Post on 18-Jan-2018

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology

On the Security of HFE, HFEv- and Quartz
Nicolas T. Courtois, Magnus Daum, Patrick Felke
This talk is supported by STORK

Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz

Overview
- What is HFE?
- Solving HFE systems with Gröbner Bases Algorithms
- Results from Simulations
- Conclusion

What is HFE?

Basic HFE: Example
Basic HFE: Example (Verifying)
Basic HFE: Example (Signing)
(these slides contain only figures)

Perturbations
Little changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure, e.g.
- "-" (i.e. removing polynomials): Public Key
- "v" (i.e. adding variables): (after mixing with S and T) Public Key
Perturbations can be combined, e.g. to HFEv- systems.
Quartz is a special instance of an HFEv- system.

Parameters of HFEv-
- q: size of the smaller finite field K
- h: extension degree of L (i.e. |L| = q^h)
- d: degree of the hidden polynomial
- r: number of removed equations ("-")
- v: number of added variables ("v")
- m = h - r: number of equations in the public key
- n = h + v: number of variables in the public key

Overview
- What is HFE?
- Solving HFE systems with Gröbner Bases Algorithms
  - General Approach with Buchberger Algorithm
  - Characteristics of HFE systems
  - Faugère's Attack on HFE Challenge 1
- Results from Simulations
- Conclusion

General Approach

General Approach: Example (Signing)
General Approach: Example (Buchberger Algorithm)
(these slides contain only figures)

General Approach: Example (Buchberger Algorithm)
Advantages:
- we compute only the information we need
- the degree of the polynomials involved in this computation is bounded

General Approach
In general the Buchberger algorithm has exponential worst-case complexity => only feasible for very few unknowns.
But HFE systems are special:
- very small finite field
- quadratic polynomials
- solutions in the base field F_q
- hidden polynomial
=> Optimized variants of the Buchberger algorithm might be able to solve Basic HFE systems.

General Approach
Best known attack on Basic HFE: Faugère's algorithm F5/2 (April 2002) successfully attacked HFE Challenge 1 (n=80, d=96) in 96h on an 833 MHz Alpha workstation.
On perturbated HFE systems: no feasible attacks known, but e.g. F5/2 can be applied to such systems; the complexity is not known.

Simulations
Simulations were done in SINGULAR using the stdfglm function.
Parameters: finite field K with HFE systems with and systems of random quadratic equations, both with equations, unknowns.

Improvements
A perturbated system consists of equations and unknowns. The following steps speed up the computations:
- Fix variables with values not chosen before.
- Apply stdfglm to the resulting system.
- If the resulting system has no solution, repeat the above step until the resulting system has a solution.

Improvements
Number of tries is 1.6 on average.
For our experiments we define
Usually we have

What to Measure?
Forging a signature of an HFEv- system means to solve a system of m quadratic equations in n unknowns, i.e. to solve an instance of the MQ-Problem.
The MQ-Problem seems to be hard on average. A randomly chosen system is hard to solve.
Randomness => Security
We define (randomness). is the value of T obtained for random systems of quadratic equations.

Experimental Results (h=15, d=5, q=2)
(this slide contains only a figure)

Experimental Results
- R depends mainly on the total number v+r of perturbations.
- "-" may decrease the total time. Use more v.
- If, for an unperturbated HFE-system, then
- The more, the more is the increase in the relative security when v+r is increased, e.g. if d, the degree of the HFE polynomial, is small compared to h, as in the case of Quartz.

Conclusions for Quartz
Faugère's attack computes a Gröbner basis, so applying our results to his attack gives:
- For Quartz with d=129 and v+r=7 his attack will probably need
- For Quartz with d=257 we estimate a complexity of

Conclusions for Quartz
The parameter d of Quartz probably needs to be increased from d=129 to d=257.
Signatures with Quartz will then take 6 seconds on average (on a PC with 2 GHz).
Compared to other schemes, slowness is currently the price to pay for short signatures.
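The "Basic HFE: Example" slides and the "-" perturbation above are illustrated by the following toy signer and verifier, written for this transcript and not taken from the talk or from Quartz: K = GF(2), L = GF(2^8) with an irreducible modulus I chose, d = 5, r = 3 removed equations (so m = h - r = 5, no vinegar variables), random affine maps S and T, and brute-force root finding of the hidden polynomial F, which only works because h is tiny. The public map is kept as the composition T∘F∘S rather than expanded into the m quadratic polynomials a real public key consists of; the signer guesses the r removed output bits and retries until F has a root, which is the step a real "-" scheme performs.

```python
import random

H, D, R = 8, 5, 3; M = H - R  # h, d and r (the "-" perturbation); m = h - r; no vinegar here, so n = h
MOD = 0x11B                   # x^8 + x^4 + x^3 + x + 1 is irreducible over K = GF(2), so L = GF(2^8)
def gf_mul(a, b):  # multiplication in L; bit i of an int is the coefficient of x^i
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (MOD if a >> (H - 1) else 0), b >> 1
    return r
def eval_poly(F, x):  # F maps exponent -> coefficient in L; all exponents are <= D
    p, r = [1], 0
    for _ in range(D): p.append(gf_mul(p[-1], x))
    for e, c in F.items(): r ^= gf_mul(c, p[e])
    return r
def hfe_poly(rng):  # HFE shape: exponents 2^i + 2^j, 2^i and 0, so F is quadratic over K
    exps = {2**i + 2**j for i in range(H) for j in range(i, H) if 2**i + 2**j <= D}
    exps |= {2**i for i in range(H) if 2**i <= D} | {0}
    return {e: rng.randrange(1 << H) for e in exps}
def mat_apply(A, x):  # A is a list of row ints over K; output bit i = parity(row_i & x)
    return sum(((bin(row & x).count('1') & 1) << i) for i, row in enumerate(A))
def mat_inv(A):  # Gauss-Jordan over K on [A | I]; returns None if A is singular
    rows = [(A[i], 1 << i) for i in range(H)]
    for col in range(H):
        piv = next((i for i in range(col, H) if rows[i][0] >> col & 1), None)
        if piv is None: return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(H):
            if i != col and rows[i][0] >> col & 1:
                rows[i] = (rows[i][0] ^ rows[col][0], rows[i][1] ^ rows[col][1])
    return [inv for _, inv in rows]
def rand_affine(rng):  # random invertible affine map on K^h as (matrix, inverse matrix, constant)
    while True:
        A = [rng.randrange(1, 1 << H) for _ in range(H)]
        Ainv = mat_inv(A)
        if Ainv: return A, Ainv, rng.randrange(1 << H)
def keygen(seed):  # secret key: F, S^-1, T^-1; public key: F, S, T (see public_map)
    rng = random.Random(seed); S, Sinv, cs = rand_affine(rng); T, Tinv, ct = rand_affine(rng)
    F = hfe_poly(rng); return (F, Sinv, cs, Tinv, ct), (F, S, cs, T, ct)
def public_map(pk, x):  # P = T o F o S with r output bits removed; kept as a composition here, while
    F, S, cs, T, ct = pk  # a real key publishes the m expanded quadratic polynomials, which is what hides F
    return (mat_apply(T, eval_poly(F, mat_apply(S, x) ^ cs)) ^ ct) & ((1 << M) - 1)
def sign(sk, y, seed):  # y is an m-bit hash value; returns (signature, tries) or None
    F, Sinv, cs, Tinv, ct = sk; rng = random.Random(seed)
    for tries, extra in enumerate(rng.sample(range(1 << R), 1 << R), 1):  # guess the r removed bits
        target = mat_apply(Tinv, (y | extra << M) ^ ct)  # undo T
        roots = [x for x in range(1 << H) if eval_poly(F, x) == target]  # invert F (brute force in a toy)
        if roots: return mat_apply(Sinv, rng.choice(roots) ^ cs), tries  # undo S
    return None  # no completion of the removed bits had a root; a real signer would re-hash with a counter
def verify(pk, sig, y): return public_map(pk, sig) == y
```

The `tries` value returned by `sign` is the number of guesses for the removed bits before F had a root; forging without the secret key would instead mean solving the m = 5 public quadratic equations in n = 8 unknowns, the MQ instance the "What to Measure?" slide refers to.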