Efficient Key Recovery for All HFE Signature Variants

Abstract

The HFE cryptosystem is one of the most popular multi- variate schemes. Especially in the area of digital signatures, the HFEv- variant offers short signatures and high performance. Recently, an instance of the HFEv- signature scheme called GeMSS was selected as one of the alternative candidates for signature schemes in the third round of the NIST Post-Quantum Crypto (PQC) Standardization Project.

In this paper, we propose a new key recovery attack on the HFEv- signature scheme. Our attack shows that both the Minus and the Vinegar modification do not enhance the security of the basic HFE scheme significantly. This shows that it is very difficult to build a secure and efficient signature scheme on the basis of HFE. In particular, we use our attack to show that the proposed parameters of the GeMSS scheme are not as secure as claimed.

A Example of the Attack

To illustrate our new attack method, we present a complete key recovery for a toy example of the HFEv- scheme over a small field. Let the parameters of our HFEv- instance be \((q,n,v,D,a)=(7,7,2,14,2)\). Then we have \(d = \lceil \log _{q}(D)\rceil =2\). We construct the degree n extension field \(\mathbb {F}_{q^n} = \mathbb {F}_{q}[x]/\langle x^7 + 6x + 4\rangle \). Let \(\theta \) be a primitive root of the irreducible polynomial \(p(x) = x^7 + 6x + 4\).

We randomly generate central map \(F =\theta ^{176932}X^{14} + \theta ^{461287}X^{8} + \theta ^{199902}X^{2} + (\theta ^{270502}x_{1} + \theta ^{358630}x_{2})X +(\theta ^{65557}x_{1} + \theta ^{2597}x_{2})X^{7} + \theta ^{811326}x_{1}^{2} + \theta ^{14415}x_{1}x_{2} + \theta ^{151050}x_{2}^{2}\). The linear transformations \(\mathcal S\) and \(\mathcal T\) are given by the matrices

$$\begin{aligned} S = \begin{pmatrix} {\begin{matrix} 3&{}1&{}1&{}6&{}4&{}2&{}0&{}1&{}6\\ 6&{}2&{}4&{}5&{}3&{}3&{}2&{}6&{}0\\ 6&{}1&{}3&{}4&{}4&{}2&{}4&{}5&{}3\\ 0&{}1&{}4&{}6&{}4&{}2&{}2&{}3&{}1\\ 2&{}0&{}0&{}5&{}2&{}4&{}2&{}1&{}3\\ 0&{}5&{}1&{}2&{}4&{}2&{}1&{}4&{}3\\ 3&{}3&{}5&{}0&{}2&{}6&{}4&{}6&{}6\\ 5&{}2&{}0&{}2&{}5&{}6&{}3&{}1&{}2\\ 6&{}2&{}5&{}5&{}5&{}4&{}3&{}6&{}1\\ \end{matrix}} \end{pmatrix} \mathrm{~and~} T = \begin{pmatrix} {\begin{matrix} 1&{}4&{}4&{}6&{}5\\ 0&{}6&{}5&{}3&{}2\\ 0&{}2&{}0&{}2&{}2\\ 1&{}3&{}1&{}0&{}1\\ 2&{}4&{}2&{}5&{}3\\ 3&{}4&{}1&{}0&{}6\\ 6&{}5&{}6&{}5&{}0\\ \end{matrix}} \end{pmatrix}. \end{aligned}$$

We compute the public key as \(\mathcal {P = T \circ F \circ S}\). The quadratic forms representing the public key polynomials are given as

$$\begin{aligned} P_0 =\begin{pmatrix} {\begin{matrix} 1&{}2&{}0&{}3&{}3&{}6&{}1&{}3&{}3\\ 2&{}6&{}0&{}4&{}4&{}3&{}4&{}4&{}3\\ 0&{}0&{}3&{}5&{}4&{}4&{}4&{}5&{}3\\ 3&{}4&{}5&{}2&{}1&{}1&{}3&{}2&{}1\\ 3&{}4&{}4&{}1&{}0&{}2&{}1&{}6&{}2\\ 6&{}3&{}4&{}1&{}2&{}5&{}0&{}5&{}1\\ 1&{}4&{}4&{}3&{}1&{}0&{}6&{}0&{}0\\ 3&{}4&{}5&{}2&{}6&{}5&{}0&{}3&{}2\\ 3&{}3&{}3&{}1&{}2&{}1&{}0&{}2&{}1\\ \end{matrix}} \end{pmatrix}, P_1 =\begin{pmatrix} {\begin{matrix} 4&{}0&{}3&{}3&{}5&{}6&{}6&{}3&{}2\\ 0&{}3&{}0&{}6&{}1&{}1&{}0&{}4&{}4\\ 3&{}0&{}3&{}3&{}5&{}4&{}5&{}5&{}4\\ 3&{}6&{}3&{}1&{}6&{}6&{}2&{}3&{}5\\ 5&{}1&{}5&{}6&{}1&{}6&{}3&{}6&{}4\\ 6&{}1&{}4&{}6&{}6&{}5&{}3&{}3&{}1\\ 6&{}0&{}5&{}2&{}3&{}3&{}0&{}0&{}5\\ 3&{}4&{}5&{}3&{}6&{}3&{}0&{}2&{}1\\ 2&{}4&{}4&{}5&{}4&{}1&{}5&{}1&{}6\\ \end{matrix}} \end{pmatrix}, P_2 =\begin{pmatrix} {\begin{matrix} 3&{}2&{}6&{}4&{}5&{}2&{}6&{}6&{}2\\ 2&{}5&{}1&{}0&{}6&{}4&{}1&{}5&{}4\\ 6&{}1&{}6&{}0&{}0&{}5&{}0&{}3&{}3\\ 4&{}0&{}0&{}5&{}5&{}5&{}5&{}2&{}2\\ 5&{}6&{}0&{}5&{}1&{}2&{}1&{}6&{}0\\ 2&{}4&{}5&{}5&{}2&{}4&{}1&{}5&{}0\\ 6&{}1&{}0&{}5&{}1&{}1&{}4&{}4&{}5\\ 6&{}5&{}3&{}2&{}6&{}5&{}4&{}4&{}4\\ 2&{}4&{}3&{}2&{}0&{}0&{}5&{}4&{}0\\ \end{matrix}} \end{pmatrix}, \end{aligned}$$

$$\begin{aligned} P_3 = \begin{pmatrix} {\begin{matrix} 2&{}6&{}4&{}5&{}4&{}1&{}6&{}0&{}1\\ 6&{}6&{}6&{}1&{}2&{}1&{}0&{}6&{}3\\ 4&{}6&{}2&{}6&{}1&{}5&{}0&{}4&{}6\\ 5&{}1&{}6&{}0&{}0&{}0&{}0&{}3&{}5\\ 4&{}2&{}1&{}0&{}6&{}1&{}6&{}0&{}4\\ 1&{}1&{}5&{}0&{}1&{}2&{}6&{}3&{}5\\ 6&{}0&{}0&{}0&{}6&{}6&{}5&{}6&{}1\\ 0&{}6&{}4&{}3&{}0&{}3&{}6&{}2&{}0\\ 1&{}3&{}6&{}5&{}4&{}5&{}1&{}0&{}1\\ \end{matrix}} \end{pmatrix} P_4 =\begin{pmatrix} {\begin{matrix} 3&{}0&{}5&{}4&{}5&{}6&{}0&{}5&{}2\\ 0&{}3&{}0&{}3&{}3&{}5&{}4&{}2&{}2\\ 5&{}0&{}4&{}2&{}4&{}6&{}1&{}1&{}3\\ 4&{}3&{}2&{}3&{}4&{}3&{}2&{}6&{}1\\ 5&{}3&{}4&{}4&{}1&{}2&{}3&{}3&{}6\\ 6&{}5&{}6&{}3&{}2&{}4&{}0&{}0&{}2\\ 0&{}4&{}1&{}2&{}3&{}0&{}6&{}5&{}1\\ 5&{}2&{}1&{}6&{}3&{}0&{}5&{}5&{}0\\ 2&{}2&{}3&{}1&{}6&{}2&{}1&{}0&{}3\\ \end{matrix}} \end{pmatrix}, \end{aligned}$$

Let \( M = \begin{pmatrix} {\begin{matrix} 1 &{}1 &{}1 &{}1 &{}1 &{}1 &{} 1\\ \theta &{}\theta ^{7} &{}\theta ^{49} &{}\theta ^{343} &{}\theta ^{2401} &{}\theta ^{16807} &{} \theta ^{117649}\\ \theta ^{2}&{}\theta ^{14}&{}\theta ^{98} &{}\theta ^{686} &{}\theta ^{4802} &{}\theta ^{33614} &{} \theta ^{235298}\\ \theta ^{3}&{}\theta ^{21}&{}\theta ^{147}&{}\theta ^{1029}&{}\theta ^{7203} &{}\theta ^{50421} &{} \theta ^{352947}\\ \theta ^{4}&{}\theta ^{28}&{}\theta ^{196}&{}\theta ^{1372}&{}\theta ^{9604} &{}\theta ^{67228} &{} \theta ^{470596}\\ \theta ^{5}&{}\theta ^{35}&{}\theta ^{245}&{}\theta ^{1715}&{}\theta ^{12005}&{}\theta ^{84035} &{} \theta ^{588245}\\ \theta ^{6}&{}\theta ^{42}&{}\theta ^{294}&{}\theta ^{2058}&{}\theta ^{14406}&{}\theta ^{100842} &{} \theta ^{705894}\\ \end{matrix}} \end{pmatrix} \mathrm {and}~~ \widetilde{ M} = \begin{pmatrix} {\begin{matrix} M &{} 0 \\ 0 &{} I_v \\ \end{matrix}} \end{pmatrix} \) In the following we demonstrate our method to recover the private key from \(\mathcal P\).

1.1 A.1 Recovering \(\mathcal S\)

Let the first row of matrix \(U=\widetilde{M}^{-1}S^{-1}\) be \((u_0, u_1, \cdots , u_{n+v-1})\). Fix \(u_0 = 1\) and let \(u_1, \cdots , u_{n+v-1}\) be unknowns. Set \(\mathbf {b}_i = (1, u_1, \cdots , u_{n+v-1})P_i, i = 0,1,\cdots ,n-a-1.\) Let \(\mathbf {b}_i\) be the i-th row of the matrix Z. Then the rank of Z is 2. This implies that all minors of order 3 are 0. Solving the MinRank Problem for matrix Z gives us a solution \(\mathbf{u}=(1,\theta ^{2689},\theta ^{240750},\theta ^{393451},\theta ^{682468},\theta ^{184068},\theta ^{218176},\theta ^{85224},\theta ^{760002})\). Then we have

$$\begin{aligned} U = \begin{pmatrix} {\begin{matrix} 1&{}\theta ^{2689}&{}\theta ^{240750}&{}\theta ^{393451}&{}\theta ^{682468}&{}\theta ^{184068}&{}\theta ^{218176}&{}\theta ^{85224}&{}\theta ^{760002}\\ 1&{}\theta ^{18823}&{}\theta ^{38166}&{}\theta ^{283531}&{}\theta ^{659566}&{}\theta ^{464934}&{}\theta ^{703690}&{}\theta ^{596568}&{}\theta ^{378762}\\ 1&{}\theta ^{131761}&{}\theta ^{267162}&{}\theta ^{337633}&{}\theta ^{499252}&{}\theta ^{783912}&{}\theta ^{808120}&{}\theta ^{58266}&{}\theta ^{180708}\\ 1&{}\theta ^{98785}&{}\theta ^{223050}&{}\theta ^{716347}&{}\theta ^{200596}&{}\theta ^{546132}&{}\theta ^{715588}&{}\theta ^{407862}&{}\theta ^{441414}\\ 1&{}\theta ^{691495}&{}\theta ^{737808}&{}\theta ^{73177}&{}\theta ^{580630}&{}\theta ^{528756}&{}\theta ^{67864}&{}\theta ^{384408}&{}\theta ^{619272}\\ 1&{}\theta ^{722755}&{}\theta ^{223404}&{}\theta ^{512239}&{}\theta ^{770242}&{}\theta ^{407124}&{}\theta ^{475048}&{}\theta ^{220230}&{}\theta ^{217194}\\ 1&{}\theta ^{118033}&{}\theta ^{740286}&{}\theta ^{291505}&{}\theta ^{450442}&{}\theta ^{379242}&{}\theta ^{31168}&{}\theta ^{718068}&{}\theta ^{696816}\\ 1 &{} 5 &{} 1 &{} 0 &{} 1 &{} 3 &{} 0 &{} 3 &{} 2\\ 4 &{} 6 &{} 1 &{} 5 &{} 4 &{} 5 &{} 5 &{} 6 &{} 6\\ \end{matrix}} \end{pmatrix}, \end{aligned}$$

where the last v rows of U are randomly chosen from \(\mathbb {F}_q\), such that U is invertible.

Thus we can recover an equivalent linear transformation \(\mathcal S\) as

$$\begin{aligned} S' =U^{-1}\widetilde{M}^{-1}= \begin{pmatrix} {\begin{matrix} 0&{} 1&{} 1&{} 2&{} 3&{} 6&{} 6&{} 0&{} 6\\ 1&{} 4&{} 5&{} 3&{} 1&{} 6&{} 0&{} 4&{} 6\\ 4&{} 5&{} 3&{} 1&{} 5&{} 6&{} 0&{} 6&{} 4\\ 5&{} 0&{} 1&{} 2&{} 5&{} 6&{} 0&{} 2&{} 0\\ 2&{} 3&{} 1&{} 3&{} 5&{} 6&{} 0&{} 3&{} 1\\ 1&{} 6&{} 5&{} 0&{} 4&{} 1&{} 0&{} 4&{} 1\\ 0&{} 4&{} 6&{} 4&{} 2&{} 2&{} 0&{} 6&{} 2\\ 2 &{} 1 &{} 5 &{} 2 &{} 5 &{} 1 &{} 2 &{} 1 &{} 2\\ 6 &{} 0 &{} 2 &{} 6 &{} 4 &{} 6 &{} 1 &{} 5 &{} 6\\ \end{matrix}} \end{pmatrix}. \end{aligned}$$

Recovering \(\mathcal F\) and \(\mathcal T\). Step 1. Once \(\mathcal S\) is known, let \(w_0,w_1,\cdots , w_{n-a-1}\) be unknowns and \(w_0=1\). We generate a linear system with \(d(n-d-a)\) equations in the \(n-a-1\) variables \(w_i, (1 \le i < n-a-1)\) using the matrix Eq. (6). By solving this linear system we obtain a solution \( (1, \theta ^{558954}, \theta ^{326166}, \theta ^{142979}, \theta ^{806014})\).

Step 2. Let \( l_1, \cdots ,l_{a}\) and the nonzero entries of \(F^{*0}\) be variables in matrix Eq. (7). By using the first \(d+a\) rows of matrix Eq. (7) we get \((d+a) \cdot (n+v)\) bilinear equations as follows:

From the first row, we obtain \(\alpha _{00}=\theta ^{188027}, \alpha _{01} = \theta ^{87748}, \gamma _{00}=\theta ^{12513}, \gamma _{01}=\theta ^{253288}\). Once \(\alpha _{00}, \alpha _{01}\) are known, we get from the second row \(\alpha _{10} = \theta ^{87748}, \alpha _{11} = \theta ^{10485}, \gamma _{10}=\theta ^{581451}, \gamma _{11}=\theta ^{606062}, l_1 = \theta ^{146620}\). From the third row we can obtain \(l_2 = \theta ^{754380}\).

Once \(l_1,l_2\) are known, we get from the last v rows of matrix Eq. (7), \(\left( {\begin{array}{c}v+1\\ 2\end{array}}\right) \) univariate polynomial equations as follows:

$$\begin{aligned} \begin{array}{l} \theta ^{754380}\delta _{00}^{49} + \theta ^{146620}\delta _{00}^7 + \delta _{00} + \theta ^{81317} = 0,\\ \theta ^{754380}\delta _{01}^{49} + \theta ^{146620}\delta _{01}^7 + \delta _{01} + \theta ^{689914} = 0,\\ \theta ^{754380}\delta _{11}^{49} + \theta ^{146620}\delta _{11}^7 + \delta _{11} + \theta ^{162754} = 0. \end{array} \end{aligned}$$

Each of these equations has 49 solutions. We choose one of them as the value of \(\delta _{ij}\). Thus we have \(\delta _{00}= \theta ^{27191}, \delta _{01}=\delta _{10}=\theta ^{19044}, \delta _{11}=\theta ^{9718}\) and

$$\begin{aligned} F^{*0}=\begin{pmatrix} {\begin{matrix} \theta ^{188027}&{}\theta ^{87748}&{}0&{}0&{}0&{}0&{}0&{}\theta ^{12513}&{}\theta ^{253288}\\ \theta ^{87748}&{}\theta ^{10485}&{}0&{}0&{}0&{}0&{}0&{}\theta ^{581451}&{}\theta ^{606062}\\ 0&{}0&{}0&{}0&{}0&{}0&{}0&{}0&{}0\\ 0&{}0&{}0&{}0&{}0&{}0&{}0&{}0&{}0\\ 0&{}0&{}0&{}0&{}0&{}0&{}0&{}0&{}0\\ 0&{}0&{}0&{}0&{}0&{}0&{}0&{}0&{}0\\ 0&{}0&{}0&{}0&{}0&{}0&{}0&{}0&{}0\\ \theta ^{12513}&{}\theta ^{581451}&{}0&{}0&{}0&{}0&{}0&{}\theta ^{27191}&{}\theta ^{19044}\\ \theta ^{253288}&{}\theta ^{606062}&{}0&{}0&{}0&{}0&{}0&{}\theta ^{19044}&{}\theta ^{9718}\\ \end{matrix}} \end{pmatrix} \end{aligned}$$

Therefore we get an equivalent central map as \(F' = \theta ^{10485}X^{14} + \theta ^{362262}X^8 + \theta ^{188027}X^2 + (\theta ^{287027}x_{1} + \theta ^{527802}x_{2})X +( \theta ^{32423}x_{1}+ \theta ^{57034}x_{2})X^7 + \theta ^{27191}x_{1}^2 + \theta ^{293558}x_{1}x_{2} + \theta ^{9718}x_{2}^2 \) for F.

Let \((t_{1k},t_{2k}, \cdots , t_{nk})\) be entries of the k-th \((k=1,2,\cdots , n-a)\) column of T. Get \(n-a\) linear systems from matrix Eq. (8) as shown by Proposition 7. By solving these linear systems we can recover a equivalent key of T as follows

$$\begin{aligned} T' = \begin{pmatrix} {\begin{matrix} 1&{}1&{}6&{}0&{}5&{}\\ 3&{}3&{}2&{}0&{}2&{}\\ 1&{}3&{}2&{}5&{}6&{}\\ 6&{}6&{}6&{}0&{}2&{}\\ 2&{}2&{}3&{}3&{}6&{}\\ 2&{}2&{}1&{}0&{}5&{}\\ 0&{}5&{}1&{}3&{}0&{}\\ \end{matrix}} \end{pmatrix}. \end{aligned}$$

It is easy to check that \(\mathcal {P}=\mathcal {T}\circ \mathcal {F}\circ \mathcal {S} = \mathcal {T'}\circ \mathcal {F'}\circ \mathcal {S'} \). Therefore the adversary can use the three maps \(\mathcal{T}'\), \(\mathcal{F}'\) and \(\mathcal{S}'\) to forge signatures for arbitrary messages.