
Computer Algebra and Cryptography

Ludovic Perret (joint work with Jean-Charles Faugère)

SALSA, LIP6, Université Paris 6 & INRIA Paris-Rocquencourt

ludovic.perret@lip6.fr

Workshop on block ciphers and their security

Outline

1 Algebraic Cryptanalysis
    How to Solve it: Gröbner basics

2 Cryptanalysis of Multivariate Schemes
    Multivariate Public Key Cryptography
    Algebraic Cryptanalysis of UOV
    MinRank
        A Fresh Look at Kipnis-Shamir's Attack
        Experimental Results
        Theoretical Analysis

3 Algebraic Aspects of Block Ciphers
    Basic Idea
    Flurry: a Family of Toy Ciphers
    Toward an Efficient Cryptanalysis of Flurry

4 Conclusion

General Context

C.E. Shannon

Communication Theory of Secrecy Systems (1949)

"Breaking a good cipher should require as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type."

Algebraic Cryptanalysis

Principle

Model a cryptosystem as a set of algebraic equations
Try to solve this system (or estimate the difficulty of solving)

Pioneers

J. Patarin, A. Shamir, N. Courtois, W. Meier, J.-C. Faugère, . . .

Approach / Difficulties

Model a cryptosystem as a set of algebraic equations:
    "universal" approach (PoSSo is NP-Hard) ⇒ several models are possible!!!

Solving:
    ⇒ Minimize the number of variables/degree
    ⇒ Maximize the number of equations

Specificity

Solving algebraic systems: use the cryptographic context
Gröbner bases


W. Gröbner

System Solving

Problem

$f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n) \in K[x_1,\dots,x_n]$

Compute $V_K(f_1,\dots,f_m) = \{ z = (z_1,\dots,z_n) \in K^n : f_1(z) = 0,\dots,f_m(z) = 0 \}$

Lemma

Let $I = \langle f_1,\dots,f_m,\ x_1^p - x_1,\dots,x_n^p - x_n \rangle$, with $p = \mathrm{Char}(K)$.

A LEX Gröbner basis of a zero-dimensional system is always as follows:

$\{ g_1(x_1),\ g_2(x_1,x_2),\dots,g_{k_2}(x_1,x_2),\ g_{k_2+1}(x_1,x_2,x_3),\dots,\dots \}$

Change of ordering

Computing a LEX Gröbner basis is much slower than computing a DRL Gröbner basis.

J.-C. Faugère, P. Gianni, D. Lazard, T. Mora. Efficient Computation of Zero-dimensional Gröbner Bases by Change of Ordering. J. Symb. Comp., 1993.

Fact

$D$: the number of zeroes (with multiplicities) of $I \subset K[x_1,\dots,x_n]$. FGLM computes a DRL-Gröbner basis of $I$ knowing a LEX Gröbner basis in:

$O(nD^3)$.

Zero-dim solving : a two steps process

Compute a DRL Gröbner basis:
    Buchberger's algorithm (1965)
    F4 (J.-C. Faugère, 1999)
    F5 (J.-C. Faugère, 2002)

⇒ For a zero-dim system ($n$ variables): $O(n^{3 \cdot d_{reg}})$, $d_{reg}$ being the max. degree reached during the computation.

If #eq. = #var: $d_{reg}$ is gen. equal to $n + 1$.
#Sol $\le \prod_{i=1}^{n} \deg_i$ (Bézout's bound)

Complexity of F5

For a semi-regular system of $m$ ($> n$) quadratic equations over $K[x_1,\dots,x_n]$ the degree of regularity is given by:

$\sum_{i \ge 0} a_i z^i = \dfrac{(1 - z^2)^m}{(1 - z)^n}.$

M. Bardet, J.-C. Faugère, B. Salvy and B.-Y. Yang. Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems. MEGA 2005.

If $m = n + 1$, $d_{reg} \underset{n \to \infty}{\sim} \left\lceil \dfrac{n + 1}{2} \right\rceil$.

Complexity of F5

For a semi-regular system of $m$ ($> n$) quadratic equations over $K[x_1,\dots,x_n]$ the degree of regularity is given by:

$\sum_{i \ge 0} a_i z^i = \dfrac{(1 - z^2)^m}{(1 - z)^n}.$

If $m = n + 1$:

$d_{reg} = \left\lceil \dfrac{n + 1}{2} \right\rceil.$

A. Szanto. Multivariate Subresultants using Jouanolou's Resultant Matrices. Journal of Pure and Applied Algebra.


Motivation

A. Bogdanov, T. Eisenbarth, A. Rupp and C. Wolf. Time-Area Optimized Public-Key Engines: MQ-Cryptosystems as Replacement for Elliptic Curves? CHES 2008.

Multivariate Public Key Cryptography (MPKC)

General Idea (Matsumoto–Imai, 88/83)

Let $f = (f_1,\dots,f_m) \in K[x_1,\dots,x_n]^m$ be s.t. $\forall c = (c_1,\dots,c_m) \in K^m$:

$V_K(f_1 - c_1,\dots,f_m - c_m) = \{ z \in K^n : f_1(z) - c_1 = 0,\dots,f_m(z) - c_m = 0 \}$

can be computed efficiently.

Secret key

$(S, U) \in GL_n(K) \times GL_n(K)$ & $f = (f_1,\dots,f_m) \in K[x_1,\dots,x_n]^m$.

Public key

$p(x) = (p_1(x),\dots,p_m(x)) = (f_1(x \cdot S),\dots,f_m(x \cdot S)) \cdot U = f(x \cdot S) \cdot U,$

with $x = (x_1,\dots,x_n)$.

Encryption

To encrypt $m \in K^n$, compute:

$c = p(m) = (p_1(m),\dots,p_m(m)).$

To decrypt, compute $m' \in K^n$ s.t.:

$f(m') = c \cdot U^{-1}.$

We then have $m = m' \cdot S^{-1}$, if $\#V_K(\langle f - c \cdot U^{-1} \rangle) = 1$.

Proof.

$p(m' \cdot S^{-1}) = f(m' \cdot S^{-1} \cdot S) \cdot U = c \cdot U^{-1} \cdot U = c.$

Signature

To verify the signature $s \in K^n$ of a digest $H \in K^m$:

$p(s) = H.$

To generate $s \in K^n$ from a digest $H \in K^m$, we apply the decryption process to $H$, i.e. we compute $s' \in K^n$ s.t.:

$f(s') = H \cdot U^{-1}.$

The signature is then $s = s' \cdot S^{-1}$.

Proof.

$p(s) = f(s' \cdot S^{-1} \cdot S) \cdot U = H \cdot U^{-1} \cdot U = H.$


Unbalanced Oil and Vinegar Scheme

Principle

The set $f = (f_1,\dots,f_m) \in K[x_1,\dots,x_n]^m$ is constructed by splitting the variables $x_1,\dots,x_n$ into:

$\{x_i\}_{i \in V}$, with $V = \{1,\dots,n-m\}$ the set of vinegar indices
$\{x_i\}_{i \in O}$, with $O = \{n-m+1,\dots,n\}$ the set of oil indices

For all $k$, $1 \le k \le m$, the polynomials $f_k$ are:

$\sum_{\{(i,j) \in V \times V : i \le j\}} \alpha_{i,j} \cdot x_i \cdot x_j + \sum_{(i,j) \in V \times O} \beta_{i,j} \cdot x_i \cdot x_j.$

A. Kipnis, J. Patarin, and L. Goubin. Unbalanced Oil and Vinegar Signature Schemes. EUROCRYPT 1999.

Property of the Secret key

Fact

Let $c_1,\dots,c_{n-m} \in K$. For all $k$, $1 \le k \le m$:

$f_k(c_1,\dots,c_{n-m}, x_{n-m+1},\dots,x_n)$

is linear in the oil variables:

$f_k(c_1,\dots,c_{n-m}, x_{n-m+1},\dots,x_n) = \sum_{\{(i,j) \in V \times V : i \le j\}} \alpha_{i,j} \cdot c_i \cdot c_j + \sum_{(i,j) \in V \times O} \beta_{i,j} \cdot c_i \cdot x_j.$
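The MPKC framework above ($p(x) = f(x \cdot S) \cdot U$, signing by inverting $f$) with the UOV polynomials as the central map, as an added worked example that is not code from the talk: fixing random vinegar values $c$ turns every $f_k$ into an affine equation in the oil variables, so one linear solve over the field produces $s'$ and $s = s' \cdot S^{-1}$. The field $\mathbb{F}_{31}$, $v = 6$ vinegar and $o = 3$ oil variables (so $n = 9 \ge 2m$) and the fixed seed are constructed toy choices, not parameters from the slides.

```python
import random

Q = 31  # constructed toy prime field (the talk's UOV parameters use K = F_{2^4}, n = 32, m = 16)
RNG = random.Random(1)  # fixed seed so the example is reproducible
def transpose(A):
    return [list(col) for col in zip(*A)]
def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]
def quad(A, x):  # quadratic form x * A * x^T mod Q
    return sum(x[i] * A[i][j] * x[j] for i in range(len(x)) for j in range(len(x))) % Q
def solve(A, b):  # Gauss-Jordan over GF(Q): x with A*x = b, or None if A is singular
    n, M = len(A), [list(row) + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, Q)
        M[c] = [v * inv % Q for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [(a - M[r][c] * b) % Q for a, b in zip(M[r], M[c])]
    return [row[n] for row in M]
def random_invertible(n, rng):  # returns (A, A^{-1}); column j of A^{-1} solves A*x = e_j
    while True:
        A = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        cols = [solve(A, [int(i == j) for i in range(n)]) for j in range(n)]
        if all(c is not None for c in cols):
            return A, transpose(cols)
def keygen(v, o, rng=RNG):  # secret: UOV central map f, S, U; public: matrices of p(x) = f(x*S)*U
    n, F = v + o, []
    for _ in range(o):  # f_k as an upper-triangular matrix whose oil x oil block is zero
        A = [[0] * n for _ in range(n)]
        for i in range(v):  # row i: alpha (vinegar*vinegar, j >= i) and beta (vinegar*oil) terms
            A[i][i:] = [rng.randrange(Q) for _ in range(n - i)]
        F.append(A)
    S, S_inv = random_invertible(n, rng)
    U, U_inv = random_invertible(o, rng)
    FS = [mat_mul(mat_mul(S, A), transpose(S)) for A in F]  # f_k(x*S) = x (S A_k S^T) x^T
    P = [[[sum(U[k][j] * FS[k][a][b] for k in range(o)) % Q for b in range(n)]
          for a in range(n)] for j in range(o)]  # p_j = sum_k f_k(x*S) * U[k][j]
    return P, (F, S_inv, U_inv, v, o)
def sign(sk, H, rng=RNG):  # fix vinegar values c: f(c, y) = H*U^{-1} is then linear in the oil y
    F, S_inv, U_inv, v, o = sk
    Hp = [sum(H[k] * U_inv[k][j] for k in range(o)) % Q for j in range(o)]  # H * U^{-1}
    while True:
        c = [rng.randrange(Q) for _ in range(v)]
        const = [quad([row[:v] for row in A[:v]], c) for A in F]  # alpha terms evaluated at c
        lin = [[sum(c[i] * A[i][v + j] for i in range(v)) % Q for j in range(o)] for A in F]
        y = solve(lin, [(h - k) % Q for h, k in zip(Hp, const)])
        if y is not None:  # singular oil system: retry with fresh vinegar values
            s_prime = c + y  # f(s') = H*U^{-1}; the signature is s = s' * S^{-1}
            return [sum(s_prime[i] * S_inv[i][j] for i in range(v + o)) % Q for j in range(v + o)]
def verify(pk, s, H):  # accept iff p(s) = H
    return [quad(Pj, s) for Pj in pk] == H
```

The public key hides the vinegar/oil split behind $S$; the signer uses it by choosing $c$ first, which is exactly the property stated on the slide above.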

Previous Security Result

Recommended Values for UOV

UOV is not secure when $m = n$.

A. Kipnis and A. Shamir. Cryptanalysis of the Oil and Vinegar Signature Scheme. CRYPTO 1999.

We must have $n \ge 2m$.
In particular, $K = \mathbb{F}_{2^4}$, $m = 16$, $n = 32$ (or 48).

Signature Forgery Attack

Specific Context

Given $H \in K^m$, find $z \in K^n$ such that:

$p_1(z) - H_1 = 0,\dots,p_m(z) - H_m = 0.$

nb. of polynomials ($m$) is smaller than nb. of variables ($n$)
$K = \mathbb{F}_{2^4}$ ⇒ we have not included the field equations ($x_i^{2^4} - x_i$)
DRL-GB difficult to compute
complexity of FGLM very high

DRL-GB + LEX-GB with FGLM: automatic in almost all computer algebra systems

For instance: Variety in Magma

Specifying Variables – (I)

One can randomly fix n −m variables.

A. Braeken, C. Wolf, B. Preneel. A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes. CT-RSA 2005.

Working Hypothesis

new system behaves like a (semi-)regular system.

$d_{reg} = m + 1$ (17)

$\#V_K(\cdot) \approx 2^m$ (Bézout's bound)

Specifying Variables – (II)

You can randomly fix $n - m - r$ variables ($r > 0$).

decrease the degree of regularity ($r = 1$, $d_{reg} = \lceil m/2 \rceil$)
decrease the size of the variety
increase the number of Gröbner bases to compute ($(\#K)^r$)

Experimental Results

m  | m − r | r | dreg (theoretical) | dreg (observed)
16 | 15    | 1 | 8                  | 9
16 | 14    | 2 | 7                  | 7
16 | 13    | 3 | 6                  | 6

m  | m − r | r | T_F5    | Mem      | Nop_F5     | N
16 | 15    | 1 | ≈ 1 h.  | 3532 Mb. | $2^{36.9}$ | $2^{40.9}$
16 | 14    | 2 | 126 s.  | 270 Mb.  | $2^{32.3}$ | $2^{40.5}$
16 | 13    | 3 | 9.41 s. | 38 Mb.   | $2^{28.7}$ | $2^{40.7}$
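The series from the "Complexity of F5" slides, $\sum_{i \ge 0} a_i z^i = (1 - z^2)^m / (1 - z)^n$, turned into a small calculator as an added example (not code from the talk): it expands the series and returns the index of the first non-positive coefficient, which is the definition of $d_{reg}$ for a semi-regular system used by Bardet et al., so the hybrid-approach parameters of the table above ($m = 16$ equations in $m - r$ unknowns) and the $m = n$ case ($d_{reg} = n + 1$) can be recomputed.

```python
from math import comb

def hilbert_series(n, m, bound):
    """Coefficients a_0..a_bound of (1 - z^2)^m / (1 - z)^n: m quadratic equations in n variables."""
    coeffs = [0] * (bound + 1)
    for i in range(min(m, bound // 2) + 1):  # expand the numerator (1 - z^2)^m
        coeffs[2 * i] = (-1) ** i * comb(m, i)
    for _ in range(n):  # each 1/(1 - z) factor turns the series into its prefix sums
        acc, out = 0, []
        for c in coeffs:
            acc += c
            out.append(acc)
        coeffs = out
    return coeffs

def degree_of_regularity(n, m):
    """d_reg of a semi-regular system: index of the first coefficient <= 0; None if m < n."""
    for d, c in enumerate(hilbert_series(n, m, 2 * m + 2)):
        if c <= 0:
            return d
    return None  # m < n: (1 + z)^m / (1 - z)^(n - m) never changes sign

def hybrid_dreg(m, rs):
    """Hybrid approach: d_reg when m equations are left in m - r unknowns, for each r."""
    return {r: degree_of_regularity(m - r, m) for r in rs}
```

For $(m, m - r) = (16, 15)$ the series gives 9, the value in the observed column of the table; for $(16, 14)$ and $(16, 13)$ it gives 7 and 6.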

Remark

L. Bettale, J.-C. Faugère, and L. Perret. Hybrid approach for solving multivariate systems over finite fields. Journal of Mathematical Cryptology, 2009 (to appear).

Evaluation of the complexity of the attack for different values of the parameters
Positive result for the security of UOV
A systematic method (quasi automatic) for evaluating the security of multivariate systems

A. Braeken, C. Wolf, B. Preneel. A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes. CT-RSA 2005.


The MinRank problem

MR

Input: $n, k \in \mathbb{N}^*$; $M_1,\dots,M_k \in \mathcal{M}_{n \times n}(K)$, $r \in \mathbb{N}^*$.
Question: decide if there exists $\lambda = (\lambda_1,\dots,\lambda_k) \in K^k$ s.t.:

$\mathrm{Rk}\left( \sum_{j=1}^{k} \lambda_j M_j \right) = r.$

Theorem (Courtois, ASIACRYPT 2001)

MR is NP-Complete.

Applications of MinRank

Zero-Knowledge authentication protocol based on MR

N. Courtois. Efficient Zero-knowledge Authentication Based on a Linear Algebra Problem MinRank. ASIACRYPT 2001.

Security of Multivariate Public Key Cryptosystems

A. Kipnis and A. Shamir. Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. CRYPTO 99.

N. Courtois and L. Goubin. Cryptanalysis of the TTM Cryptosystem. ASIACRYPT 2000.

O. Billet and H. Gilbert. Cryptanalysis of Rainbow. SCN 2006.

Kipnis-Shamir’s approach – (I)

A. Kipnis and A. Shamir. Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. CRYPTO 99.

Given $n, k \in \mathbb{N}^*$; $M_1,\dots,M_k \in \mathcal{M}_{n \times n}(K)$, $r \in \mathbb{N}^*$; the goal is to find $\lambda = (\lambda_1,\dots,\lambda_k) \in K^k$ s.t.:

$\mathrm{Rk}\left( \sum_{j=1}^{k} \lambda_j M_j \right) = r.$

Set $E_\lambda = \sum_{j=1}^{k} \lambda_j M_j$. Thus:

$\mathrm{Rk}(E_\lambda) = r \Leftrightarrow \exists\, (n - r)$ linearly indep. vectors $X^{(i)} \in \mathrm{Ker}(E_\lambda)$.

We have then:

$\left( \sum_{j=1}^{k} \lambda_j M_j \right) X^{(i)} = 0_n,\ \forall\, 1 \le i \le n - r.$

Kipnis-Shamir’s approach – (II)

Set $E_\lambda = \sum_{j=1}^{k} \lambda_j M_j$. Thus:

$\mathrm{Rk}(E_\lambda) = r \Leftrightarrow \exists\, (n - r)$ linearly indep. vectors $X^{(i)} \in \mathrm{Ker}(E_\lambda)$.

Let $X^{(i)} = (x^{(i)}_1,\dots,x^{(i)}_n)$, where the $x^{(i)}_j$ are variables. Then:

$$\left( \sum_{j=1}^{k} y_j M_j \right) \begin{pmatrix} x^{(1)}_1 & \cdots & x^{(n-r)}_1 \\ x^{(1)}_2 & \cdots & x^{(n-r)}_2 \\ \vdots & & \vdots \\ x^{(1)}_n & \cdots & x^{(n-r)}_n \end{pmatrix} = \begin{pmatrix} 0 & \cdots & 0 \\ 0 & \cdots & 0 \\ \vdots & & \vdots \\ 0 & \cdots & 0 \end{pmatrix}$$

Kipnis-Shamir’s approach – (III)

Write $X^{(i)} = (e_i, x^{(i)}_1,\dots,x^{(i)}_r)$, where $e_i \in K^{n-r}$ and the $x^{(i)}_j$ are variables:

$$\left( \sum_{j=1}^{k} y_j M_j \right) \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \\ x^{(1)}_1 & \cdots & \cdots & x^{(n-r)}_1 \\ \vdots & & & \vdots \\ x^{(1)}_r & \cdots & \cdots & x^{(n-r)}_r \end{pmatrix} = \begin{pmatrix} 0 & \cdots & 0 \\ 0 & \cdots & 0 \\ \vdots & & \vdots \\ 0 & \cdots & 0 \end{pmatrix}$$

is a quadratic system of $(n - r)n$ equations in $r(n - r) + k$ unknowns.
$I_{KS}$: the ideal generated by these equations.

Properties of KS equations

Theorem

Let $(n, k, M_1,\dots,M_k, r)$ be an instance of MR and $I_{KS}$ be the ideal generated by the KS equations. There is (generically) a one-to-one correspondence between $\mathrm{Sol}(n, k, M_1,\dots,M_k, r)$, the set of solutions of MinRank, and:

$V_K(I_{KS}) = \{ z \in K^{r \cdot (n-r) + k} : f(z) = 0,\ \text{for all } f \in I_{KS} \}.$

Courtois’ Authentication Scheme – Challenges

$\mathbb{F}_{65521}$

A: $n = 6$, $k = 10$, $r = 3$ (18 eq., 19 var.)
B: $n = 7$, $k = 10$, $r = 4$ (21 eq., 22 variables)
C: $n = 11$, $k = 10$, $r = 8$ (33 eq., 35 variables)

Courtois’ Authentication Scheme – Challenges

$\mathbb{F}_{65521}$

A: $n = 6$, $k = 10$, $r = 3$ (18 eq., 19 var.) ⇒ $n = 6$, $k = 9$, $r = 3$ (18 eq., 18 var.)
B: $n = 7$, $k = 10$, $r = 4$ (21 eq., 22 variables) ⇒ $n = 7$, $k = 9$, $r = 4$ (21 eq., 21 var.)
C: $n = 11$, $k = 10$, $r = 8$ (34 eq., 35 variables) ⇒ $n = 11$, $k = 9$, $r = 8$ (34 eq., 34 var.)

Experimental results with FGb

$K = \mathbb{F}_{65521}$

  | n  | k | r | T_FGb    | Mem      | N_FGb      | [Cou]
A | 6  | 9 | 3 | 1 min.   | 400 Mb.  | $2^{30.5}$ | $2^{106}$
B | 7  | 9 | 4 | 1h45min. | 3 Gb.    | $2^{37.1}$ | $2^{122}$
  | 8  | 9 | 5 | 91 h.    | 58.5 Gb. | $2^{43.4}$ |
C | 11 | 9 | 8 |          |          | $2^{64.4}$ | $2^{136}$

"not rigorous"

  | n  | k | r | dreg (theor.) | dreg (observed) | Bézout   | #Sol
A | 6  | 9 | 3 | 19            | 5               | $2^{18}$ | $2^{10}$
B | 7  | 9 | 4 | 22            | 6               | $2^{21}$ | $2^{12}$
  | 8  | 9 | 5 | 28            | 8               | $2^{27}$ | $2^{13}$
C | 11 | 9 | 8 | 33            | ?               | $2^{34}$ | ?

Efficient attack but no theoretical explanation!!


Theoretical Complexity – (I)

Definition

Let $S = \{ f_1(x_1,\dots,x_n) = 0,\dots,f_m(x_1,\dots,x_n) = 0 \}$ be an algebraic system of equations, and $T = \{ X^{(1)},\dots,X^{(k)} \}$ be a partition of $X = \{x_1,\dots,x_n\}$ s.t.:

$X^{(j)} = \{ x_{j_1},\dots,x_{j_{k_j}} \}.$

$S$ is multi-homogeneous if the polynomials $f_i$ are homogeneous w.r.t. the $X^{(j)}$'s.

Property

The ideal $I_{KS}$ is multi-homogeneous.
new bounds for the degree of regularity
multi-homogeneous Bézout bound
work in progress

Multi-Homogeneous Structure

$$\left( \sum_{j=1}^{k} y_j M_j \right) \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \\ x^{(1)}_1 & \cdots & \cdots & x^{(n-r)}_1 \\ \vdots & & & \vdots \\ x^{(1)}_r & \cdots & \cdots & x^{(n-r)}_r \end{pmatrix} = \begin{pmatrix} 0 & \cdots & 0 \\ 0 & \cdots & 0 \\ \vdots & & \vdots \\ 0 & \cdots & 0 \end{pmatrix}$$

Theoretical Complexity – (II)

Theorem

Let $r' = n - r$ be a constant. We consider instances of MR with parameters $(n,\ k = r'^2,\ r = n - r')$. For those particular instances, we can compute the variety of $I_{KS}$ using Gröbner bases in:

$O\left( \ln(\#K)\, n^{3 r'^2} \right),$

The complexity of our attack is polynomial for instances of MinRank with $(n,\ k = r'^2,\ r = n - r')$.

$(n, k, r)$            | A = (6, 9, 3) | B = (7, 9, 4) | C = (11, 9, 8)
#Sol (MH Bézout bound) | $2^{13}$      | $2^{15}$      | $2^{22}$
Experimental #Sol      | $2^{10}$      | $2^{12}$      |
Complexity bound       | $2^{38.9}$    | $2^{46.2}$    | $2^{66.3}$
Experimental Bound     | $2^{30.5}$    | $2^{37.1}$    | $2^{64.3}$

Remark

Efficient attack supported by theoretical results
Most interesting parameters of the MinRank authentication scheme have been broken, but:

A second set of parameters (over $K = \mathbb{F}_2$) proposed by Courtois remains secure:

$(n, k, r)$ | (19, 81, 10) | (21, 121, 10) | (29, 190, 15)


Algebraic Attacks against Block Ciphers – Theory

General principle

$x_0 \leftarrow m \in K^t$
For $i$ from 0 to $r - 1$ do
    $x_{i+1} \leftarrow T(K_i, x_i)$    # $K_i \in K^t$ subkey at round $i$
EndFor
$c \leftarrow x_r$

Courtois, Pieprzyk, ASIACRYPT 2002

Fix a pair $(m, c) \in K^t \times K^t$
variables: intermediate states $\{x_i\}_{1 \le i \le r-1}$, components of the master key $K$
coefficient ring: $K$

Cipher Crisis!!!

Algebraic Attacks against Block Ciphers – Practice

[Bardet, Ph.D. Thesis 2004]

Cryptosystem | #unk. | #Eq. quad. | dreg | #Matrix
Khazad       | 4800  | 6000       | 379  | $2^{2076}$
Misty1       | 1848  | 1845       | 179  | $2^{1040}$
Kasumi       | 2000  | 2000       | 193  | $2^{1129}$
Camellia-128 | 1664  | 4304       | 78   | $2^{538}$
AES-128      | 1600  | 4600       | 69   | $2^{479}$
Serpent-128  | 8320  | 9360       | 703  | $2^{4196}$

The degree of regularity $d_{reg}$ is obtained from:

$\dfrac{(1 + z)^n}{(1 + z^2)^m}.$

Flurry : a Family of Feistel ciphers

[Buchmann, Pyshkin, Weinmann, CT-RSA’06]

The parameters of Flurry$(n, t, r, f, D)$:
$\#K = k = 2^n$, $n \in \{8, 16, 32, 64\}$
$t \in \mathbb{N}^*$ is the size of a message block
$r \in \mathbb{N}^*$ is the number of rounds
$f$ is a non-linear function describing the Sbox. Here: the power function $f(x) = f_p(x) = x^p$, with $p \in \{3, 5, 7, k - 2\}$
$D \in \mathcal{M}_{m \times m}(K)$ is a matrix describing the linear diffusion layer

A Gröbner Basis without Computation !

Property [Buchmann, Pyshkin, and Weinmann, CT-RSA’06]

Let $P_{Flurry}$ be the system describing Flurry$(n, t, r, f, D)$.
variables: intermediate states; components of the key
coefficient ring: $K$ a degree $n$ extension of $\mathbb{F}_2$

There exists a (degree) order $\prec^*$ for which $P_{Flurry}$ is already a Gröbner basis. Moreover, it holds that

$\#V_K(P_{Flurry}) = \deg(f)^{\frac{t}{2} \cdot r}.$

Complexity of FGLM

$O\left( \deg(f)^{3 \cdot \frac{t}{2} \cdot r} \right).$

Remark

The same result holds for AES-128.

Toward an Efficient Cryptanalysis of Flurry

[Faugère, P. – 2008]

$P^N_{Flurry} \leftarrow \emptyset$
For $j$ from 1 to $N$ do
    "Randomly" select a pair $(m_j, c_j) \in K^t \times K^t$
    $P^N_{Flurry} \leftarrow P^N_{Flurry} \cup P_{Flurry}(m_j, c_j)$
EndFor
Try to solve $P^N_{Flurry}$

variables: intermediate states; components of the key
coefficient ring: $K$ a degree $n$ extension of $\mathbb{F}_2$

Toward an Efficient Cryptanalysis of Flurry

[Faugère, P. – 2008]

$P^N_{Flurry} \leftarrow \emptyset$
For $j$ from 1 to $N$ do
    Select a "correlated" pair $(m_j, c_j) \in K^t \times K^t$
    $P^N_{Flurry} \leftarrow P^N_{Flurry} \cup P_{Flurry}(m_j, c_j)$
EndFor
Try to solve $P^N_{Flurry}$

variables: intermediate states; components of the key
coefficient ring: $K$ a degree $n$ extension of $\mathbb{F}_2$

How to Select the Sequence – Intuition

Let $N > 1$ be an integer. We fix: $m_0 = (0,\dots,0)$, and $r_1 = (1,\dots,0)$. We define $r_i$, for all $i$, $2 \le i \le N$, s.t. $r_{i+1} = \theta \cdot r_i$.

We then solve:

$P^N_{Flurry} = \bigcup_{r \in \mathcal{L}[r_1,\dots,r_N]} P_{Flurry}(m_0 + r,\ c_r).$

Rationale

$\Delta^{(i)}_{r_1,\dots,r_i} T_K = \sum_{\delta \in \mathcal{L}[r_1,\dots,r_i]} T_K(x + \delta).$

Experimental Results

Flurry$(n, t, r, f, D)$         | N   | Dmax | T          | Nbop       | Mem
Flurry$(16, 2, 6, f^{-1}, I_1)$ | 3   | 3    | 0.6 s.     | $2^{25}$   | 1.8 Gb.
Flurry$(16, 2, 7, f^{-1}, I_1)$ | 3   | 4    | 0.4 s.     | $2^{24}$   | 1 Gb.
Flurry$(16, 2, 8, f^{-1}, I_1)$ | 4   | 4    | 37.6 s.    | $2^{31}$   | 1.4 Gb.
Flurry$(16, 2, 9, f^{-1}, I_1)$ | 10  | 4    | 37296 s.   | $2^{41}$   | 6.4 Gb.
Flurry$(16, 4, 5, f^{-1}, D_2)$ | 2   | 4    | 0.5 s.     | $2^{24.2}$ | 1.7 Gb.
Flurry$(16, 4, 6, f^{-1}, D_2)$ | 4   | 4    | 810.3 s.   | $2^{36.0}$ | 4.6 Gb.
Flurry$(16, 8, 5, f^{-1}, D_4)$ | 3   | 4    | 3755.2 s.  | $2^{37.5}$ | 5.4 Gb.
Flurry$(16, 4, 6, f_3, D_2)$    | 14  | 3    | 3.4 s.     | $2^{27.4}$ | 1.3 Gb.
Flurry$(16, 4, 8, f_3, D_2)$    | 90  | 3    | 1952 s.    | $2^{36.1}$ | 117 Gb.
                                | 100 | 3    | 2058 s.    | $2^{36.2}$ | 130 Gb.
Flurry$(16, 8, 6, f_3, D_4)$    | 20  | 3    | 35.8 s.    | $2^{26.1}$ | 47 Gb.

Conclusion

Cryptanalysis of multivariate schemes
Algebraic cryptanalysis of block ciphers
Algebraic cryptanalysis of stream ciphers
    Algebraic immunity
    eSTREAM candidates (Trivium, ...)
Algebraic cryptanalysis of hash functions (new trend)
Factorization with known bits
Design
    Stream cipher
    Hash function
    Lattice Polly Cracker

Gröbner Basis in Cryptography: Overview

Guest Editors: D. Augot, J.-C. Faugère, L. Perret.
Gröbner bases in Coding Theory and Cryptography.
Special Issue, Journal of Symbolic Computation; In press.

Editors: M. Sala, T. Mora, L. Perret, S. Sakata, and C. Traverso.
Gröbner Bases, Coding, and Cryptography.
Springer, RISC Book Series, In press.
