A multivariate cryptosystem inspired by random linear codes
Introduction
In the mid 1990s Peter Shor broke the cryptographic schemes that we currently use for information security in the public key setting, see [1]. If we accept that the construction of the technology to implement his attacks is an engineering challenge as opposed to a physical impossibility, then we admit that our current public key infrastructure is a paper tiger waiting to be crushed.
Since that time, several communities have emerged, devoted to various promising avenues to security in a post-quantum world, that is, a world with the large scale quantum computing devices required to undermine current public key cryptography by Shor's techniques. We can largely place these communities in four classes: code-based, isogeny-based, lattice-based and multivariate.
These families are all disparate, though there are sometimes some similarities between code-based and lattice-based techniques. Isogeny-based and multivariate cryptosystems, however, typically use tools that are far removed from those employed in the code-based and lattice-based camps.
An interesting though impractical scheme was presented at PKC 2012, see [2], which hacked a lattice technique for use as a multivariate cryptosystem. The main idea is to separate a multivariate quadratic system of formulae into a linear part L and a quadratic part Q playing the roles of the matrix A and the error distribution χ, respectively, in standard LWE, see [3]. The coefficients of L are very large, whereas the coefficients of Q are very small. When a small input x is introduced, a small vector is sampled and the “lattice point” is perturbed. As long as the parameters are quite large, and under some additional assumptions, the distribution of is close to that of where e is drawn from an appropriate Gaussian distribution, so that the security of the scheme is based on the LWE assumption and the MQ problem, that is, the problem of solving quadratic systems of equations over a field.
A natural question to ask is whether it is possible to breed a hybrid code-based multivariate scheme and what properties it might possess. In this work, we present a new multivariate encryption scheme inspired by and derived from linear codes. While the connection to code-based schemes is not as direct and apparent as the connection to LWE in [2], the construction appears versatile and amenable to adjustment for various security and performance properties. As an example of this malleability, we propose, in addition to the fundamental scheme, a variant with a decryption algorithm approximately 1600 times faster than the original, and, in fact, much faster than any multivariate encryption scheme targeting CCA security at the 128-bit security level; see Table 1 for a comparison with multivariate encryption schemes recently regarded as credibly secure, including Simple Matrix, Extension Field Cancellation, HFERP and EFLASH, see [4], [5], [6], [7]. One should note that all of these other multivariate encryption schemes have required parameter increases to adjust for new cryptanalytic techniques or tighter analyses discovered in the last few years, see [8], [9], [10], [11], [12]. In particular, EFLASH, EFC and HFERP are rendered completely unusable at the 128-bit level by [10], [11].
This manuscript is organized as follows. In Section 3 we present the framework for the new scheme. Then, in Section 4 we examine the decryption failure rate and set constraints on parameters to satisfy reasonable bounds. In Section 5 we introduce modifications, allowing fine tuning of security properties as well as dramatically improving performance, both in decryption time and in key size. We then conduct a security analysis against the known attack vectors in Section 6. In Section 7, we introduce some concrete parameters for future scrutiny at the 128-bit security level. Next, we discuss the algebraic and algorithmic relationship between our new construction, its modifications, and the schemes UOV and HFERP in Section 8. In Section 9, we compare our new encryption scheme with the ABC Simple Matrix scheme and note that while our scheme appears to be the only plausible candidate for CCA-secure applications, it appears to be superior for CPA-secure applications as well. Finally, we conclude, discussing future directions for this line of reasoning and reflecting on the current state of multivariate encryption.
Section snippets
Multivariate encryption schemes
Multivariate cryptography relies on a few critical assumptions. First, we assume that the problem of solving a system of quadratic equations over a finite field, the multivariate quadratic (MQ) problem, a well-known NP-complete problem, is hard on average. Second, we assume that there are families of quadratic maps for which the computation of preimages is efficient but which can be hidden by morphisms of polynomials, that is, by the left and right composition of affine maps. The main quest in
Nonlinear multivariate system from a linear code
Let be a finite field with q elements and let C be a rank k random linear code of length n over . Let G be the generator matrix for C in standard form and let H be the corresponding parity check matrix.
We construct a quadratic system of formulae as follows. First, randomly select k matrices in . Next form the products . Finally, let be defined by , where is given by
Given knowledge of the code C, preimages under F may be
Decryption failure rate
The hidden map F from Section 3 deviates significantly from a random function in that there is a large dimensional subspace on which it is identically zero. This property is not the only manner in which F behaves differently.
One would expect a random function from to to collide in every value approximately times; moreover, one would expect the distribution of multiplicities for each output to be centered at . The value, is small by design, however, and the output 0 occurs
Modifications
One clear problem with CBM is the poor decryption failure rate. Since the legitimate user needs to perform linear algebra steps to invert F, this quantity must remain small; however, inversion is infeasible even with a unique preimage when . Also, as will be shown in Section 6, the linear algebra search variant of the MinRank attack has a complexity that is only a factor of greater in the exponent than decryption by a legitimate user. Thus, to achieve a high level of security, extremely
Security analysis
Attacks on multivariate cryptosystems largely fall into a few categories: algebraic, rank, differential, statistical and ad hoc. We here analyze the scheme presented in Section 3 with respect to the first three of these categories. For space reasons, the statistical and ad hoc techniques are addressed in Appendix B.
Parameter selection
In selecting parameters, we consider the analyses of the previous section as well as efficiency. The most inefficient operation is inversion of the hidden map ; therefore, we begin by describing an efficient approach.
In key generation we fix the values of our coset representatives, and precompute the constants and the linear forms for each . Collectively, these values form an affine map . Inversion of is then accomplished by finding all preimages of
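An added toy illustration, not code from the paper, of the structure the snippets above describe: quadratic forms that are identically zero on the code C and affine on each coset r + C, so that whoever knows C inverts by enumerating the q^(n-k) coset representatives, solving one k x k linear system per coset, and collecting all preimages (a list of length other than one being a decryption failure). The page omits the formulas, so the shape F_i(x) = x^T (M_i H) x, the m - k extra random quadratic forms used to filter candidates (the "additional random polynomials" of Section 8), the parameters (q, n, k, m) = (3, 6, 3, 9) and the helper names solve_all and preimages are assumptions, and the linear forms and constants are recomputed per coset here instead of being precomputed at key generation.

```python
import itertools, random
q, n, k, m = 3, 6, 3, 9   # constructed toy parameters: field size, code length, code dimension, #equations
random.seed(7)
# Random [n, k] code in standard form: G = [I_k | A], H = [-A^T | I_(n-k)], so H G^T = 0 over F_q.
A = [[random.randrange(q) for _ in range(n - k)] for _ in range(k)]
G = [[int(i == j) for j in range(k)] + A[i] for i in range(k)]
H = [[(-A[j][i]) % q for j in range(k)] + [int(i == j) for j in range(n - k)] for i in range(n - k)]
# ASSUMED shape of the hidden map (the page omits the formula): k forms F_i(x) = x^T (M_i H) x, which
# vanish on C since H x = 0 there, followed by m - k purely random quadratic forms x^T N_j x.
Ms = [[[random.randrange(q) for _ in range(n - k)] for _ in range(n)] for _ in range(k)]
Ns = [[[random.randrange(q) for _ in range(n)] for _ in range(n)] for _ in range(m - k)]
def F(x):
    s = [sum(h * v for h, v in zip(row, x)) % q for row in H]   # syndrome of x; zero on C
    return tuple([sum(x[a] * M[a][b] * s[b] for a in range(n) for b in range(n - k)) % q for M in Ms]
                 + [sum(x[a] * N[a][b] * x[b] for a in range(n) for b in range(n)) % q for N in Ns])

def solve_all(rows, rhs):   # all a in F_q^k with rows*a = rhs: Gauss-Jordan, then free variables
    aug, pivots = [r[:] + [b] for r, b in zip(rows, rhs)], []
    for col in range(k):
        piv = next((i for i in range(len(pivots), k) if aug[i][col]), None)
        if piv is None:
            continue
        r = len(pivots)
        aug[r], aug[piv] = aug[piv], aug[r]
        aug[r] = [v * pow(aug[r][col], q - 2, q) % q for v in aug[r]]   # q prime: inverse by Fermat
        for i in range(k):
            if i != r and aug[i][col]:
                aug[i] = [(u - aug[i][col] * v) % q for u, v in zip(aug[i], aug[r])]
        pivots.append(col)
    if any(not any(row[:k]) and row[k] for row in aug):
        return []   # inconsistent system: no preimage in this coset
    free, sols = [c for c in range(k) if c not in pivots], []
    for vals in itertools.product(range(q), repeat=len(free)):
        a = dict(zip(free, vals))
        for i, c in enumerate(pivots):
            a[c] = (aug[i][k] - sum(aug[i][f] * a[f] for f in free)) % q
        sols.append([a[c] for c in range(k)])
    return sols

def preimages(y):   # inversion knowing C: one k x k linear solve per coset representative r = (0 | s)
    found = []
    for s in itertools.product(range(q), repeat=n - k):
        r = [0] * k + list(s)
        c0 = F(r)   # on r + C the first k coordinates of F are affine in a, where x = G^T a + r
        vals = [F([(r[j] + G[i][j]) % q for j in range(n)]) for i in range(k)]
        rows = [[(vals[i][t] - c0[t]) % q for i in range(k)] for t in range(k)]   # the linear forms
        for a in solve_all(rows, [(y[t] - c0[t]) % q for t in range(k)]):
            x = tuple((r[j] + sum(a[i] * G[i][j] for i in range(k))) % q for j in range(n))
            if F(x) == tuple(y):   # keep only solutions that also satisfy the m - k random forms
                found.append(x)
    return found   # decryption fails when this list has 0 or more than 1 entry
```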
Connections with UOV and HFERP
As noted in [33], the CBM scheme is algebraically the same structure as the Unbalanced Oil-Vinegar (UOV) scheme with additional random polynomials added and a linear output transformation applied. This equivalence is due to the fact that extending the generator matrix G to a full rank matrix provides a change of basis that transforms each of the k maps into the form of UOV maps, that is, maps which are simultaneously zero on an -dimensional subspace. Thus the portion of the private key F is
Comparison with ABC simple matrix scheme
As mentioned in Table 1, each of EFLASH, EFC and HFERP is harmed to the point of being completely unusable by the Support Minors approach to MinRank presented in [10] in conjunction with previous results, see [35], [11], [23]. Thus, the only plausibly useful multivariate encryption schemes currently are the ABC Simple Matrix scheme of [4] and the variants of CBM presented here.
Of these two, only CBM has modes of operation that can possibly claim CCA security due to the high failure rate
Conclusion
The multivariate encryption schemes inspired by linear codes presented here, CBM' and PCBM, form an interesting and novel avenue to explore in the attempt to find an efficient and secure multivariate public key encryption scheme. While the literature contains a few multivariate encryption schemes with a claim to solid theoretical foundations, none of these schemes has achieved noteworthy performance at the security levels necessary for future public key applications.
Without modification, the
References (45)
- et al., Simple matrix - a multivariate public key cryptosystem (MPKC) for encryption, Finite Fields Appl. (2015)
- et al., The magma algebra system I: the user language, J. Symb. Comput. (1997)
- Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Sci. Stat. Comput. (1997)
- et al., Public-key cryptography from new multivariate quadratic assumptions
- On lattices, learning with errors, random linear codes, and cryptography
- et al., Extension field cancellation: a new central trapdoor for multivariate quadratic systems
- Y. Ikematsu, R.A. Perlner, D. Smith-Tone, T. Takagi, J. Vates, HFERP - a new multivariate encryption scheme, [40], pp....
- et al., EFLASH: a new multivariate encryption scheme
- et al., A crossbred algorithm for solving Boolean polynomial systems
- et al., Combinatorial rank attacks against the rectangular simple matrix encryption scheme
- Improvements of algebraic attacks for solving the rank decoding and minrank problems
- A rank attack against extension field cancellation
- All in the c* family, Des. Codes Cryptogr.
- An asymptotically optimal structural attack on the ABC multivariate encryption scheme
- Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms
- Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic, Des. Codes Cryptogr.
- A method for obtaining digital signatures and public-key cryptosystems, Commun. ACM
- Could sflash be repaired?, Autom. Lang. Program.
- Pflash - secure asymmetric signatures on smart cards
- An updated security analysis of PFLASH
- Practical cryptanalysis of SFLASH
- Properties of the discrete differential with cryptographic applications