Abstract
The HFE cryptosystem is one of the most popular multivariate schemes. Especially in the area of digital signatures, the HFEv- variant offers short signatures and high performance. Recently, an instance of the HFEv- signature scheme called GeMSS was selected as one of the alternative candidates for signature schemes in the third round of the NIST Post-Quantum Crypto (PQC) Standardization Project.
In this paper, we propose a new key recovery attack on the HFEv- signature scheme. Our attack shows that neither the Minus nor the Vinegar modification enhances the security of the basic HFE scheme significantly. This shows that it is very difficult to build a secure and efficient signature scheme on the basis of HFE. In particular, we use our attack to show that the proposed parameters of the GeMSS scheme are not as secure as claimed.
Notes
1. Indeed, \(a \ge n-2d+1\) implies that the number \(n-a\) of equations in the public system is bounded from above by \(2d+1\). Defending the scheme against brute force attacks would therefore require a high value of d, which would make the scheme completely impractical.
Acknowledgements
Parts of the work were done while the third author was at Cincinnati. We thank CCB Fintech Co. Ltd for partially sponsoring the work of the first and the last author with No. KT2000040. Furthermore, we thank NSF for partially sponsoring this work and the anonymous reviewers of CRYPTO 2021 for their valuable comments, which helped to improve the paper.
A Example of the Attack
To illustrate our new attack method, we present a complete key recovery for a toy example of the HFEv- scheme over a small field. Let the parameters of our HFEv- instance be \((q,n,v,D,a)=(7,7,2,14,2)\). Then we have \(d = \lceil \log _{q}(D)\rceil =2\). We construct the degree n extension field \(\mathbb {F}_{q^n} = \mathbb {F}_{q}[x]/\langle x^7 + 6x + 4\rangle \). Let \(\theta \) be a primitive root of the irreducible polynomial \(p(x) = x^7 + 6x + 4\).
We randomly generate the central map \(F =\theta ^{176932}X^{14} + \theta ^{461287}X^{8} + \theta ^{199902}X^{2} + (\theta ^{270502}x_{1} + \theta ^{358630}x_{2})X +(\theta ^{65557}x_{1} + \theta ^{2597}x_{2})X^{7} + \theta ^{811326}x_{1}^{2} + \theta ^{14415}x_{1}x_{2} + \theta ^{151050}x_{2}^{2}\). The linear transformations \(\mathcal S\) and \(\mathcal T\) are given by the matrices
We compute the public key as \(\mathcal {P = T \circ F \circ S}\). The quadratic forms representing the public key polynomials are given as
Let
\[
M = \begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1\\
\theta & \theta^{7} & \theta^{49} & \theta^{343} & \theta^{2401} & \theta^{16807} & \theta^{117649}\\
\theta^{2} & \theta^{14} & \theta^{98} & \theta^{686} & \theta^{4802} & \theta^{33614} & \theta^{235298}\\
\theta^{3} & \theta^{21} & \theta^{147} & \theta^{1029} & \theta^{7203} & \theta^{50421} & \theta^{352947}\\
\theta^{4} & \theta^{28} & \theta^{196} & \theta^{1372} & \theta^{9604} & \theta^{67228} & \theta^{470596}\\
\theta^{5} & \theta^{35} & \theta^{245} & \theta^{1715} & \theta^{12005} & \theta^{84035} & \theta^{588245}\\
\theta^{6} & \theta^{42} & \theta^{294} & \theta^{2058} & \theta^{14406} & \theta^{100842} & \theta^{705894}
\end{pmatrix}
\quad \text{and} \quad
\widetilde{M} = \begin{pmatrix} M & 0 \\ 0 & I_v \end{pmatrix}.
\]
In the following we demonstrate our method to recover the private key from \(\mathcal P\).
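The matrix \(M\) above is the Frobenius (Moore) matrix \(M_{ij} = \theta^{i q^j}\): for \(X = \sum_i x_i \theta^i\) the row vector \((X, X^q, \ldots, X^{q^{n-1}})\) equals \(x \cdot M\), which is how a polynomial in \(X\) over \(\mathbb{F}_{q^n}\) becomes quadratic forms over \(\mathbb{F}_q\). The following Python script is an added illustration, not code from the paper: it implements \(\mathbb{F}_{7^7} = \mathbb{F}_7[x]/\langle x^7+6x+4\rangle\) with \(\theta = x\), builds \(M\) exactly as printed above, draws a random central map of degree \(D = 14\) for the basic HFE case (no Vinegar variables and no Minus, i.e. \(v = a = 0\); the random coefficients are constructed, not the paper's), and verifies the structural weakness every MinRank-style attack on HFE rests on: the matrix \(G = M F^{*} M^{T}\) of the central map has rank at most \(d = \lceil \log_q D \rceil = 2\), while still satisfying \(x G x^{T} = F(X)\). The function names (`frobenius_matrix`, `central_map`, `rank`, `demo`) are the script's own.

```python
# Added illustration (not code from the paper): arithmetic in F_{7^7} with the
# paper's modulus x^7 + 6x + 4, the Frobenius matrix M of Appendix A, and the
# rank defect of an HFE central map, shown for basic HFE (v = 0, a = 0).
import random

q, n = 7, 7
P_MOD = [4, 6, 0, 0, 0, 0, 0, 1]      # x^7 + 6x + 4, coefficients of x^0 .. x^7
ZERO = [0] * n                        # field elements are coefficient lists mod q
ONE = [1] + [0] * (n - 1)
THETA = [0, 1, 0, 0, 0, 0, 0]         # theta = x, a root of p(x)
HALF = (q + 1) // 2                   # inverse of 2 in F_q (q odd)

def add(a, b): return [(x + y) % q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % q for x, y in zip(a, b)]
def scalar(c, a): return [(c * x) % q for x in a]

def mul(a, b):
    """Multiply in F_{q^n} = F_q[x]/<p(x)>: schoolbook product, then reduce."""
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    for k in range(2 * n - 2, n - 1, -1):   # x^k = x^(k-n) * x^n, x^n = -(lower terms)
        c, prod[k] = prod[k], 0
        for t in range(n):
            prod[k - n + t] = (prod[k - n + t] - c * P_MOD[t]) % q
    return prod[:n]

def power(a, e):
    result, base = ONE, a
    while e:
        if e & 1: result = mul(result, base)
        base, e = mul(base, base), e >> 1
    return result

def inverse(a): return power(a, q ** n - 2)   # Fermat: a^(q^n - 1) = 1

def frobenius_matrix():
    """M[i][j] = theta^(i * q^j); for X = sum x_i theta^i, (X^(q^j))_j = x . M."""
    return [[power(THETA, i * q ** j) for j in range(n)] for i in range(n)]

def central_map(D, rng):
    """Random HFE central map F(X) = sum a_ij X^(q^i + q^j) with q^i + q^j <= D.
    Returns its terms, its symmetric matrix F* in the basis X, X^q, ..., and d."""
    d = 1
    while q ** d < D: d += 1                  # d = ceil(log_q D)
    terms, Fstar = [], [[ZERO] * n for _ in range(n)]
    for i in range(d):
        for j in range(i, d):
            if q ** i + q ** j > D: continue
            a = ZERO
            while a == ZERO: a = [rng.randrange(q) for _ in range(n)]  # constructed
            terms.append((i, j, a))
            if i == j: Fstar[i][i] = a
            else: Fstar[i][j] = Fstar[j][i] = scalar(HALF, a)
    return terms, Fstar, d

def evaluate_central(terms, X):
    total = ZERO
    for i, j, a in terms:
        total = add(total, mul(a, power(X, q ** i + q ** j)))
    return total

def _dot(u, v):
    s = ZERO
    for a, b in zip(u, v): s = add(s, mul(a, b))
    return s

def matmul(A, B):
    return [[_dot(row, [B[k][j] for k in range(len(B))]) for j in range(len(B[0]))] for row in A]

def transpose(A): return [list(col) for col in zip(*A)]

def quadratic_form(G, x):
    """x G x^T for x in F_q^n (entries of G lie in F_{q^n})."""
    s = ZERO
    for i in range(n):
        for j in range(n):
            s = add(s, scalar(x[i] * x[j] % q, G[i][j]))
    return s

def rank(matrix):
    """Rank over F_{q^n} by Gaussian elimination."""
    rows, r = [row[:] for row in matrix], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c] != ZERO), None)
        if piv is None: continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = inverse(rows[r][c])
        rows[r] = [mul(inv, e) for e in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != ZERO:
                f = rows[i][c]
                rows[i] = [sub(e, mul(f, p)) for e, p in zip(rows[i], rows[r])]
        r += 1
        if r == len(rows): break
    return r

def demo(seed=2021, D=14):
    """Build M, a random central map of degree D and G = M F* M^T; report the
    ranks and check x G x^T == F(X) for X = sum x_i theta^i (x constructed at random)."""
    rng = random.Random(seed)
    M = frobenius_matrix()
    terms, Fstar, d = central_map(D, rng)
    G = matmul(matmul(M, Fstar), transpose(M))
    x = [rng.randrange(q) for _ in range(n)]
    return {"d": d, "rank_M": rank(M), "rank_G": rank(G),
            "direct": evaluate_central(terms, x), "via_form": quadratic_form(G, x)}

if __name__ == "__main__":
    print(demo())
```

`rank_M` comes out as 7 (the \(\theta^i\) form a basis, so the Moore matrix is invertible), while `rank_G` is at most 2 for every choice of coefficients: only the \(d \times d\) block of \(F^{*}\) indexed by \(X, X^q\) is nonzero when \(D = 14\). This low rank, which survives the secret linear maps \(\mathcal S\) and \(\mathcal T\) up to a change of basis, is the property the MinRank step in A.1 exploits; the Vinegar and Minus modifications, as the paper argues, do not remove it.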
A.1 Recovering \(\mathcal S\)
Let the first row of matrix \(U=\widetilde{M}^{-1}S^{-1}\) be \((u_0, u_1, \cdots , u_{n+v-1})\). Fix \(u_0 = 1\) and let \(u_1, \cdots , u_{n+v-1}\) be unknowns. Set \(\mathbf {b}_i = (1, u_1, \cdots , u_{n+v-1})P_i, i = 0,1,\cdots ,n-a-1.\) Let \(\mathbf {b}_i\) be the i-th row of the matrix Z. Then the rank of Z is 2. This implies that all minors of order 3 are 0. Solving the MinRank Problem for matrix Z gives us a solution \(\mathbf{u}=(1,\theta ^{2689},\theta ^{240750},\theta ^{393451},\theta ^{682468},\theta ^{184068},\theta ^{218176},\theta ^{85224},\theta ^{760002})\). Then we have
where the last v rows of U are randomly chosen from \(\mathbb {F}_q\), such that U is invertible.
Thus we can recover an equivalent linear transformation \(\mathcal S\) as
A.2 Recovering \(\mathcal F\) and \(\mathcal T\)
Step 1. Once \(\mathcal S\) is known, let \(w_0,w_1,\cdots , w_{n-a-1}\) be unknowns and \(w_0=1\). We generate a linear system with \(d(n-d-a)\) equations in the \(n-a-1\) variables \(w_i\) \((1 \le i \le n-a-1)\) using the matrix Eq. (6). By solving this linear system we obtain the solution \( (1, \theta ^{558954}, \theta ^{326166}, \theta ^{142979}, \theta ^{806014})\).
Step 2. Let \( l_1, \cdots ,l_{a}\) and the nonzero entries of \(F^{*0}\) be variables in matrix Eq. (7). By using the first \(d+a\) rows of matrix Eq. (7) we get \((d+a) \cdot (n+v)\) bilinear equations as follows:
From the first row, we obtain \(\alpha _{00}=\theta ^{188027}, \alpha _{01} = \theta ^{87748}, \gamma _{00}=\theta ^{12513}, \gamma _{01}=\theta ^{253288}\). Once \(\alpha _{00}, \alpha _{01}\) are known, we get from the second row \(\alpha _{10} = \theta ^{87748}, \alpha _{11} = \theta ^{10485}, \gamma _{10}=\theta ^{581451}, \gamma _{11}=\theta ^{606062}, l_1 = \theta ^{146620}\). From the third row we can obtain \(l_2 = \theta ^{754380}\).
Once \(l_1,l_2\) are known, we get from the last v rows of matrix Eq. (7), \(\left( {\begin{array}{c}v+1\\ 2\end{array}}\right) \) univariate polynomial equations as follows:
Each of these equations has 49 solutions. We choose one of them as the value of \(\delta _{ij}\). Thus we have \(\delta _{00}= \theta ^{27191}, \delta _{01}=\delta _{10}=\theta ^{19044}, \delta _{11}=\theta ^{9718}\) and
Therefore we get an equivalent central map as \(F' = \theta ^{10485}X^{14} + \theta ^{362262}X^8 + \theta ^{188027}X^2 + (\theta ^{287027}x_{1} + \theta ^{527802}x_{2})X +( \theta ^{32423}x_{1}+ \theta ^{57034}x_{2})X^7 + \theta ^{27191}x_{1}^2 + \theta ^{293558}x_{1}x_{2} + \theta ^{9718}x_{2}^2 \) for F.
Let \((t_{1k},t_{2k}, \cdots , t_{nk})\) be the entries of the k-th \((k=1,2,\cdots , n-a)\) column of T. We get \(n-a\) linear systems from matrix Eq. (8) as shown by Proposition 7. By solving these linear systems we can recover an equivalent key of T as follows
It is easy to check that \(\mathcal {P}=\mathcal {T}\circ \mathcal {F}\circ \mathcal {S} = \mathcal {T'}\circ \mathcal {F'}\circ \mathcal {S'} \). Therefore the adversary can use the three maps \(\mathcal{T}'\), \(\mathcal{F}'\) and \(\mathcal{S}'\) to forge signatures for arbitrary messages.
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Tao, C., Petzoldt, A., Ding, J. (2021). Efficient Key Recovery for All HFE Signature Variants. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science, vol 12825. Springer, Cham. https://doi.org/10.1007/978-3-030-84242-0_4
DOI: https://doi.org/10.1007/978-3-030-84242-0_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84241-3
Online ISBN: 978-3-030-84242-0