A multivariate cryptosystem inspired by random linear codes

https://doi.org/10.1016/j.ffa.2020.101778

Abstract

We introduce a new multivariate encryption scheme inspired by random linear codes. The construction is similar to that of UOV, one of the oldest and most trusted multivariate signature schemes, but with a parameterization nothing like that of UOV. The structure of the scheme admits many generic modifications providing an array of security and performance properties. The scheme also supports an embedding modifier which allows any efficiently invertible multivariate system to be incorporated into the scheme. The product of this methodology is the fastest secure multivariate encryption scheme targeting CCA security at the 128-bit level.

Introduction

In the mid 1990s Peter Shor broke the cryptographic schemes that we currently use for information security in the public key setting, see [1]. If we accept that the construction of the technology to implement his attacks is an engineering challenge as opposed to a physical impossibility, then we admit that our current public key infrastructure is a paper tiger waiting to be crushed.

Since that time, several communities have emerged, devoted to various promising avenues to security in a post-quantum world, that is, a world with the large scale quantum computing devices required to undermine current public key cryptography by Shor's techniques. We can largely place these communities in four classes: code-based, isogeny-based, lattice-based and multivariate.

These families are all disparate, though there are sometimes some similarities between code-based and lattice-based techniques. Isogeny-based and multivariate cryptosystems, however, typically use tools that are far removed from those employed in the code-based and lattice-based camps.

An interesting though impractical scheme was presented at PKC 2012, see [2], which hacked a lattice technique for use as a multivariate cryptosystem. The main idea is to separate a multivariate quadratic system of formulae into a linear part L and a quadratic part Q playing the roles of the matrix A and the error distribution χ, respectively, in standard LWE, see [3]. The coefficients of L are very large, whereas the coefficients of Q are very small. When a small input x is introduced, a small vector Q(x) is sampled and the “lattice point” L(x) is perturbed. As long as the parameters are quite large, and under some additional assumptions, the distribution of (L,Q(x)+L(x)) is close to that of (L,L(s)+e) where e is drawn from an appropriate Gaussian distribution, so that the security of the scheme is based on the LWE assumption and the MQ problem, that is, the problem of solving quadratic systems of equations over a field.

A natural question to ask is whether it is possible to breed a hybrid code-based multivariate scheme and what properties it might possess. In this work, we present a new multivariate encryption scheme inspired by and derived from linear codes. While the connection to code-based schemes is not as direct and apparent as the connection to LWE in [2], the construction appears versatile and amenable to adjustment for various security and performance properties. As an example of this malleability, we propose, in addition to the fundamental scheme, a variant with a decryption algorithm approximately 1600 times faster than the original, and, in fact, much faster than any multivariate encryption scheme targeting CCA security at the 128-bit security level; see Table 1 for a comparison with recent, credibly secure multivariate encryption schemes including Simple Matrix, Extension Field Cancellation, HFERP and EFLASH, see [4], [5], [6], [7]. One should note that all of these other multivariate encryption schemes have required parameter increases to adjust for new cryptanalytic techniques or tighter analyses that have been discovered in the last few years, see [8], [9], [10], [11], [12]. In particular, EFLASH, EFC and HFERP are rendered completely unusable at the 128-bit level by [10], [11].

This manuscript is organized as follows. In Section 3 we present the framework for the new scheme. Then, in Section 4 we examine the decryption failure rate and set constraints on parameters to satisfy reasonable bounds. In Section 5 we introduce modifications, allowing fine tuning of security properties as well as dramatically improving performance, both in decryption time and in key size. We then conduct a security analysis against the known attack vectors in Section 6. In Section 7, we introduce some concrete parameters for future scrutiny at the 128-bit security levels. Next, we discuss the algebraic and algorithmic relationship between our new construction, its modifications, and the schemes UOV and HFERP in Section 8. In Section 9, we compare our new encryption scheme with the ABC Simple Matrix scheme and note that while our scheme appears to be the only plausible candidate for CCA-secure applications, it appears to be superior for CPA-secure applications as well. Finally, we conclude, discussing future directions for this line of reasoning and reflecting on the current state of multivariate encryption.


Multivariate encryption schemes

Multivariate cryptography relies on a few critical assumptions. First, we assume that the problem of solving a system of quadratic equations over a finite field, the multivariate quadratic (MQ) problem, a well-known NP-complete problem, is hard on average. Second, we assume that there are families of quadratic maps for which the computation of preimages is efficient but which can be hidden by morphisms of polynomials, that is, by the left and right composition of affine maps. The main quest in

Nonlinear multivariate system from a linear code

Let $\mathbb{F}_q$ be a finite field with $q$ elements and let $C$ be a rank $k$ random linear code of length $n$ over $\mathbb{F}_q$. Let $G$ be the generator matrix for $C$ in standard form and let $H$ be the corresponding parity check matrix.

We construct a quadratic system of formulae as follows. First, randomly select $k$ matrices $A_i \in M_{n \times (n-k)}(\mathbb{F}_q)$. Next form the products $B_i = A_i H$. Finally, let $F : \mathbb{F}_q^n \to \mathbb{F}_q^k$ be defined by $F(x) = (F_1(x), \ldots, F_k(x))$, where $F_i(x)$ is given by $x B_i x^{\top}$.

Given knowledge of the code C, preimages under F may be
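The construction of Section 3 and the coset-wise inversion sketched under parameter selection, as an added toy implementation that is not the paper's code: it builds $G = [I_k \mid P]$ and $H = [-P^{\top} \mid I_{n-k}]$ so that $G H^{\top} = 0$, forms $B_i = A_i H$, and inverts $F$ by solving one affine $k \times k$ system per coset $r + C$ (so $q^{n-k}$ systems in all). The field size, code parameters and seed are constructed for illustration; the real scheme uses far larger parameters.

```python
import random
from itertools import product

def quad(x, B, q):  # x B x^T over F_q with x a row vector: this is F_i(x) when B = B_i
    return sum(x[a] * B[a][b] * x[b] for a in range(len(x)) for b in range(len(x))) % q
def solve_all(M, b, q):  # every y with M y = b over F_q: row-reduce, then enumerate free variables
    k, rows, piv = len(M[0]), [m[:] + [v] for m, v in zip(M, b)], []
    for c in range(k):
        p = next((i for i in range(len(piv), len(rows)) if rows[i][c]), None)
        if p is None: continue                      # no pivot in column c: free variable
        r = len(piv); rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], -1, q); rows[r] = [v * inv % q for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]; rows[i] = [(u - f * w) % q for u, w in zip(rows[i], rows[r])]
        piv.append(c)
    if any(not any(row[:-1]) and row[-1] for row in rows):
        return []                                   # inconsistent: no preimage in this coset
    free, sols = [c for c in range(k) if c not in piv], []
    for vals in product(range(q), repeat=len(free)):
        y = [0] * k
        for c, v in zip(free, vals): y[c] = v
        for i, c in enumerate(piv):
            y[c] = (rows[i][-1] - sum(rows[i][f] * y[f] for f in free)) % q
        sols.append(y)
    return sols
def keygen(q, n, k, seed=1):  # constructed toy key: [n,k] code in standard form and B_i = A_i H
    rng = random.Random(seed)
    P = [[rng.randrange(q) for _ in range(n - k)] for _ in range(k)]
    G = [[int(i == j) for j in range(k)] + P[i] for i in range(k)]              # G = [I_k | P]
    H = [[-P[i][j] % q for i in range(k)] + [int(j == m) for m in range(n - k)]
         for j in range(n - k)]                                                   # H = [-P^T | I], G H^T = 0
    Bs = []
    for _ in range(k):
        A = [[rng.randrange(q) for _ in range(n - k)] for _ in range(n)]       # A_i in M_{n x (n-k)}(F_q)
        Bs.append([[sum(A[a][t] * H[t][b] for t in range(n - k)) % q for b in range(n)] for a in range(n)])
    return G, Bs
def F(x, Bs, q):  # the quadratic map F(x) = (F_1(x), ..., F_k(x))
    return [quad(x, B, q) for B in Bs]
def invert(target, G, Bs, q):  # legitimate inversion: one affine k x k system per coset r + C
    n, k, pre = len(G[0]), len(G), []
    for e in product(range(q), repeat=n - k):      # q^(n-k) coset representatives r = (0 | e)
        r = [0] * k + list(e)
        rows, rhs = [], []                          # F_l(yG + r) = y (G B_l r^T) + r B_l r^T, affine in y
        for l, B in enumerate(Bs):
            rows.append([sum(G[i][a] * B[a][b] * r[b] for a in range(n) for b in range(n)) % q for i in range(k)])
            rhs.append((target[l] - quad(r, B, q)) % q)
        for y in solve_all(rows, rhs, q):
            pre.append([(sum(y[i] * G[i][a] for i in range(k)) + r[a]) % q for a in range(n)])
    return pre
```

Running `invert(F(x, Bs, q), G, Bs, q)` returns every preimage, so its length exposes the collision behaviour discussed under decryption failure, and `invert([0]*k, ...)` contains all $q^k$ codewords.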

Decryption failure rate

The hidden map F from Section 3 deviates significantly from a random function in that there is a large dimensional subspace on which it is identically zero. This property is not the only manner in which F behaves differently.

One would expect a random function from $\mathbb{F}_q^n$ to $\mathbb{F}_q^k$ to collide in every value approximately $q^{n-k}$ times; moreover, one would expect the distribution of multiplicities for each output to be centered at $q^{n-k}$. The value $n-k$ is small by design, however, and the output $0$ occurs

Modifications

One clear problem with CBM is the poor decryption failure rate. Since the legitimate user needs to perform $q^{n-k}$ linear algebra steps to invert $F$, this quantity must remain small; however, inversion is infeasible even with a unique preimage when $x \notin C$. Also, as will be shown in Section 6, the linear algebra search method of the MinRank attack has a complexity that is only a factor of 2pn greater in the exponent than decryption by a legitimate user. Thus, to achieve a high level of security, extremely

Security analysis

Attacks on multivariate cryptosystems largely fall into a few categories: algebraic, rank, differential, statistical and ad hoc. We here analyze the scheme presented in Section 3 with respect to the first three of these categories. For space reasons, the statistical and ad-hoc techniques are addressed in Appendix B.

Parameter selection

In selecting parameters, we consider the analyses of the previous section as well as efficiency. The most inefficient operation is inversion of the hidden map $F_Q$; therefore, we begin by describing an efficient approach.

In key generation we fix the values of our coset representatives $x$ and precompute the constants $x B_\ell x^{\top}$ and the linear forms $G B_\ell x^{\top}$ for each $1 \le \ell \le k$. Collectively, these values form an affine map $\mathcal{B} : \mathbb{F}_q^k \to \mathbb{F}_q^k$. Inversion of $F_Q$ is then accomplished by finding all preimages $x$ of $\mathcal{B}$

Connections with UOV and HFERP

As noted in [33], the CBM scheme is algebraically the same structure as the Unbalanced Oil-Vinegar (UOV) scheme with additional random polynomials added and a linear output transformation applied. This equivalence is due to the fact that extending the generator matrix $G$ to a full rank matrix provides a change of basis that transforms each of the $k$ maps $F_i$ into the form of UOV maps, that is, maps which are simultaneously zero on an $(n-k)$-dimensional subspace. Thus the portion of the private key $F$ is

Comparison with ABC simple matrix scheme

As mentioned in Table 1, each of EFLASH, EFC and HFERP is harmed to the point of being completely unusable by the Support Minors approach to MinRank presented in [10] in conjunction with previous results, see [35], [11], [23]. Thus, the only plausibly useful multivariate encryption schemes currently are the ABC Simple Matrix scheme of [4] and the variants of CBM presented here.

Of these two, only CBM has modes of operation that can possibly claim CCA security due to the high failure rate

Conclusion

The multivariate encryption schemes inspired by linear codes presented here, CBM' and PCBM, form an interesting and novel avenue to explore in the attempt to find an efficient and secure multivariate public key encryption scheme. While the literature contains a few multivariate encryption schemes with a claim to solid theoretical foundations, none of these schemes have achieved noteworthy performance at the security levels necessary for future public key applications.

Without modification, the

References (45)

  • C. Tao et al., Simple matrix - a multivariate public key cryptosystem (MPKC) for encryption, Finite Fields Appl. (2015)
  • W. Bosma et al., The Magma algebra system I: the user language, J. Symb. Comput. (1997)
  • P.W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Sci. Stat. Comput. (1997)
  • Y. Huang et al., Public-key cryptography from new multivariate quadratic assumptions
  • O. Regev, On lattices, learning with errors, random linear codes, and cryptography
  • A. Szepieniec et al., Extension field cancellation: a new central trapdoor for multivariate quadratic systems
  • Y. Ikematsu, R.A. Perlner, D. Smith-Tone, T. Takagi, J. Vates, HFERP - a new multivariate encryption scheme, [40], pp....
  • R. Cartor et al., EFLASH: a new multivariate encryption scheme
  • A. Joux et al., A crossbred algorithm for solving Boolean polynomial systems
  • D. Apon et al., Combinatorial rank attacks against the rectangular simple matrix encryption scheme
  • M. Bardet et al., Improvements of algebraic attacks for solving the rank decoding and MinRank problems
  • D. Smith-Tone et al., A rank attack against extension field cancellation
  • R. Cartor et al., All in the C* family, Des. Codes Cryptogr. (2020)
  • D. Moody et al., An asymptotically optimal structural attack on the ABC multivariate encryption scheme
  • J. Patarin, Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms
  • L. Bettale et al., Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic, Des. Codes Cryptogr. (2013)
  • R.L. Rivest et al., A method for obtaining digital signatures and public-key cryptosystems, Commun. ACM (1978)
  • J. Ding et al., Could SFLASH be repaired?, Autom. Lang. Program. (2009)
  • M.S. Chen et al., PFLASH - secure asymmetric signatures on smart cards
  • R. Cartor et al., An updated security analysis of PFLASH
  • V. Dubois et al., Practical cryptanalysis of SFLASH
  • D. Smith-Tone, Properties of the discrete differential with cryptographic applications
