TWO-FACE New Public Key Multivariate Schemes


TWO-FACE: New Public Key Multivariate Schemes
AfricaCrypt 2018
Jacques Patarin, Gilles Macario-Rat

Motivations
Search for new multivariate schemes for post-quantum cryptography, particularly for encryption. (At present multivariate public key schemes are more efficient in signature than in encryption.)
Perturbed HFE and UOV still valid.
Search for new multivariate quadratic permutations.

Generic scheme for Quadratic Multivariate Cryptography
Trapdoor P: multivariate quadratic polynomial, P(x) = y, with an efficient way to solve in x.
Secret structure: T, S linear.
Public = T ∘ P ∘ S: a set of quadratic multivariate equations.

Two-Face: Basic Idea
Trapdoor Face n° 1: E1(x) = y. Multivariate quadratic polynomial. Not efficient for solving (high degree in x).
Public = T ∘ E1 ∘ S: a set of quadratic multivariate equations.
Face n° 2: E2(x,y) = 0. Efficient way to solve in x. Not quadratic (high degree in y).
E1 and E2 are of course related: ( E1(x) = y ) => ( E2(x,y) = 0 )

Two-Face, initial Flavor: Dob
Dobbertin Permutation Polynomial is a simple 2Face! This is the original family from which we imagined the Two-face public key schemes.
Dobbertin in 1999 proved that for any integer m, and with n = 2m - 1, the polynomial P(x) = x^{2^m+1} + x^3 + x is a permutation over GF(2^n).
Moreover, from (Face 1):
y = E1(x) = x^{2^m+1} + x^3 + x (1)
we can get this equation (Face 2):
E2(x,y) = x^9 + x^6 y + x^4 y + x^5 + x^3 y^{2^m} + x^3 y^2 + x y^2 + y^3 = 0 (2)
From (2), when y is given, we can easily find x by solving this equation of degree only 9.
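The two faces of Dob can be checked exhaustively on a toy field. The following is an added example, not code from the slides or the authors: it verifies for m = 3 and m = 4 that Face 1 is a permutation of GF(2^n), that every pair (x, E1(x)) satisfies Face 2, and that x can be recovered from y through the degree-9 equation. The reduction polynomials and the brute-force root search are assumptions made for the illustration.

```python
# Added example: checks the two faces of the Dob polynomial over a small GF(2^n).
# Field elements are ints whose bits are polynomial coefficients over GF(2).
# Assumed moduli (not from the slides): x^5+x^2+1 for m=3, x^7+x+1 for m=4.
MODULI = {3: 0b100101, 4: 0b10000011}

class Dob:
    def __init__(self, m):
        self.m, self.n, self.mod = m, 2 * m - 1, MODULI[m]

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.n:          # reduce as soon as the degree reaches n
                a ^= self.mod
        return r

    def pw(self, a, e):              # square-and-multiply exponentiation
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

    def e1(self, x):                 # Face 1: y = x^(2^m+1) + x^3 + x
        return self.pw(x, 2**self.m + 1) ^ self.pw(x, 3) ^ x

    def e2(self, x, y):              # Face 2: degree 9 in x, high degree in y
        p, mu, t = self.pw, self.mul, self.pw(y, 2**self.m)
        y2 = p(y, 2)
        return (p(x, 9) ^ mu(p(x, 6), y) ^ mu(p(x, 4), y) ^ p(x, 5)
                ^ mu(p(x, 3), t) ^ mu(p(x, 3), y2) ^ mu(x, y2) ^ p(y, 3))

    def invert(self, y):
        # Toy root finding by exhaustive evaluation; keep roots that satisfy Face 1.
        roots = [x for x in range(2**self.n) if self.e2(x, y) == 0]
        return roots, [x for x in roots if self.e1(x) == y]

def check(m):
    d = Dob(m)
    xs = range(2**d.n)
    permutation = len({d.e1(x) for x in xs}) == 2**d.n
    relation = all(d.e2(x, d.e1(x)) == 0 for x in xs)
    max_roots = max(len(d.invert(y)[0]) for y in xs)
    return permutation, relation, max_roots
```

Face 2 may have roots in x that do not satisfy Face 1, which is why `invert` filters the candidates with `e1`.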

Cryptanalysis of the “nude Dob”
If we used (1) directly in a “nude Dob” scheme, i.e. without any perturbation, we would get a weak scheme, totally broken by Gröbner basis computations. More precisely, the degree of regularity obtained in a Gröbner basis attack is always only 3 in the experiments we conducted. (The degree of regularity is the highest degree that must be used in order for the Gröbner basis computation to succeed.)
However, with adequate perturbations the modified scheme resists so far all the attacks we know.

Examples of perturbations, examples of parameters for Dob+
Some perturbations are better for signatures, and some are better for encryption. For encryption with Dob, we suggest using the two perturbations: + and .
+: we mix the public key with a small number r of random secret quadratic equations in all the n variables.
: we mix the public key with n random secret quadratic equations in a small number s of variables.
Example of parameters for Dob+
For example, the parameters n = 129, r = s = 6 give a very efficient multivariate public key encryption scheme. Decryption costs 2^{12} root computations of a degree-9 polynomial. At present our best known attacks require 2^{80} computations, or more.

Two-Face, first Variant: Simple PAT
Deriving new relations E1/E2.
E1(x) = x^{1+q^m} + Q(x) = y, over GF(q^n) with n = 2m - 1.
New inner relation between x and y by introducing a new variable z: z = x^{q^m}.
Elimination of z between E1(x) - y and (E1(x) - y)^{q^m}.
E2(x,y) is the resultant.
The degree of E2 in x is ≤ (the degree of Q)².

Examples of Simple PAT
Example 1.
(Face 1): y = E1(x) = x^{2^m+1} + x^5 + x^3 (1)
(Face 2): E2(x,y) = x^{25} + x^{23} + x^{20} y + x^{13} + x^9 + x^8 y + x^7 y^2 + x^6 y + x^5 y^4 + x^5 y^2 + x^5 y^{2^m} + x^3 y^4 + x^2 y^3 + y^5 = 0 (2)
Example 2.
(Face 1): y = E1(x) = x^{2^m+1} + x^6 + x^5 (1)
(Face 2): E2(x,y) = x^{36} + x^{34} + x^{32} + x^{31} + x^{27} + x^{26} + x^{25} y + x^{24} y^2 + x^{21} y + x^{20} y^2 + x^{13} + x^{12} y^4 + x^{12} + x^{10} y^4 + x^7 y^4 + x^7 y + x^6 y^4 + x^6 y^{2^m} + x y^5 + y^6 = 0 (2)

Simple PAT versus HFE (Nude) Simple PAT (Nude) HFE dreg 9 81 39 4 10 100 5 12 144 23 20 400 25 24 576 32 1024 33 1089 6 34 1156 d n dreg 36 25 4 32 41 81 128 129 5 257 513 6

Two-Face, next Variant: General PAT
Deriving new relations E1/E2.
More complex expressions but with a similar pattern.
E1(x) = B(x, x^{2^m}) = y, over GF(2^n) with n = 2m - 1.
Again z = x^{2^m}.
Elimination of z between B(x,z) - y and (B(x,z) - y)^{2^m}.
E2(x,y) is the resultant; its degree is bounded by the degree of B.

General PAT versus HFE (Nude) General PAT (Nude) HFE dreg 9 162 25 5 10 200 14 17 578 6 18 648 20 800 30 1152 33 50 4608 7 d n dreg 36 25 4 129 5 257 513 6 1025 32 2049 33 3072 4097 7

Two-Face, Need for perturbations
All nude Two-Face schemes are weak (sub-exponential attacks), same as for HFE.
Circle Plus, Plus, Minus, Circle v: suitable perturbations (only known exponential attacks).
Generally require a small amount q^k of exhaustive search.
Some are suitable for encryption and/or signature.
The perturbations should be considered as a fundamental part of the schemes.

Two-Face, Variant: MAC
We have found 7 new families of Multivariate Quadratic Permutation Polynomials!
E1(x) = B(x,z) with z = x^{q^m}.
Exhaustive search on B.
Open problem: Are multivariate permutation polynomials more suitable for Multivariate Quadratic schemes?

Examples of MAC
Example 1. Let z = x^{2^m} and t = y^{2^m}.
(Face 1): y = E1(x) = x^2 z^2 + x^2 z + x z (1)
(Face 2): E2(x,y) = x^4 y^2 + x^4 y + x^4 t + x^3 y + x^2 t + x y + x t + y^2 + t^2 + t = 0 (2)
Example 2.
(Face 1): y = E1(x) = x^4 z^2 + x^2 z + x z (1)
(Face 2): E2(x,y) = x^8 y + x^8 t^2 + x^8 t + x^7 t + x^6 y + x^6 t + x^5 y + x^4 y + x^3 y^2 + x^3 y + x^2 y^2 + x^2 y + x y + y^4 + y^2 + t = 0 (2)

Conclusions, Perspectives, Open Questions
The degree of regularity seems to behave much as in the HFE case. Why? This is not clear yet.
We have found 7 new families of multivariate quadratic permutations. Why did we find so many new families by looking for 2Faces properties? This is not clear yet.
Is it possible to find more families (non-isomorphic)?
Why do permutations generally have a much smaller degree of regularity?
Ongoing work on cubic schemes (instead of quadratic).

Thank you