Tone, D. (2017). Key Recovery Attack on the Cubic ABC Simple Matrix Multivariate Encryption Scheme. In: Avanzi, R., Heys, H. (eds) Selected Areas in Cryptography – SAC 2016. SAC 2016. Lecture Notes in Computer Science(), vol 10532. Springer, Cham. https://doi.org/10.1007/978-3-319-69453-5_29
Download citation
DOI: https://doi.org/10.1007/978-3-319-69453-5_29
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69452-8
Online ISBN: 978-3-319-69453-5
eBook Packages: Computer ScienceComputer Science (R0)