Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology On the Security of HFE, HFEv- and Quartz Nicolas T. CourtoisMagnus DaumPatrick Felke This talk is supported by STORK

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz What is HFE? Solving HFE systems with Gröbner Bases Algorithms Results from Simulations Conclusion Overview

What is HFE?

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Basic HFE: Example

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Basic HFE: Example

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Basic HFE: Example Verifying

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Basic HFE: Example Signing

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Perturbations Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure e.g. „-“ (i.e. removing polynomials): Public Key

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Perturbations Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure e.g. „v“ (i.e. adding variables): ( after „mixing“ with S and T) Public Key

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Perturbations Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure Perturbations can be combined, e.g. to HFEv- systems Quartz is a special instance of an HFEv- system

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Parameters of HFEv- qsize of smaller finite field K hextension degree of L (i.e. |L|=q h ) ddegree of hidden polynomial  rnumber of removed equations („-“) vnumber of added variables („v“) m=h-r number of equations in the public key n=h+v number of variables in the public key

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz –General Approach with Buchberger Algorithm –Characteristics of HFE systems –Faugère‘s Attack on HFE Challenge 1 What is HFE? Solving HFE systems with Gröbner Bases Algorithms Results from Simulations Conclusion Overview

General Approach

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz General Approach: Example Signing

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Buchberger Algorithm General Approach: Example

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz General Approach: Example Buchberger Algorithm Advantages: we compute only information we need degree of polynomials involved in this computation is bounded Buchberger Algorithm

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz General Approach In general Buchberger algorithm has exponential worst case complexity ) only feasible for very few unknowns But HFE systems are special: ) Optimized variants of Buchberger algorithm might be able to solve Basic HFE systems - very small finite field - quadratic polynomials - solutions in the base field F q - hidden polynomial

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz General Approach Best known Attack on Basic HFE: Faugère’s Algorithm F5/2 (April 2002) succesfully attacked HFE challenge 1 (n=80, d=96) in 96h on 833 MHz Alpha workstation On perturbated HFE systems: –No feasible attacks known, but –e.g. F5/2 can be applied to such systems –Complexity is not known

Simulations

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz simulations were done in SINGULAR using the stdfglm function Parameters: Finite Field K with HFE systems with and systems of random quadratic equations both with, equations unknowns Simulations

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Improvements A perturbated system consists of equations and unkowns. The following steps speed up the computations: –Fix variables with values not chosen before. Apply stdfglm to the resulting system. –If the resulting system has no solution, repeat the above step until the resulting system has a solution.

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Improvements Number of tries is 1.6 on average. For our experiments we define Usually we have

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz What to Measure? Forging a signature of an HFEv- system means to solve a system of m quadratic equations in n un- knowns, i.e. to solve an instance of the MQ-Problem. The MQ-Problem seems to be hard on average. A randomly chosen system is hard to solve. Randomness Security We define (randomness). is the value of T obtained for random systems of quadratic equations.

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Experimental Results ∙3∙3∙3∙3∙2 h=15, d=5, q=2

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Experimental Results R depends mainly on the total number v+r of perturbations. „-“ may decrease the total time. Use more „v“. If, for an unperturbated HFE-system, then The more, the more is the increase in the relative security when v+r is increased. –e.g. if, d the degree of the HFE polynomial, is small compared to h as in case of Quartz.

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Conclusions for Quartz Faugère`s attack computes a Gröbner Basis, so applying our results to his attack gives: –For Quartz with d=129 and v+r=7 his attack will probably need. –For Quartz with d=257 we estimate a complexity of

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz Conclusions for Quartz The parameter d of Quartz probably needs to be increased from d=129 to d=257. Signatures with Quartz will then take 6 seconds on average (on PC with 2GHZ). Compared to other schemes slowness is currently the price to pay for short signatures.