1. Introduction
Public key cryptography [1] built from the NP-hardness of solving multivariate quadratic equations over a finite field [2, 3] was conceived as a plausible alternative to the traditional factorization- and discrete-logarithm-based public key cryptosystems, owing to its high performance and its resistance to quantum attacks [4]. The hidden field equations (HFE) scheme [5] may be the most famous cryptosystem among all multivariate public key cryptographic schemes. The HFE scheme first defines a univariate map over an extension field $\mathbb{F}_{q^n}$:

(1) $$F(X)=\sum_{0\le i\le j<n,\ q^i+q^j\le D} a_{ij}X^{q^i+q^j}+\sum_{0\le i<n,\ q^i\le D} b_iX^{q^i}+c,$$

where the degree bound $D$ cannot be chosen very large, so that the user can use the Berlekamp algorithm [6] to efficiently compute the roots of $F(X)$. Then two invertible affine transformations are applied to hide the special structure of the central map [2, 5]. However, the central map $F(X)$ can be represented by a low-rank matrix [7], which makes it vulnerable to MinRank attacks [7–9]. So some modifications are needed to repair the basic HFE scheme [10–14]. However, all known modification methods can only impose a partial nonlinear transformation on the special structure of the HFE central map, and hence they are still vulnerable to some attacks [15–17].
We consider the HFE scheme over finite fields of characteristic 3. We impose a restriction on the plaintext space and use it to merge the coefficients of the linear part and the square part. By doing this we can impose a fully nonlinear transformation on the central map of the HFE encryption scheme. Performance analysis shows that the modification saves $O(n^2)$ bits of public key storage and reduces the encryption cost by about $O(n^2)$ bit operations. It is shown that the modification can defend against the known attacks, including the MinRank attack, the linearization equations attack, and the direct algebraic attacks.
2. Proposal
2.1. Notations
Let $\mathbb{F}_q$ be a finite field of order $q$, with $q$ a prime power. Let $f(x)$ be an irreducible polynomial of degree $n$ over $\mathbb{F}_q$; then $\mathbb{F}_{q^n}=\mathbb{F}_q[x]/f(x)$ forms a degree-$n$ extension field. The construction admits a standard isomorphism $\phi$ between the extension field $\mathbb{F}_{q^n}$ and the vector space $\mathbb{F}_q^n$; namely, for an element $g(x)=\sum_{i=0}^{n-1}g_ix^i\in\mathbb{F}_{q^n}$, we have $\phi(g(x))=(g_0,\dots,g_{n-1})\in\mathbb{F}_q^n$. We denote the inverse of the map $\phi$ by $\phi^{-1}$. Note that the Frobenius maps $T(X)=X^{q^i}$ for $i=0,1,\dots,n-1$ defined over $\mathbb{F}_{q^n}$ are $\mathbb{F}_q$-linear; namely, when expressed over the base field $\mathbb{F}_q$, $T(X)$ becomes an $n$-dimensional linear function over $\mathbb{F}_q$.
2.2. Description
The encryption scheme consists of three subalgorithms: key generation, encryption, and decryption.
Key Generation. The system parameters consist of an irreducible polynomial $f(x)$ of degree $n$ over $\mathbb{F}_3$, the extension field $\mathbb{F}_{3^n}=\mathbb{F}_3[x]/f(x)$, and the isomorphism $\phi$ between $\mathbb{F}_{3^n}$ and $\mathbb{F}_3^n$. First, we define an HFE map $F(X)$ as in (1) and randomly choose two invertible affine transformations $L_1:\mathbb{F}_3^n\to\mathbb{F}_3^n$ and $L_2:\mathbb{F}_3^n\to\mathbb{F}_3^n$. Then we compute their inverses $L_1^{-1}$ and $L_2^{-1}$ and the $n$-variable quadratic polynomials $P=L_1\circ\phi\circ F\circ\phi^{-1}\circ L_2=(p_0,p_1,\dots,p_{n-1})$. For $x=(x_0,x_1,\dots,x_{n-1})$, we set

(2) $$p_k(x)=\sum_{i=0}^{n-1}\alpha_i^{(k)}x_i^2+\sum_{i=0}^{n-2}\sum_{j=i+1}^{n-1}\beta_{ij}^{(k)}x_ix_j+\sum_{i=0}^{n-1}\gamma_i^{(k)}x_i+\delta^{(k)},$$

where all the coefficients are in $\mathbb{F}_3$, for $k=0,\dots,n-1$. Then we merge the coefficients of the square and linear terms of $p_k$, that is, $\rho_i^{(k)}=\alpha_i^{(k)}+\gamma_i^{(k)}$ for $i,k=0,1,\dots,n-1$, and obtain the public key of the modified HFE scheme, namely the $n$ quadratic polynomials $Q=(q_0,q_1,\dots,q_{n-1})$, where, for $k=0,\dots,n-1$,

(3) $$q_k(x)=\sum_{i=0}^{n-2}\sum_{j=i+1}^{n-1}\beta_{ij}^{(k)}x_ix_j+\sum_{i=0}^{n-1}\rho_i^{(k)}x_i+\delta^{(k)}.$$

The secret key consists of $F(X)$, $L_1^{-1}$, and $L_2^{-1}$.
Encryption. The plaintext space is $M=\{0,1\}^n$. For a plaintext $m\in M$, we simply compute $c=(c_0,\dots,c_{n-1})=Q(m)\in\mathbb{F}_3^n$ as the ciphertext.
Decryption. Given a ciphertext $c\in\mathbb{F}_3^n$, we compute $y=L_1^{-1}(c)$ and $Y=\phi^{-1}(y)\in\mathbb{F}_{3^n}$, and we use the Berlekamp algorithm [6] to compute all the preimages $X\in\mathbb{F}_{3^n}$ such that $F(X)=Y$; for each such $X$ we compute $x=\phi(X)\in\mathbb{F}_3^n$. Finally, we compute $m=L_2^{-1}(x)$. If $m\in M$, then we output $m$ as the plaintext. If we fail to derive a vector in $M$ from all the preimages $X$, we output the symbol $\bot$, designating an invalid ciphertext.
Why Decryption Works. We just observe that $m_i\in\{0,1\}$, so $m_i^2=m_i$. Hence, for $k=0,1,\dots,n-1$,

(4) $$\begin{aligned}c_k=q_k(m)&=\sum_{i=0}^{n-2}\sum_{j=i+1}^{n-1}\beta_{ij}^{(k)}m_im_j+\sum_{i=0}^{n-1}\rho_i^{(k)}m_i+\delta^{(k)}\\&=\sum_{i=0}^{n-2}\sum_{j=i+1}^{n-1}\beta_{ij}^{(k)}m_im_j+\sum_{i=0}^{n-1}\bigl(\alpha_i^{(k)}+\gamma_i^{(k)}\bigr)m_i+\delta^{(k)}\\&=\sum_{i=0}^{n-1}\alpha_i^{(k)}m_i^2+\sum_{i=0}^{n-2}\sum_{j=i+1}^{n-1}\beta_{ij}^{(k)}m_im_j+\sum_{i=0}^{n-1}\gamma_i^{(k)}m_i+\delta^{(k)}\\&=p_k(m).\end{aligned}$$

So $c=Q(m)=P(m)=L_1\circ\phi\circ F\circ\phi^{-1}\circ L_2(m)$. The modified HFE decryption recovers the plaintext $m$ by peeling off the composition one layer at a time from the leftmost side.
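To make the coefficient-merging step and identity (4) concrete, the following Python example (added here; it is not code from the paper) draws a random quadratic map over $\mathbb{F}_3$ in the form of (2) to stand in for $P$, merges its square and linear coefficients into $Q$ as in (3), and checks that $P$ and $Q$ agree on all of $M=\{0,1\}^n$ but not on $\mathbb{F}_3^n$, that the public key shrinks by $n^2$ coefficients, and that the final decryption check rejects vectors outside $M$. The HFE central map, the Berlekamp root finding and the affine layers $L_1,L_2$ are not implemented; $P$ is a random stand-in, and the function and variable names are this example's own.

```python
import itertools, random

FIELD = 3  # base field F_3; characteristic 3 as in the paper

def random_quadratic_map(n, rng):
    """n random polynomials of the form (2) as (alpha, beta, gamma, delta); beta is keyed by pairs i<j."""
    polys = []
    for _ in range(n):
        alpha = [rng.randrange(FIELD) for _ in range(n)]
        beta = {(i, j): rng.randrange(FIELD) for i in range(n) for j in range(i + 1, n)}
        gamma = [rng.randrange(FIELD) for _ in range(n)]
        polys.append((alpha, beta, gamma, rng.randrange(FIELD)))
    return polys

def merge_square_terms(polys):
    """Form Q from P as in (3): rho_i = alpha_i + gamma_i (mod 3); the square terms are dropped."""
    return [([], beta, [(a + g) % FIELD for a, g in zip(alpha, gamma)], delta)
            for alpha, beta, gamma, delta in polys]

def evaluate(polys, x):
    """Evaluate a quadratic map at x in F_3^n (an empty alpha list means no square terms)."""
    out = []
    for alpha, beta, lin, delta in polys:
        v = delta + sum(a * xi * xi for a, xi in zip(alpha, x))
        v += sum(b * x[i] * x[j] for (i, j), b in beta.items())
        v += sum(l * xi for l, xi in zip(lin, x))
        out.append(v % FIELD)
    return out

def coefficient_count(polys):  # number of F_3 coefficients the public key stores
    return sum(len(a) + len(b) + len(l) + 1 for a, b, l, _ in polys)

def agree_on(map_p, map_q, domain):  # same ciphertext for every vector in domain?
    return all(evaluate(map_p, x) == evaluate(map_q, x) for x in domain)

def decrypt_check(x):  # final decryption step: reject anything outside M = {0,1}^n
    return list(x) if all(xi in (0, 1) for xi in x) else None  # None stands for the symbol ⊥

def demo(n=5, seed=7):
    rng = random.Random(seed)
    P = random_quadratic_map(n, rng)  # stands in for L1∘φ∘F∘φ^{-1}∘L2 of the paper (constructed)
    Q = merge_square_terms(P)         # the public key that is actually published
    binary = list(itertools.product((0, 1), repeat=n))         # the plaintext space M
    ternary = list(itertools.product(range(FIELD), repeat=n))  # all of F_3^n
    return {"agree_on_M": agree_on(P, Q, binary),              # identity (4) on M
            "agree_on_F3n": agree_on(P, Q, ternary),           # false unless every alpha is 0
            "all_alpha_zero": all(a == 0 for p in P for a in p[0]),
            "trits_saved": coefficient_count(P) - coefficient_count(Q),  # n^2 coefficients
            "reject": decrypt_check((2, 0, 1, 1, 0)), "accept": decrypt_check((1, 0, 1, 1, 0))}
```

On $\mathbb{F}_3^n$ the two maps differ at $x=2e_i$ whenever some $\alpha_i^{(k)}\neq 0$, which is exactly why the plaintext restriction to $M$ is needed.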
Remarks. The original HFE scheme [5] works over any field $\mathbb{F}_q$ and its extension $\mathbb{F}_{q^n}$. In fact, the quadratic polynomial map $P$ is exactly the public key of the original HFE scheme, and the secret key of the original scheme also consists of $F(X)$, $L_1^{-1}$, and $L_2^{-1}$. Encryption in the original HFE scheme is simply the computation $c=P(m)$, where the plaintext $m$ lies in $\mathbb{F}_q^n$ but not necessarily in $M=\{0,1\}^n$. The decryption algorithm of the modified HFE scheme is exactly the original HFE decryption.
2.3. Performance and Comparisons
To compare the proposed HFE modification with the original HFE scheme on a uniform platform, we consider the HFE scheme defined over $\mathbb{F}_3$ and its extension field $\mathbb{F}_{3^n}$. It is easily seen that the modified and the original HFE schemes share a common secret key and decryption algorithm, so both schemes have the same secret key size and decryption cost. In the modified scheme the public key is $Q$, so we need not store the coefficients of the square terms of the public key $P$; the proposed scheme therefore reduces the public key size by $O(n^2)$ bits. During encryption, the proposed modification does not need to compute the squares, so the proposed encryption reduces the computational cost by $O(n^2)$ bit operations.
3. Security
We analyze the security of the proposed modified HFE encryption scheme. We first review the basic idea of each known attack and then explain why the proposal is secure against it.
3.1. Linearization Equations Attack
Basic Idea. The linearization equations attack [18] was found by Patarin on the Matsumoto-Imai scheme [19]. In the Matsumoto-Imai scheme, a permutation $F(X)=X^{q^\theta+1}$ over $\mathbb{F}_{q^n}$ of characteristic 2 is defined such that $\gcd(q^n-1,q^\theta+1)=1$; then two invertible affine transformations $L_1$ and $L_2$ are used to disguise the central map $F$ as a quadratic map $P$ over $\mathbb{F}_q$, namely

(5) $$P=L_1\circ\phi\circ F\circ\phi^{-1}\circ L_2.$$

The basic idea of the attack is as follows. Note that $Y=F(X)=X^{q^\theta+1}$ implies $XY^{q^\theta}-X^{q^{2\theta}}Y=0$. By setting

(6) $$x=(x_0,\dots,x_{n-1})=\phi(X),\qquad y=(y_0,\dots,y_{n-1})=\phi(Y)=\phi(F(X))=\phi\circ F\circ\phi^{-1}(x),$$

we can express $XY^{q^\theta}-X^{q^{2\theta}}Y=0$ as $n$ bilinear equations in the input $x$ and the output $y$ of the function $\phi\circ F\circ\phi^{-1}$:

(7) $$\sum_{i=0}^{n-1}\sum_{j=0}^{n-1}a_{ij}^{(k)}x_iy_j=0,$$

where $i,j,k=0,\dots,n-1$ and $a_{ij}^{(k)}\in\mathbb{F}_q$. Given a ciphertext $c=(c_0,\dots,c_{n-1})=P(m)$, we want to recover the corresponding plaintext $m=(m_0,\dots,m_{n-1})$. Note that $m$ (resp. $c$) is an affine transformation $L_2$ (resp. $L_1$) of the input (resp. output) of the function $\phi\circ F\circ\phi^{-1}$. So $m$ and $c$ satisfy the following $n$ equations derived from the $n$ bilinear equations, namely

(8) $$\sum_{i=0}^{n-1}\sum_{j=0}^{n-1}\alpha_{ij}^{(k)}m_ic_j+\sum_{i=0}^{n-1}\beta_i^{(k)}m_i+\sum_{i=0}^{n-1}\gamma_i^{(k)}c_i+\delta^{(k)}=0,$$

where $i,j,k=0,\dots,n-1$ and all the coefficients are in $\mathbb{F}_q$. These $n$ equations are called linearization equations and can be efficiently computed from the public polynomials $P$. It was shown that the linearization equations have rank at least $n-\gcd(n,\theta)$ [20]. So given a ciphertext $c=(c_0,\dots,c_{n-1})=P(m)$, we only need to solve the $n$ linearization equations to obtain the corresponding plaintext $m=(m_0,\dots,m_{n-1})$.
Why the Proposal Is Secure against the Linearization Equations Attack. We first note that the HFE scheme [5] was proposed by Patarin to thwart the linearization equations attack, and no evidence has been reported of the existence of linearization equations in the HFE scheme. So the HFE scheme is secure against the linearization equations attack. As for the proposed HFE modification, we just note that, for any plaintext $m\in M=\{0,1\}^n$, $c=Q(m)=P(m)$ is a valid ciphertext for both the original HFE scheme and the proposed modification. Therefore, one cannot hope to derive linearization equations for the modified HFE scheme either.
3.2. MinRank Attacks
Basic Idea. Without loss of generality, we assume that the two invertible affine transformations $L_1$ and $L_2$ are linear [21], and we collect the quadratic terms of $F(X)$ in (1) as

(9) $$F^*(X)=\sum_{0\le i\le j<n,\ q^i+q^j\le D}a_{ij}X^{q^i+q^j}.$$

We can then view $F^*$ as a quadratic form in

(10) $$\mathbf{X}=(X,X^q,\dots,X^{q^{n-1}});$$

so we associate with $F^*$ a symmetric $n\times n$ matrix $\mathbf{F}$ such that

(11) $$F^*(X)=\mathbf{X}\mathbf{F}\mathbf{X}^T.$$

The symmetric matrix $\mathbf{F}$ is of low rank, and it is this special structure of $\mathbf{F}$ that makes the original HFE scheme insecure. Recall that $0\le i\le j<n$ and $q^i+q^j\le D$; denote by $r$ the largest integer less than or equal to $\log_q(D-1)+1$, that is, $r=\lfloor\log_q(D-1)\rfloor+1$. Then all the elements of the last $n-r$ columns (resp. rows) of $\mathbf{F}$ are zero, so the rank of the symmetric matrix $\mathbf{F}$ is at most $r$. Loosely speaking, when we apply two linear transformations to the input and output of the map $F^*$, the rank of the corresponding matrix remains at most $r$. We define the quadratic part of $P=L_1\circ\phi\circ F\circ\phi^{-1}\circ L_2$ as $P^*=(p_0^*,\dots,p_{n-1}^*)$, namely, for $k=0,\dots,n-1$,

(12) $$p_k^*(x)=\sum_{i=0}^{n-1}\alpha_i^{(k)}x_i^2+\sum_{i=0}^{n-2}\sum_{j=i+1}^{n-1}\beta_{ij}^{(k)}x_ix_j.$$

Note that $F^*(X)$ can be expressed as $n$ homogeneous quadratic polynomials over the base field $\mathbb{F}_q$; applying two linear transformations to the input and output of $F^*(X)$ again gives $n$ homogeneous quadratic polynomials over $\mathbb{F}_q$. That is to say,

(13) $$P^*=L_1\circ\phi\circ F^*\circ\phi^{-1}\circ L_2,$$

or equivalently,

(14) $$F^*=\phi^{-1}\circ L_1^{-1}\circ P^*\circ L_2^{-1}\circ\phi.$$

The above equation says that we can lift the quadratic part $P^*$ of the public key $P$ to the extension field $\mathbb{F}_{q^n}$ under some unknown linear transformations to derive $F^*$ and hence $\mathbf{F}$. Kipnis and Shamir noted [7] that, by lifting the quadratic part $P^*$ of the public key $P$ of the HFE scheme to the extension field $\mathbb{F}_{q^n}$, they can find a collection of matrices. The matrix $\mathbf{F}$ is then determined by finding a linear combination of these matrices that has minimum rank (at most $r$). Thus by solving the MinRank problem one can determine the matrix $\mathbf{F}$ and the coefficients of the linear transformation $L_1$.
Though the MinRank problem is proven to be NP-complete [22, 23], the reduction to the MinRank problem still poses a serious threat to the security of the HFE scheme [7, 8].
Why the Proposal Is Secure against the MinRank Attack. To illustrate why the proposed modification of the HFE scheme is secure against the MinRank attack [7, 8], we just need to show that, when lifted to the extension field $\mathbb{F}_{3^n}$, the quadratic part of the public key $Q$ is not associated with a low-rank matrix. We write the quadratic part of the public key $Q$ as $Q^*=(q_0^*,q_1^*,\dots,q_{n-1}^*)$ with

(15) $$q_k^*(x)=\sum_{i=0}^{n-2}\sum_{j=i+1}^{n-1}\beta_{ij}^{(k)}x_ix_j$$

for $k=0,\dots,n-1$. If we lift $Q^*$ to the extension field and find that the corresponding matrix is not of low rank, we can claim that our proposal is secure against the MinRank attack [7, 8]. So we define

(16) $$F_1(X)=\phi^{-1}\circ L_1^{-1}\circ Q^*\circ L_2^{-1}\circ\phi(X)=\mathbf{X}\mathbf{F}_1\mathbf{X}^T.$$

Now we show that the corresponding matrix $\mathbf{F}_1$ is not necessarily of low rank. We define $S=(s_0,s_1,\dots,s_{n-1})$ with

(17) $$s_k(x)=\sum_{i=0}^{n-1}\alpha_i^{(k)}x_i^2$$

for $k=0,\dots,n-1$, and

(18) $$F_2(X)=\phi^{-1}\circ L_1^{-1}\circ S\circ L_2^{-1}\circ\phi(X)=\mathbf{X}\mathbf{F}_2\mathbf{X}^T.$$

It is obvious that $P^*(x)=Q^*(x)+S(x)$. Thus we can easily verify that

(19) $$\begin{aligned}\mathbf{X}\mathbf{F}\mathbf{X}^T=F^*(X)&=\phi^{-1}\circ L_1^{-1}\circ P^*\circ L_2^{-1}\circ\phi(X)\\&=\phi^{-1}\circ L_1^{-1}\circ(Q^*+S)\circ L_2^{-1}\circ\phi(X)\\&=\phi^{-1}\circ L_1^{-1}\circ Q^*\circ L_2^{-1}\circ\phi(X)+\phi^{-1}\circ L_1^{-1}\circ S\circ L_2^{-1}\circ\phi(X)\\&=F_1(X)+F_2(X)=\mathbf{X}\mathbf{F}_1\mathbf{X}^T+\mathbf{X}\mathbf{F}_2\mathbf{X}^T=\mathbf{X}(\mathbf{F}_1+\mathbf{F}_2)\mathbf{X}^T.\end{aligned}$$

So we get $\mathbf{F}_1=\mathbf{F}-\mathbf{F}_2$. In this matrix equation, we only know that $\mathbf{F}$ is of low rank (at most $r$). However, the rank of the matrix $\mathbf{F}_2$ is unknown, and hence the rank of the matrix $\mathbf{F}_1$ is not necessarily low. So the adversary cannot derive a low-rank matrix from the publicly known map $Q^*$, and the MinRank attack does not apply to the proposed HFE modification scheme.
3.3. Algebraic Attacks
Basic Idea. One straightforward way to attack multivariate public key cryptosystems is to directly solve the multivariate quadratic equations using algorithms that compute a Gröbner basis of some ideal. Given the ciphertext $c=Q(m)$, we want to solve for the plaintext $m$ from the quadratic equations

(20) $$\begin{aligned}q_0(m_0,m_1,\dots,m_{n-1})&=c_0,\\q_1(m_0,m_1,\dots,m_{n-1})&=c_1,\\&\;\;\vdots\\q_{n-1}(m_0,m_1,\dots,m_{n-1})&=c_{n-1}.\end{aligned}$$

The algebraic or direct attacks can use Gröbner basis algorithms such as F5 [24] and the XL algorithm [25] to solve for the generators of the ideal $I=\langle q_0-c_0,q_1-c_1,\dots,q_{n-1}-c_{n-1}\rangle$ generated by $q_0-c_0,q_1-c_1,\dots,q_{n-1}-c_{n-1}$. It is observed [26] that the field equations $m_i^q-m_i=0$ for $i=0,1,\dots,n-1$ are useful for simplifying the computation, so we can also add the $n$ field equations to the generators; namely, we compute the Gröbner basis of the ideal

(21) $$I^*=\langle q_0-c_0,\dots,q_{n-1}-c_{n-1},m_0^q-m_0,\dots,m_{n-1}^q-m_{n-1}\rangle.$$

Why the Proposal Is Secure against the Algebraic Attack. In the proposed modification of the HFE encryption scheme, we impose a restriction on the plaintext space: the plaintext space is $M=\{0,1\}^n$ rather than $\mathbb{F}_3^n$. Thus we have some additional equations associated with the plaintext $m=(m_0,m_1,\dots,m_{n-1})$; namely, for $i=0,1,\dots,n-1$, we have $m_i^2-m_i=0$. Each plaintext block $m_i$ also satisfies the field equation $m_i^3-m_i=0$; however, the field equations $m_i^3-m_i=0$ can be derived from the equations $m_i^2-m_i=0$. So in the proposed modification we need to find the Gröbner basis of the ideal

(22) $$I'=\langle q_0-c_0,\dots,q_{n-1}-c_{n-1},m_0^2-m_0,\dots,m_{n-1}^2-m_{n-1}\rangle.$$

To evaluate the difficulty for Gröbner basis algorithms to recover the plaintext, we can use the degree of regularity $D_{\mathrm{reg}}$ of the quadratic equations [27] to estimate the computational cost. The computational cost is at least $O(n^{2D_{\mathrm{reg}}})$ bit operations, according to the results given on page 219 of [2]. Under the suggested parameters $n=256$ and $D=144$, the degree of regularity of the quadratic equations is $D_{\mathrm{reg}}=5$. So the computational overhead is about $256^{10}=2^{80}$ bit operations.
So under the algebraic attacks, the proposed modification of the HFE encryption scheme attains a security level of 80 bits under the suggested parameters.
3.4. Suggested Parameters
Considering the aforementioned discussion, we suggest choosing $n=256$ and $D=144$. We can see from the security analysis that the proposed HFE modification encryption scheme attains a security level of 80 bits under these parameters.