Some Experimental Results on Attacking HFE with Buchberger



Ruhr University Bochum, Faculty of Mathematics, Information-Security and Cryptology
On the Security of
HFE, HFEv- and Quartz
Nicolas T. Courtois
Magnus Daum
Patrick Felke
This talk is supported by STORK
Overview
• What is HFE?
• Solving HFE systems with Gröbner Bases Algorithms
• Results from Simulations
• Conclusion
07.11.2002
Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz
What is HFE?
Basic HFE: Example
Basic HFE: Example
Basic HFE: Example
Verifying
Basic HFE: Example
Signing
Perturbations
• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure, e.g. „-“ (i.e. removing polynomials):
Public Key
Perturbations
• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure, e.g. „v“ (i.e. adding variables):
Public Key (after „mixing“ with S and T)
Perturbations
• Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure
• Perturbations can be combined, e.g. to HFEv- systems
• Quartz is a special instance of an HFEv- system
Parameters of HFEv-
• q: size of the smaller finite field K
• h: extension degree of L (i.e. |L| = q^h)
• d: degree of the hidden polynomial
• r: number of removed equations („-“)
• v: number of added variables („v“)
• m = h - r: number of equations in the public key
• n = h + v: number of variables in the public key
General Approach
General Approach: Example
Signing
General Approach: Example
Buchberger Algorithm
General Approach: Example
Buchberger Algorithm
Advantages:
• we compute only the information we need
• the degree of the polynomials involved in this computation is bounded
General Approach
• In general the Buchberger algorithm has exponential worst-case complexity
⇒ only feasible for very few unknowns
• But HFE systems are special:
- very small finite field
- quadratic polynomials
- solutions in the base field F_q
- hidden polynomial
⇒ Optimized variants of the Buchberger algorithm might be able to solve Basic HFE systems
General Approach
• Best known attack on Basic HFE:
Faugère's algorithm F5/2 (April 2002) successfully attacked HFE Challenge 1 (n=80, d=96) in 96h on an 833 MHz Alpha workstation
• On perturbed HFE systems:
– No feasible attacks known, but
– e.g. F5/2 can be applied to such systems
– Complexity is not known
Simulations
• Simulations were done in SINGULAR using the stdfglm function
• Parameters:
• Finite Field K with
• HFE systems with
and systems of random quadratic equations
• both with
,
Improvements
• A perturbed system consists of
equations and
unknowns.
• The following steps speed up the computations:
– Fix
variables with values not chosen before. Apply stdfglm to the resulting system.
– If the resulting system has no solution, repeat the above step until the resulting system has a solution.
Improvements
• Number of tries is 1.6 on average.
• For our experiments we define
• Usually we have
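A toy model of the procedure on the two "Improvements" slides, added here as an illustration (it is not the authors' SINGULAR code). It assumes that the number of fixed variables is n - m = v + r, so that the remaining system is square; a constructed random quadratic system over GF(2) with a planted common zero stands in for the public key, and exhaustive search over the m free variables stands in for stdfglm.

```python
import itertools
import random

def hfev_minus_sizes(h, r, v):
    """Public key of HFEv-: m = h - r equations in n = h + v unknowns."""
    return h - r, h + v

def evaluate(poly, x):
    """Value in GF(2) of a polynomial (set of monomials, each a frozenset of
    variable indices; the empty frozenset is the constant 1) at bit tuple x."""
    return sum(all(x[i] for i in mono) for mono in poly) % 2

def random_quadratic_system(m, n, planted, rng):
    """m random quadratic polynomials in n variables, with constants adjusted
    so that the constructed assignment `planted` is a common zero."""
    system = []
    for _ in range(m):
        poly = {frozenset(p) for p in
                itertools.combinations_with_replacement(range(n), 2) if rng.random() < 0.5}
        if evaluate(poly, planted) == 1:
            poly ^= {frozenset()}  # flip the constant term
        system.append(poly)
    return system

def fix_and_solve(system, n, m, rng):
    """'Improvements' procedure from the slides: fix n - m variables to values
    not chosen before, solve the square system that remains, repeat until it
    has a solution. Exhaustive search stands in for SINGULAR's stdfglm."""
    k = n - m  # assumption: v + r variables are fixed
    tried = set()
    while len(tried) < 2 ** k:
        fixed = tuple(rng.randint(0, 1) for _ in range(k))
        if fixed in tried:
            continue
        tried.add(fixed)
        for free in itertools.product((0, 1), repeat=m):
            if all(evaluate(p, fixed + free) == 0 for p in system):
                return fixed + free, len(tried)  # (solution, number of tries)
    return None, len(tried)

def demo(h=9, r=1, v=2, seed=1):
    """One constructed instance; returns (system, planted, found, tries)."""
    m, n = hfev_minus_sizes(h, r, v)
    rng = random.Random(seed)
    planted = tuple(rng.randint(0, 1) for _ in range(n))
    system = random_quadratic_system(m, n, planted, rng)
    found, tries = fix_and_solve(system, n, m, rng)
    return system, planted, found, tries
```

Because the planted zero's first v+r bits are eventually drawn, the loop always terminates within 2^(v+r) tries; the slides report 1.6 tries on average for their instances.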
What to Measure?
• Forging a signature of an HFEv- system means to solve a system of m quadratic equations in n unknowns, i.e. to solve an instance of the MQ-Problem.
• The MQ-Problem seems to be hard on average. A randomly chosen system is hard to solve.
Randomness
Security
• We define (randomness)
.
is the value of T obtained for random systems of quadratic equations.
Experimental Results
h=15, d=5, q=2
Experimental Results
• R depends mainly on the total number v+r of perturbations.
• „-“ may decrease the total time. Use more „v“.
If
, for an unperturbed HFE-system, then
• The more
, the more is the increase in the relative security when v+r is increased.
– e.g. if
, d the degree of the HFE polynomial, is small compared to h as in the case of Quartz.
Conclusions for Quartz
• Faugère's attack computes a Gröbner basis, so applying our results to his attack gives:
– For Quartz with d=129 and v+r=7 his attack will probably need
.
– For Quartz with d=257 we estimate a complexity of
Conclusions for Quartz
• The parameter d of Quartz probably needs to be increased from d=129 to d=257.
• Signatures with Quartz will then take 6 seconds on average (on a PC with 2 GHz). Compared to other schemes, slowness is currently the price to pay for short signatures.