Building Secure Public Key Encryption Scheme from Hidden Field Equations

Multivariate public key cryptography is a family of cryptographic schemes whose security rests on the NP-hardness of solving systems of quadratic equations over finite fields; among them, the hidden field equations (HFE) family remains the most famous. However, the original HFE scheme was insecure, and the follow-up modifications were shown to be still vulnerable to attacks. In this paper, we propose a new variant of the HFE scheme built on the special equation $x^2 = x$, which holds over the finite field $\mathbb{F}_3$ whenever $x \in \{0, 1\}$. We observe that this equation can be used to further destroy the special structure of the underlying central map of the HFE scheme. It is shown that the proposed public key encryption scheme is secure against the known attacks, including the MinRank attack, the algebraic attacks, and the linearization equations attack. The proposal gains some advantages over the original HFE scheme with respect to encryption speed and public key size.


Introduction
Public key cryptography [1] built from the NP-hardness of solving multivariate quadratic equations over a finite field [2,3] was conceived as a plausible alternative to the traditional factorization- and discrete-logarithm-based public key cryptosystems, owing to its high performance and its resistance to quantum attacks [4]. The hidden field equations (HFE) scheme [5] may be the most famous cryptosystem among all multivariate public key cryptographic schemes. The HFE scheme first defines a univariate polynomial map (the central map) over an extension field, whose degree bound must not be too large, so that the legitimate user can apply the Berlekamp algorithm [6] to compute the roots of the central map efficiently. Then two invertible affine transformations are applied to hide the special structure of the central map [2,5]. However, the central map can be represented by a low-rank matrix [7], which makes it vulnerable to MinRank attacks [7-9]. So some modifications are needed to repair the basic HFE scheme [10-14]. However, all known modification methods impose only a partial nonlinear transformation on the special structure of the HFE central map, and hence they are still vulnerable to some attacks [15-17]. We consider the HFE scheme over finite fields of characteristic 3. We impose a restriction on the plaintext space and use this restriction to merge the coefficients of the linear part and the square part. By doing this, we impose a fully nonlinear transformation on the central map of the HFE encryption scheme. Performance analysis shows that the modification saves a quadratic number of bits of public key storage (one square coefficient per variable in each public polynomial) and reduces the encryption cost by a corresponding quadratic number of bit operations. It is shown that the modification can defend against the known attacks, including the MinRank attack, the linearization equations attack, and the direct algebraic attacks.

Proposal
2.1.Notations.Let F  be a -order finite field with  being a prime power.Let () be an irreducible polynomial with degree  over F  ; then F   = F  []/⟨()⟩ forms a degree- extension field.The construction admits a standard isomorphism  between the extension field F   and the vector space F   ; namely, for an element () = ∑ −1 =0     ∈ F   , we have (()) = ( 0 , . . .,  −1 ) ∈ F   .We denote the inverse of map  as  −1 .Note that the Frobenius maps T() =    for  = 0, 1, . . .,  − 1 defined over F   are F  -linear; namely, when expressed in the base field F  , T() will be -dimensional linear functions over F  .
Decryption. Given a ciphertext c (a vector over $\mathbb{F}_3$), we compute $y = L_1^{-1}(c)$ and map y into the extension field; we then use the Berlekamp algorithm [6] to compute all preimages of this element under the central map F, map each preimage back to a vector x over $\mathbb{F}_3$, and compute $m = L_2^{-1}(x)$. If $m \in M$, we output m as the plaintext. If no preimage yields a vector in M, we output the symbol ⊥, designating an invalid ciphertext.
Why Decryption Works. We just observe that every coordinate of a plaintext in M is 0 or 1, so its square equals itself. Hence, for each public polynomial, the square term and the linear term in a given variable coincide on M and can be merged, so that Q(m) = P(m) for every plaintext m in M. The modified HFE decryption then recovers the plaintext m by peeling off the composition one map at a time from the leftmost side, exactly as in the original scheme.
Remarks. The original HFE scheme [5] works over any base field and its extension. In fact, the quadratic polynomial map P is exactly the public key of the original HFE scheme, and the secret key of the original scheme also consists of the central map F, $L_1^{-1}$, and $L_2^{-1}$. Encryption in the original HFE scheme simply computes c = P(m), where the plaintext m is any vector over the base field and not necessarily an element of M. The decryption algorithm of the modified HFE scheme is exactly the original HFE decryption.

Performance and Comparisons.
To compare the proposed HFE modification with the original HFE scheme on a uniform platform, we consider both schemes over $\mathbb{F}_3$ and its extension field. The modified and the original HFE schemes share the same secret key and the same decryption algorithm, so both have the same secret key size and decryption cost. In the modified scheme the public key is Q, so the coefficients of the square terms of P need not be stored: one coefficient per variable in each public polynomial, which is a quadratic number of coefficients in total. Correspondingly, encryption with Q does not compute the square terms, which saves the same quadratic number of bit operations.
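The construction described above (key generation, the merging of square into linear coefficients, encryption with Q, and decryption through the central map) together with the key-size accounting, as an added runnable example written for this edition; it is not the paper's implementation. It assumes toy parameters, namely $q = 3$, extension degree $N = 4$ with the modulus $x^4 + x + 2$ (irreducible over $\mathbb{F}_3$), degree bound $D = 12$, and linear $L_1$, $L_2$; the function names (`keygen`, `interpolate`, `merge_squares`, `poly_eval`, `stored_coefficients`, `decrypt`) are the example's own. The public polynomials P are recovered by interpolating the composed map at $0$, $e_i$, $2e_i$ and $e_i + e_j$, which is exact because P is quadratic over $\mathbb{F}_3$; root finding in decryption is an exhaustive search over the $3^N$ field elements where the scheme itself uses the Berlekamp algorithm.

```python
# Added example, not the paper's code: a toy instance of the modified HFE scheme over F_3.
# Assumed: extension degree N = 4, modulus x^4 + x + 2 (irreducible over F_3), degree
# bound D = 12, and linear L1/L2 (the paper's MinRank section takes them linear w.l.o.g.).
import random
from functools import reduce
from itertools import product

N, D = 4, 12
MOD = [2, 1, 0, 0, 1]        # x^4 + x + 2, lowest-degree coefficient first

def f_mul(a, b):             # F_{3^N} product; an element is its coefficient vector over F_3
    prod = [0] * (2 * N - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % 3
    for k in range(2 * N - 2, N - 1, -1):          # reduce modulo the monic MOD
        for t in range(N + 1):
            prod[k - N + t] = (prod[k - N + t] - prod[k] * MOD[t]) % 3
    return prod[:N]

def f_pow(a, e):                                    # e >= 1; exponents are tiny here
    return reduce(f_mul, [a] * e, [1] + [0] * (N - 1))

def mat_vec(M, v):                                  # linear map over F_3
    return [sum(m * x for m, x in zip(row, v)) % 3 for row in M]

def mat_inv(M):                                     # brute force (N tiny): column i solves M v = e_i
    cols = []
    for i in range(N):
        e = [int(t == i) for t in range(N)]
        v = next((list(v) for v in product(range(3), repeat=N) if mat_vec(M, v) == e), None)
        if v is None:
            return None                             # singular
        cols.append(v)
    return [list(r) for r in zip(*cols)]

def rand_invertible():
    while True:
        M = [[random.randrange(3) for _ in range(N)] for _ in range(N)]
        if (Minv := mat_inv(M)) is not None:
            return M, Minv

# --- HFE central map F(X) = sum a_ij X^(3^i+3^j) + sum b_i X^(3^i) + c, exponents <= D ---
def rand_central_map():
    rnd = lambda: [random.randrange(3) for _ in range(N)]
    exps = [3**i + 3**j for i in range(N) for j in range(i, N) if 3**i + 3**j <= D]
    exps += [3**i for i in range(N) if 3**i <= D]
    return [(e, rnd()) for e in exps], rnd()

def hfe_eval(F, X):
    terms, const = F
    Y = list(const)
    for e, a in terms:
        Y = [(y + z) % 3 for y, z in zip(Y, f_mul(a, f_pow(X, e)))]
    return Y

# --- public key P as explicit quadratic polynomials over F_3, and the modified key Q ---
def interpolate(eval_fn):
    """(const, linear, square, cross) coefficients from values at 0, e_i, 2e_i, e_i+e_j."""
    unit = lambda s, *idx: [s if t in idx else 0 for t in range(N)]
    c = eval_fn(unit(0))
    p1 = [eval_fn(unit(1, i)) for i in range(N)]
    p2 = [eval_fn(unit(2, i)) for i in range(N)]
    lin = [[(p2[i][k] - p1[i][k]) % 3 for i in range(N)] for k in range(N)]
    sq = [[(p1[i][k] - c[k] - lin[k][i]) % 3 for i in range(N)] for k in range(N)]
    cross = {(i, j): [(v - p1[i][k] - p1[j][k] + c[k]) % 3
                      for k, v in enumerate(eval_fn(unit(1, i, j)))]
             for i in range(N) for j in range(i + 1, N)}
    return c, lin, sq, cross

def poly_eval(pk, x):
    c, lin, sq, cross = pk
    return [(c[k] + sum(lin[k][i] * x[i] + sq[k][i] * x[i] ** 2 for i in range(N))
             + sum(a[k] * x[i] * x[j] for (i, j), a in cross.items())) % 3
            for k in range(N)]

def merge_squares(pk):
    """The modification: on M = {0,1}^N, x_i^2 = x_i, so squares fold into the linear terms."""
    c, lin, sq, cross = pk
    lin_q = [[(lin[k][i] + sq[k][i]) % 3 for i in range(N)] for k in range(N)]
    return c, lin_q, [[0] * N for _ in range(N)], cross

def stored_coefficients(pk, with_squares):         # F_3 coefficients an encryptor must hold
    return N + N * N + (N * N if with_squares else 0) + N * len(pk[3])

def keygen():
    F, (L1, L1inv), (L2, L2inv) = rand_central_map(), rand_invertible(), rand_invertible()
    P = interpolate(lambda m: mat_vec(L1, hfe_eval(F, mat_vec(L2, m))))   # P = L1∘F∘L2
    return merge_squares(P), P, (L1inv, L2inv, F)                        # (Q, P, sk)

def decrypt(sk, c):
    L1inv, L2inv, F = sk
    Y = mat_vec(L1inv, c)
    for X in product(range(3), repeat=N):           # toy root search; the paper uses Berlekamp
        if hfe_eval(F, list(X)) == Y:
            m = mat_vec(L2inv, X)
            if all(b in (0, 1) for b in m):         # accept only plaintexts in M
                return m
    return None                                     # invalid ciphertext (the paper's ⊥)
```

With `Q, P, sk = keygen()`, `poly_eval(Q, m)` and `poly_eval(P, m)` agree on all sixteen vectors in M but generally differ on inputs containing a 2, and `stored_coefficients(P, True) - stored_coefficients(Q, False)` is exactly `N * N`, the square block that the modification drops. Because N is tiny, the central map may have several roots for one value, so `decrypt` returns the first preimage that lands in M and a caller should confirm it by re-encrypting; `None` plays the role of the paper's ⊥.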

Security
We analyze the security of the proposed modified HFE encryption scheme. We first review the basic idea of each known attack and then explain why the proposal resists it.
Why the Proposal Is Secure against the Linearization Equations Attack. We first note that the HFE scheme [5] was proposed by Patarin precisely to thwart the linearization equations attack, and no evidence of linearization equations in the HFE scheme has been reported; so the HFE scheme is secure against the linearization equations attack. As far as the proposed modification is concerned, we just note that, for any plaintext m in M, c = Q(m) = P(m) is a valid ciphertext for both the original HFE scheme and the proposed modification. Therefore, we cannot hope to derive linearization equations from the modified HFE scheme.

MinRank Attacks
Basic Idea. Without loss of generality, we assume that the two invertible affine transformations $L_1$ and $L_2$ are linear [21], and we consider the quadratic terms of the central map F in (1). We can view the quadratic part $F^*$ as a quadratic form in the vector X of Frobenius powers of the input, and we associate with $F^*$ a symmetric square matrix $\mathbf{F}$ of dimension equal to the extension degree. The symmetric matrix $\mathbf{F}$ has low rank, and it is this special structure that makes the original HFE scheme insecure. Recall the constraints on the exponent indices in (1) (both indices below the extension degree, and every exponent at most the degree bound), and denote by the rank bound the largest integer not exceeding one plus the logarithm, to the base of the field order, of the degree bound minus one (that is, the integer part of that quantity): then all entries in the columns (rows, resp.) of $\mathbf{F}$ beyond this bound are zero, so the rank of $\mathbf{F}$ is at most the rank bound. Loosely speaking, applying two linear transformations to the input and output of $F^*$ leaves the rank of the corresponding matrix at most this bound. We define the quadratic part of $P = L_1 \circ F \circ L_2$ (with the isomorphism between the extension field and the vector space, and its inverse, applied around F) as $P^*$, the tuple of homogeneous quadratic parts of the public polynomials. Note that $F^*$ can be expressed as homogeneous quadratic polynomials over the base field, and applying two linear transformations to its input and output again gives homogeneous quadratic polynomials over the base field. That is to say, we can lift the quadratic part $P^*$ of the public key P to the extension field under some unknown linear transformations to derive $F^*$, and hence $\mathbf{F}$.
Kipnis and Shamir noted [7] that, by lifting the quadratic part $P^*$ of the public key P of the HFE scheme to the extension field, one obtains a collection of matrices; the matrix $\mathbf{F}$ is then determined by finding a linear combination of these matrices of minimum rank (at most the rank bound). Thus, by solving a MinRank instance, one determines $\mathbf{F}$ and the coefficients of the linear transformation $L_1$. Although the MinRank problem is NP-complete in general [22,23], the target rank here is very small, and this reduction poses a serious threat to the security of the HFE scheme [7,8].
Why the Proposal Is Secure against the MinRank Attack. To see why the proposed modification of the HFE scheme resists the MinRank attack [7,8], we need to show that, when lifted to the extension field over $\mathbb{F}_3$, the quadratic part of the public key Q is not associated with a low-rank matrix. Let $Q^*$ denote the quadratic part of Q, the tuple of homogeneous quadratic parts of its component polynomials. If lifting $Q^*$ to the extension field yields a matrix that is not of low rank, we can claim that the proposal resists the MinRank attack [7,8]. Let $\mathbf{F}_1$ denote the matrix obtained by lifting $Q^*$. We now show that $\mathbf{F}_1$ is not necessarily of low rank. Let S denote the map collecting the square terms that were dropped from P, so that $P^*(x) = Q^*(x) + S(x)$, and let $\mathbf{F}_2$ denote the matrix obtained by lifting S. Lifting both sides of this identity gives $\mathbf{F} = \mathbf{F}_1 + \mathbf{F}_2$, that is, $\mathbf{F}_1 = \mathbf{F} - \mathbf{F}_2$. In this matrix equation we only know that $\mathbf{F}$ has low rank (at most the rank bound). The rank of $\mathbf{F}_2$ is unknown, and hence the rank of $\mathbf{F}_1$ is not necessarily low. So the adversary cannot derive a low-rank matrix from the publicly known map $Q^*$, and the MinRank attack does not apply to the proposed HFE modification.
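The rank bound that drives the Kipnis-Shamir attack, and the reason it is lost once the square terms are merged, carried through with explicit symbols. This is an added derivation, not part of the paper; the names $q$ (field order, here $q = 3$), $n$ (extension degree), $D$ (degree bound), $r$ (rank bound), $a_{ij}$, $b_i$, $c$ (central-map coefficients) and $s_{k,i}$ (square coefficients of the public polynomials) are assumed here because the extracted text above leaves them unnamed.

$$
F(X)=\sum_{\substack{0\le i\le j<n\\ q^i+q^j\le D}} a_{ij}\,X^{q^i+q^j}+\sum_{q^i\le D} b_i\,X^{q^i}+c,
\qquad
\mathbf X=\bigl(X,\,X^{q},\,\dots,\,X^{q^{n-1}}\bigr).
$$

The quadratic part is $F^*(X)=\mathbf X\,\mathbf F\,\mathbf X^{\mathsf T}$ with $\mathbf F_{ii}=a_{ii}$, $\mathbf F_{ij}=\mathbf F_{ji}=a_{ij}/2$ for $i<j$ (well defined because $q=3$ is odd), and $\mathbf F_{ij}=0$ whenever $q^i+q^j>D$. If $\mathbf F_{ij}\neq 0$ then, since the smaller of the two powers is at least $1$,

$$
q^{\max(i,j)} \le q^i+q^j-1 \le D-1
\;\Longrightarrow\;
\max(i,j)\le\lfloor\log_q(D-1)\rfloor = r-1,
\qquad r=\lfloor\log_q(D-1)\rfloor+1,
$$

so rows and columns $r,\dots,n-1$ of $\mathbf F$ vanish and $\operatorname{rank}\mathbf F\le r$; invertible linear changes of input and output (the lifted $L_1$, $L_2$) do not raise this rank, and $r$ is the target rank of the MinRank instance. For instance, with $q=3$ and $D=12$ the admissible quadratic exponents are $2,4,6,10,12$, all with $i,j\in\{0,1,2\}$, and indeed $r=\lfloor\log_3 11\rfloor+1=3$.

For the modified key, $P^*=Q^*+S$ with $S_k(x)=\sum_i s_{k,i}\,x_i^2$; lifting each side to the extension field gives $\mathbf F=\mathbf F_1+\mathbf F_2$, hence

$$
\mathbf F_1=\mathbf F-\mathbf F_2,
\qquad
\operatorname{rank}\mathbf F_1\le r+\operatorname{rank}\mathbf F_2 ,
$$

and the public key $Q$ fixes nothing about $\operatorname{rank}\mathbf F_2$, so the small target rank $r$ that the attack relies on is not exposed by $Q^*$.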

Algebraic Attacks
Basic Idea. One straightforward way to attack multivariate public key cryptosystems is to solve the multivariate quadratic equations directly, using algorithms that compute a Gröbner basis of a suitable ideal. Given the ciphertext c = Q(m), we want to solve for the plaintext m from the quadratic equations Q(m) = c. The algebraic or direct attacks use Gröbner basis algorithms such as F5 [24] and XL [25] to compute generators of the ideal I generated by the polynomials obtained by subtracting each ciphertext coordinate from the corresponding public polynomial. It is observed [26] that the field equations (each variable cubed minus itself, over $\mathbb{F}_3$) help simplify the computation, so the field equations can be added to the generators; namely, one computes a Gröbner basis of the ideal augmented with them.
Why the Proposal Is Secure against the Algebraic Attack. In the proposed modified HFE encryption scheme, we impose a restriction on the plaintext space: the plaintext space M consists of the vectors with coordinates in {0, 1}, not all vectors over $\mathbb{F}_3$. Thus we have additional equations for the plaintext m: each coordinate $m_i$ satisfies $m_i^2 - m_i = 0$. Each coordinate also satisfies the field equation $m_i^3 - m_i = 0$, but the field equations follow from the equations $m_i^2 - m_i = 0$. So in the proposed modification, the attacker must compute a Gröbner basis of the ideal generated by the public equations together with the equations $m_i^2 - m_i = 0$. To evaluate the cost of the Gröbner basis algorithms for recovering the plaintext, we use the degree of regularity of the quadratic system [27]. By the results on page 219 of [2], the cost is at least polynomial in the number of variables with exponent twice the degree of regularity. Under the suggested parameters, 256 and 144, the degree of regularity of the quadratic system is 5, so the computational cost is about $256^{10} = 2^{80}$ bit operations. Hence, against the algebraic attacks, the proposed modified HFE encryption scheme achieves a security level of 80 bits under the suggested parameters.

Suggested Parameters.
Considering the preceding discussion, we suggest the parameter values 256 and 144. The security analysis shows that the proposed HFE modification achieves a security level of 80 bits under these parameters.

Conclusions
In this paper, we proposed a novel modified HFE encryption scheme. The proposed HFE modification has the following features: (i) Universal padding scheme for multivariate public key encryptions: the proposed HFE variant merges the square and linear terms by imposing a restriction on the plaintext space. The method is a universal padding scheme and hence can be applied to other multivariate cryptographic constructions.
(ii) Fully nonlinear transformation on the central map: the proposed method can remove all the square terms in the public multivariate quadratic polynomials and thus impose a nonlinear transformation on all the polynomials.
(iii) Security against known attacks: we illustrated that the proposed HFE modification encryption scheme is secure against known attacks including the linearization equation attack, the MinRank attack, and the algebraic attacks.
(iv) More efficient encryption and smaller public key size: the proposed modification encryption scheme does not store the square terms in the public key and hence can reduce the encryption costs by O( 2 ) bit operations and saves the public key storage by O( 2 ) bits.
As a new multivariate public key encryption scheme, the proposal needs further security analysis. We encourage readers to examine its security.