Some new aspects concerning the Analysis of HFE type Cryptosystems
Magnus Daum, Patrick Felke

Overview
• What is HFE?
• Some Experimental Results on Attacking HFE with Buchberger Algorithm
• An improved Algorithm for Separating Branches

Basic HFE
[Diagram labels: Public Key, Secret Key, one-way trapdoor function, Trapdoor]

Basic HFE: Example
Basic HFE: Example
Basic HFE: Example Encryption
Basic HFE: Example Decryption
Basic HFE: Example / Signing Verifying
Parameters of HFE
• n: Number of unknowns and equations
• q: Size of smaller finite field K
• d: Degree of hidden polynomial

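As an added illustration (not part of the slides), the following toy instance of Basic HFE uses constructed parameters q=2, n=5, d=5, linear rather than affine secret maps S and T, and brute-force root finding for the trapdoor; all names, coefficients and seeds are assumptions of this example. It checks that every coordinate of the public map is a polynomial of degree at most 2 in the n unknowns, and that the trapdoor recovers every preimage.

```python
import random

N, MOD = 5, 0b100101      # toy field GF(2^5) = GF(2)[t]/(t^5 + t^2 + 1); q = 2, n = 5

def gf_mul(a, b):
    """Multiply two field elements (bit i = coefficient of t^i)."""
    r = 0
    while b:
        r ^= a * (b & 1)
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= MOD
    return r

def hidden_poly(x):
    """Constructed secret P(X) = X^5 + 3X^3 + 7X^2 + 2X (d = 5).
    Coefficients are field elements; exponents are 2^i + 2^j or 2^i."""
    x2 = gf_mul(x, x)
    return gf_mul(gf_mul(x2, x2), x) ^ gf_mul(3, gf_mul(x2, x)) ^ gf_mul(7, x2) ^ gf_mul(2, x)

def lin(rows, v):
    """Matrix-vector product over GF(2); each row is a bit mask."""
    return sum((bin(r & v).count("1") & 1) << i for i, r in enumerate(rows))

def random_invertible(rng):
    """Draw random N x N matrices over GF(2) until one is a bijection."""
    while True:
        rows = [rng.randrange(1, 1 << N) for _ in range(N)]
        if len({lin(rows, v) for v in range(1 << N)}) == 1 << N:
            return rows

# Fixed seeds: constructed toy secret key (S, T)
S, T = (random_invertible(random.Random(seed)) for seed in (1, 2))

def public_map(x):
    """Public one-way function: T o P o S on coordinate vectors."""
    return lin(T, hidden_poly(lin(S, x)))

def anf_degree(bit):
    """Degree of one public coordinate as a polynomial in x_0..x_{N-1}."""
    tt = [(public_map(x) >> bit) & 1 for x in range(1 << N)]
    for i in range(N):                    # Moebius transform: truth table -> ANF
        for x in range(1 << N):
            if x >> i & 1:
                tt[x] ^= tt[x ^ (1 << i)]
    return max((bin(m).count("1") for m in range(1 << N) if tt[m]), default=0)

def decrypt(y):
    """Trapdoor: undo T, find all roots of P(X) = y' (brute force here), undo S."""
    inv = lambda rows, w: next(v for v in range(1 << N) if lin(rows, v) == w)
    return sorted(inv(S, r) for r in range(1 << N) if hidden_poly(r) == inv(T, y))
```
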
Overview
• What is HFE?
• Some Experimental Results on Attacking HFE with Buchberger Algorithm
  • General Approach with Buchberger Algorithm
  • Why HFE systems are special
  • Simulations
  • Perturbations
• An improved Algorithm for Separating Branches

General Approach: Example / Signing Decryption
General Approach: Example
[Diagram label: Buchberger Algorithm]
General Approach: Problems
• degree of output polynomials may get very big
• Buchberger algorithm has exponential worst case complexity
• compute all solutions in algebraic closure
… in general only feasible for very few unknowns

HFE Systems are Special
• defined over a very small finite field
• include only quadratic polynomials
• need only solutions in the base field F_q
• hidden polynomial of low degree

Solutions in the Base Field
Proposition:
solutions we are looking for fulfil

Solutions in the Base Field
[Diagram labels: Buchberger Algorithm, Buchberger Algorithm]
• Advantages:
  • we compute only information we need
  • degree of polynomials involved in this computation is bounded

HFE Systems are Special
• defined over a very small finite field
• include only quadratic polynomials
• need only solutions in the base field F_q
• hidden polynomial of low degree

Hidden Polynomial
• One main idea of Buchberger Algorithm can be described as making use of relations between the input polynomials in a sophisticated way
• Attack on C* (Patarin / Dobbertin):
  • For C*-systems there are many linear relations between the public polynomials.
• Courtois:
  • For general HFE there are also some relations, but they are more complex.
  • lower degree d ⇒ more relations

HFE Systems are Special
• defined over a very small finite field
• include only quadratic polynomials
• need only solutions in the base field F_q
• hidden polynomial of low degree

Simulations
• about 100.000 simulations in SINGULAR
• parameters: mostly
• HFE systems and random quadratic systems
• in each simulation:
  • generate system of quadratic equations (HFE or random)
  • add polynomials
  • solve by applying Buchberger Algorithm (with FGLM)

Simulations: Dependence on n

Simulations: Dependence on n
[Plot: log(time) against n; series: q=3 random; q=3, d=30; q=3, d=12; q=2 random; q=2, d=128; q=2, d=20; q=2, C*]
exponential time complexity !?

Simulations: Dependence on d
time depends on rather than on d

Simulations: Dependence on ⌈log_q d⌉
[Plot annotations: ∙3 ∙3 ∙3 ∙8 ∙7 ∙11]
• if d is small (approx. ): Solving HFE systems becomes much easier !!
• if d is large (approx. ): HFE systems behave like systems of random quadratic equations (random systems correspond to ⌈log_q d⌉ = n)
• and usually log_q(d) << n (e.g. HFE Challenge 1: q=2, n=80, d=96 ⇒ ⌈log_q(d)⌉ = 7 << 40)

Simulations: Dependence on ⌈log_q d⌉
[Plot: log(time)]
• Usually ⌈log_q(d)⌉ << n
  • e.g. HFE Challenge 1: q=2, n=80, d=96 ⇒ ⌈log_q(d)⌉ = 7 << 80
• Extrapolating the times needed for d=96, solving this challenge seems out of reach
• By applying F5/2 now it is possible to solve HFE Challenge 1 in 96 h.
• By applying a highly optimized variant of the Buchberger Algorithm in the future it might be possible to solve certain instances of HFE with very small d in some feasible time.

Perturbations
Perturbations
• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure
• e.g. "-" (i.e. removing polynomials):
[Diagram label: Public Key]

Perturbations
• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure
• e.g. "+" (i.e. adding some random polynomials):
[Diagram label: Public Key (after "mixing" with S and T)]

Perturbations
• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure
• Perturbed HFE systems are claimed to be more secure than Basic HFE systems
• All proposed HFE systems (e.g. SFLASH, QUARTZ) use perturbations

Simulations on Perturbations
• Simulations in the case q=2, n=15
• included systems generated
  • from HFE with d ∈ {5, 9, 17}
  • randomly
• added / removed / replaced between 0 and 5 polynomials

Simulations on Perturbations
[Plots for d=5 and random; axes: time_1, plus, minus]
Better consider the ratio of needed times for HFE systems to that for random systems

Simulations on Perturbations
[Plots for d=5, d=9, d=17; axes: ratio, plus, minus]
Better consider the ratio of needed times for HFE systems to that for random systems
• adding/removing just some few polynomials makes solving HFE systems significantly more difficult
• Perturbed HFE seems to be more secure than Basic HFE

Conclusion of this part
• Time complexity of solving HFE systems by applying Buchberger Algorithm depends …
  • nearly exponentially on number n of unknowns
  • strongly on ⌈log_q(d)⌉
• Security of HFE depends significantly on the degree of the hidden polynomial
• Perturbations seem to make HFE more secure

Overview
• What is HFE?
• Some Experimental Results on Attacking HFE with Buchberger Algorithm
• An improved Algorithm for Separating Branches