Graph-Theoretic Algorithms for the "Isomorphism of Polynomials" Problem

We give three new algorithms to solve the "Isomorphism of Polynomials" problem, which underlies the hardness of recovering the secret key in some multivariate trapdoor one-way functions. In this problem, the adversary is given two quadratic functions, with the promise that they are equal up to linear changes of coordinates. Her objective is to compute these changes of coordinates, a task which is known to be harder than Graph Isomorphism. Our new algorithms build on previous work in a novel way. Exploiting the birthday paradox, we break instances of the problem in time q^{2n/3} (rigorously) and q^{n/2} (heuristically), where q^n is the time needed to invert the quadratic trapdoor function by exhaustive search. These results are obtained by turning the algebraic problem into a combinatorial one, namely that of recovering partial information on an isomorphism between two exponentially large graphs. These graphs, derived from the quadratic functions, are new tools in multivariate cryptanalysis.
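To make the problem statement concrete, the following Python code builds a small IP instance over GF(2): a random quadratic map a, secret invertible linear changes of coordinates S and T, and the public map b = T ∘ a ∘ S, then checks the promise that b equals a up to S and T, and runs the 2^n exhaustive inversion that the abstract uses as the baseline cost q^n. This is an added example, not code from the paper, and it does not implement the paper's graph-based algorithms; the coefficient representation (one matrix Q, linear vector L and constant c per output coordinate), the field GF(2) and the dimension choices are assumptions made here for illustration.

```python
"""Constructing and checking an Isomorphism of Polynomials (IP) instance over GF(2).

Added example: a quadratic map a: GF(2)^n -> GF(2)^m is stored as m triples
(Q, L, c) with a(x)_k = x^T Q_k x + L_k . x + c_k (mod 2).  Two invertible
matrices S (n x n) and T (m x m) are the secret changes of coordinates and
b = T o a o S is the public map.  All of this is a hypothetical toy setup."""
import itertools
import random


def rank_gf2(M):
    """Rank over GF(2) by Gaussian elimination (used to test invertibility)."""
    M = [row[:] for row in M]
    rank, rows, cols = 0, len(M), len(M[0])
    for c in range(cols):
        piv = next((r for r in range(rank, rows) if M[r][c]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        for r in range(rows):
            if r != rank and M[r][c]:
                M[r] = [x ^ y for x, y in zip(M[r], M[rank])]
        rank += 1
    return rank


def rand_invertible(n, rng):
    """Random invertible n x n matrix over GF(2) (rejection sampling)."""
    while True:
        M = [[rng.randrange(2) for _ in range(n)] for _ in range(n)]
        if rank_gf2(M) == n:
            return M


def matmul(A, B):
    return [[sum(A[i][k] & B[k][j] for k in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]


def matvec(A, x):
    return [sum(a & b for a, b in zip(row, x)) & 1 for row in A]


def transpose(A):
    return [list(col) for col in zip(*A)]


def rand_quad(n, m, rng):
    """Random quadratic map GF(2)^n -> GF(2)^m in (Q, L, c) form."""
    return [([[rng.randrange(2) for _ in range(n)] for _ in range(n)],
             [rng.randrange(2) for _ in range(n)], rng.randrange(2))
            for _ in range(m)]


def eval_quad(f, x):
    """Evaluate the quadratic map f at the point x (a list of bits)."""
    out = []
    for Q, L, c in f:
        v = sum(xi & qi for xi, qi in zip(x, matvec(Q, x))) & 1   # x^T Q x
        v ^= sum(li & xi for li, xi in zip(L, x)) & 1              # L . x
        out.append(v ^ c)
    return out


def compose(T, f, S):
    """Return b = T o f o S symbolically, in the same (Q, L, c) representation."""
    m, n = len(T), len(S)
    St = transpose(S)
    b = []
    for k in range(m):
        # Row k of T selects which components of f are XORed into b_k.
        Q, L, c = [[0] * n for _ in range(n)], [0] * n, 0
        for j in range(m):
            if T[k][j]:
                Qj, Lj, cj = f[j]
                Q = [[q ^ r for q, r in zip(rq, rr)] for rq, rr in zip(Q, Qj)]
                L = [l ^ r for l, r in zip(L, Lj)]
                c ^= cj
        # Substituting x -> S x turns x^T Q x into x^T (S^T Q S) x and L.x into (S^T L).x.
        b.append((matmul(matmul(St, Q), S), matvec(St, L), c))
    return b


def is_ip_solution(a, b, S, T, n):
    """Check the IP promise pointwise: b(x) == T(a(S x)) for every x in GF(2)^n."""
    for x in itertools.product((0, 1), repeat=n):
        x = list(x)
        if eval_quad(b, x) != matvec(T, eval_quad(a, matvec(S, x))):
            return False
    return True


def invert_by_search(b, y, n):
    """Exhaustive inversion: all x with b(x) == y, costing 2^n evaluations (the q^n baseline)."""
    return [x for x in itertools.product((0, 1), repeat=n) if eval_quad(b, list(x)) == list(y)]


def build_instance(n, m, seed):
    """Constructed toy instance: returns (a, b, S, T) with b = T o a o S."""
    rng = random.Random(seed)
    a, S, T = rand_quad(n, m, rng), rand_invertible(n, rng), rand_invertible(m, rng)
    return a, compose(T, a, S), S, T


if __name__ == "__main__":
    n = m = 5
    a, b, S, T = build_instance(n, m, seed=1)
    print("promise holds:", is_ip_solution(a, b, S, T, n))
    x0 = [1, 0, 1, 1, 0]
    print("preimages of b(x0) by 2^n search:", invert_by_search(b, eval_quad(b, x0), n))
```

The point of the pointwise check is that the IP secret (S, T) is a witness that can be verified in 2^n evaluations, while recovering it from (a, b) alone is the hard direction; the exhaustive search at the end is the q^n cost the abstract's q^{2n/3} and q^{n/2} figures are measured against.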
