On the security of biquadratic C∗ public-key cryptosystems and its generalizations

Public-key cryptosystems based on multivariate polynomials have been studied since the eighties. One of them, called C∗, was introduced in 1988 by Imai and Matsumoto and broken in 1993 by Dobbertin, in classified work he did for the German Federal Office for Information Security, and later by Patarin (see Dobbertin et al. 2005, Patarin 1995). Since then, the construction of multivariate systems sharing a great deal of the C∗ properties has become of particular interest. In a series of classified papers, and later together with the author in a challenge of the MysteryTwister-Competition hosted by the Horst-Görtz-Institute in 2005 (see Dobbertin et al. 2005), Dobbertin introduced a system whose central mapping is a power mapping of degree 4 and which shares almost all the properties of C∗. It was therefore called biquadratic C∗. The challenge remained unbroken and the security of these systems an open problem. As its key size is rather large, interest in such systems was low during the last years. Due to the initiative of the European Telecommunications Standards Institute and the National Institute of Standards and Technology in creating standards for post-quantum cryptography, systems with bigger key sizes have become of interest for practical applications. In this paper we consider biquadratic C∗ and more general systems based on hidden monomials of degree k, called k-ary C∗. We prove a lower bound for the running time of attacks based on Gröbner basis algorithms like F4 or F5. We compute the first fall degree for k-ary C∗ and give a counterexample to the first fall degree assumption. We derive an estimate for the complexity of breaking the above-mentioned cryptochallenge and give parameter sizes for secure systems, taking into account all known types of attacks. It turns out that the security requirements yield systems with impractical key sizes even for applications in post-quantum cryptography.
Although k-ary C∗ is not of practical interest, the results presented here give some insight into the complexity of attacks on multivariate cryptosystems, especially those based on Gröbner basis algorithms, and show that these systems are very promising objects for further research in this direction.
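As an added illustration, not from the paper, the script below builds the central map x ↦ x^e of a toy k-ary C∗ over GF(2^n) with q = 2 and checks the two properties the abstract builds on: the map is a permutation (so a ciphertext can be decrypted) exactly when gcd(e, 2^n − 1) = 1, and the public polynomials have algebraic degree k, the degree a Gröbner basis attack has to handle. The reading of "hidden monomial of degree k" as an exponent that is a sum of k powers of 2, the field sizes n = 7 and n = 8 with their reduction polynomials, and the exponents are my assumptions and constructed choices; no affine masking is included because it does not change the degree.

```python
from math import gcd

FIELD_POLY = {7: 0b10000011, 8: 0b100011011}  # x^7+x+1, x^8+x^4+x^3+x+1: irreducible over GF(2)

def gf_mul(a, b, n):
    """Carry-less product in GF(2^n), reduced modulo FIELD_POLY[n]."""
    poly, r = FIELD_POLY[n], 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r

def gf_pow(x, e, n):
    """x^e by square-and-multiply: the hidden central map applied to one x."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, n)
        x = gf_mul(x, x, n)
        e >>= 1
    return r

def is_bijective(e, n):
    """x -> x^e permutes GF(2^n) iff gcd(e, 2^n - 1) = 1; decryption needs this."""
    return gcd(e, (1 << n) - 1) == 1

def algebraic_degree(e, n):
    """Largest GF(2)-degree among the n coordinate polynomials of x -> x^e.
    The secret affine maps of C* preserve it, so it is also the degree of
    the public polynomials that Gröbner basis attacks (F4/F5) work on."""
    size, deg = 1 << n, 0
    for bit in range(n):
        anf = [(gf_pow(x, e, n) >> bit) & 1 for x in range(size)]  # truth table
        step = 1
        while step < size:  # Möbius transform: truth table -> ANF coefficients
            for i in range(size):
                if i & step:
                    anf[i] ^= anf[i ^ step]
            step <<= 1
        deg = max([deg] + [bin(m).count("1") for m in range(size) if anf[m]])
    return deg

def profile(n, shifts):
    """(e, k, bijective?, degree) for e = 2^s_1+...+2^s_k; k=2 is C*, k=4 biquadratic C* (assumed reading)."""
    e = sum(1 << s for s in shifts)
    return e, len(shifts), is_bijective(e, n), algebraic_degree(e, n)
```

`profile(7, (0, 1))` returns (3, 2, True, 2) for plain C∗ and `profile(7, (0, 1, 2, 3))` returns (15, 4, True, 4) for the biquadratic case, while `profile(8, (0, 1))` returns (3, 2, False, 2): over GF(2^8) no exponent 1 + 2^θ is coprime to 255, so the C∗ map is not invertible there.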

[1] Adi Shamir et al. Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. CRYPTO, 1999.

[2] Jacques Patarin et al. Asymmetric Cryptography with a Hidden Monomial. CRYPTO, 1996.

[3] Pierre-Alain Fouque et al. Practical Key-recovery For All Possible Parameters of SFLASH. IACR Cryptol. ePrint Arch., 2011.

[4] Hideki Imai et al. Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption. EUROCRYPT, 1988.

[5] Ming-Deh A. Huang et al. Last Fall Degree, HFE, and Weil Descent Attacks on ECDLP. CRYPTO, 2015.

[6] Christophe Petit et al. First fall degree and Weil descent. Finite Fields Their Appl., 2014.

[7] Jean-Jacques Quisquater et al. On Polynomial Systems Arising from a Weil Descent. ASIACRYPT, 2012.

[8] J. Faugère. A new efficient algorithm for computing Gröbner bases (F4). 1999.

[9] Jean-Charles Faugère et al. Comparison of XL and Gröbner basis algorithms over Finite Fields. 2004.

[10] Rudolf Lidl et al. Finite fields. 1983.

[11] Patrick Felke et al. On the Affine Transformations of HFE-Cryptosystems and Systems with Branches. WCC, 2005.

[12] Neal Koblitz et al. Algebraic aspects of cryptography. Algorithms and computation in mathematics, 1998.

[13] Hideki Imai et al. Comparison Between XL and Gröbner Basis Algorithms. ASIACRYPT, 2004.

[14] Louis Goubin et al. Asymmetric cryptography with S-Boxes. ICICS, 1997.

[15] John Baena et al. Rank Analysis of Cubic Multivariate Cryptosystems. IACR Cryptol. ePrint Arch., 2018.

[16] Jacques Patarin et al. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'88. CRYPTO, 1995.

[17] Antoine Joux et al. Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. CRYPTO, 2003.

[18] Daniel Smith-Tone et al. Differential Properties of the HFE Cryptosystem. PQCrypto, 2014.

[19] K. Conrad et al. Finite Fields. Series and Products in the Development of Mathematics, 2018.

[21] Jintai Ding et al. Inverting HFE Systems Is Quasi-Polynomial for All Fields. CRYPTO, 2011.