Sieve Method for Polynomial Linear Equivalence

We consider the polynomial linear equivalence (PLE) problem arising from multivariate public key cryptography: given nonlinear polynomial maps P and S over a finite field F_q, find an invertible linear transformation L satisfying P = S ∘ L. Some cryptographic and algebraic properties of PLE are discussed, and from these properties we derive three sieves called the multiplicative, differential, and additive sieves. By combining the three sieves, we propose a sieve method for the PLE problem. As an application of our sieve method, we show that it is infeasible to construct public key encryption schemes from the PLE problem.


Introduction
With the rapid development of information technology, privacy and authentication have become two important issues that must be resolved in communication networks. Public key cryptography is undoubtedly one of the most important tools for resolving both problems in information and network security engineering. Tremendous efforts have been made to achieve more practical and efficient public key ciphers in the cryptographic literature [1]. However, only a small number of them have survived serious security scrutiny, among which are the two widely used cryptosystems RSA, based on the integer factorization problem [1], and ECC, based on the discrete logarithm problem on elliptic curves over finite fields [1,2]. However, there exist polynomial-time quantum algorithms for factoring large integers and solving the discrete logarithm problem in any finite cyclic group [3,4]. Therefore, RSA and ECC are at risk of being totally broken by quantum algorithms once practical quantum computing devices are available. Based on these considerations, cryptographers began to construct alternative post-quantum (i.e., quantum-resistant) public key cryptosystems from other mathematically intractable problems, especially problems proven NP-complete or NP-hard.
Multivariate public key cryptography (MPKC) is an important class of post-quantum public key ciphers [5]. The security of MPKC rests on the proven fact that solving a random system of nonlinear equations over a finite field is NP-hard [6]. MPKC was once considered very attractive also because of its high speed in key generation, encryption, and decryption, its easy implementation in both hardware and software, and its simple mathematical description [5]. In a multivariate public key cryptosystem, we first define a nonlinear easy-to-invert map S called the central map, then randomly choose two invertible affine transformations L_1 and L_2, and finally publish the nonlinear map P = L_2 ∘ S ∘ L_1 as the public key while keeping L_1, L_2, and S as the secret key. Sometimes the central map S has a very special structure, which makes it pointless to keep S secret. One important problem in MPKC is the isomorphism of polynomials (IP) problem [7–15]; namely, given nonlinear maps S and P, find two invertible linear transformations L_1 and L_2 such that P = L_2 ∘ S ∘ L_1. The IP problem lies at the core of MPKC: many multivariate cryptosystems were constructed on the assumed intractability of the IP problem [16–22]. The IP problem is widely believed to be intractable, and the known algorithms for it have exponential complexity [7–15].
In the IP problem, if L_2 is known or equal to the identity transformation, the IP problem becomes the isomorphism of polynomials with one secret (IP1s) problem [7,8,12,13,15,23–25], which has been used in MPKC [7,17,26–28]. The IP1s problem was shown to be at least as difficult as the graph isomorphism problem [8,29]. The graph isomorphism problem has been extensively studied for about half a century, and no efficient algorithm is known for it, so the IP1s problem was also widely believed to be intractable. When the invertible affine transformation L_1 is restricted to be linear, the resulting special case of IP1s was named the polynomial linear equivalence (PLE) problem in [24]. In [24], it was shown that PLE is not a genuine restriction of IP1s; in fact, PLE and IP1s are polynomial-time equivalent. In [23], an algorithm was developed to solve the IP1s problem used in the construction of the identification scheme in [7], and the algorithm breaks some challenges of the scheme in [7]. In [24], the differential properties of PLE were fully explored to derive an algorithm for PLE, which transforms the PLE problem into a linear algebra problem. Some other algorithms were also developed to solve the IP1s problem [12,13,15,25]. These algorithms perform efficiently in some special cases of the IP1s problem.
Previous results about the IP and IP1s problems were established by treating them purely as mathematical problems. However, some cryptographic properties of the IP1s problem as it arises in cryptography may have been overlooked. For example, the central map used in MPKC is required to be easy to invert, and this cryptographic property may help us establish other algorithms for solving the IP1s problem. In this paper, we utilize this cryptographic property to develop an algorithm for solving the PLE problem and hence the IP1s problem. We fully explore the multiplicative, differential, and additive cryptographic properties present in the PLE problem. Based on the three properties, we provide a sieve algorithm for the PLE problem. Assuming that the central map has only a polynomially bounded number of pre-images, the proposed sieve algorithm is a polynomial-time algorithm. Apart from the previously known algorithms based on differential analysis, Gröbner bases, exhaustive search, and linear algebraic methods, we thus provide a new type of algorithm. The sieve method may be of independent interest and may provide new insights into IP-like problems.
The rest of the paper is organized as follows. In Section 2, we formalize the notation, review MPKC at a conceptual level, and define IP-like problems. In Section 3, we elaborate on the proposed sieve method for the PLE problem. Section 4 provides some concluding remarks.

Preliminaries
2.1. Notations.
Throughout this paper, the following notation will be used. We use F_q to denote a finite field whose order q is a prime power. In this paper, we only consider the PLE problem over F_q with q > 2. We use bold lowercase letters for vectors and bold capital letters for matrices. The general linear group over F_q is denoted by GL(F_q, n); it consists of all n-dimensional invertible matrices over F_q. For two sets  and , we define  +  = { +  :  ∈ ,  ∈ } and  −  = { −  :  ∈ ,  ∈ }. For a set  ⊂ F_q^n and a nonzero element  ∈ F_q, we define  = {s : s ∈ } and / = { −1 s : s ∈ }, where  −1 stands for the inverse of  in F_q. For a map S defined on F_q^n and a vector s in its codomain, we use the symbol S^{-1}(s) to denote the set of preimages of s under the map S; namely, S^{-1}(s) = {x ∈ F_q^n : S(x) = s}.

Multivariate Public Key Cryptosystems.
Multivariate public key cryptosystems almost always follow the design below [5]: first define an easy-to-invert central map, and then disguise the central map as a seemingly hard nonlinear map via two invertible affine transformations.
Key Generation. Let F_q be a finite field whose order q is a prime power. Firstly, define a nonlinear central map S : In case of a public key encryption scheme, we require that for any b in the codomain of S, all the solutions x ∈ F_q^n (if any exist) to the system of nonlinear equations S(x) = b can be efficiently determined; namely, the set S^{-1}(b) = {x ∈ F_q^n : S(x) = b} can be computed. In case of a digital signature scheme, we require that for any b in the codomain of S, one solution x ∈ S^{-1}(b) (if any exists) to the system S(x) = b can be efficiently found. Secondly, randomly choose two invertible affine transformations L_1 on F_q^n and L_2 on the codomain of S; namely, choose an invertible matrix M_1 uniformly at random from GL(F_q, n) (and M_2, resp., from the general linear group of the codomain dimension) and a vector k_1 uniformly at random from F_q^n (and k_2, resp., from the codomain), and define the two affine transformations L_1 : The public key is the nonlinear map P, and the secret key consists of S, L_1^{-1}, and L_2^{-1}.
Encryption. For a plaintext m ∈ F_q^n, the corresponding ciphertext is computed as c = P(m).
Decryption. Given a ciphertext c, we firstly compute the intermediate vector y. Secondly, compute all the preimages of y under the nonlinear map S; namely, S^{-1}(y) = {x ∈ F_q^n : S(x) = y}. Thirdly, for every vector x ∈ S^{-1}(y), compute m = L_1^{-1}(x) = (x − k_1)M_1^{-1} to obtain a set of candidate plaintexts. Finally, use some redundant information to pick out the correct plaintext m.
The design also applies to digital signature schemes.
Signature. To sign a message m, we firstly compute z = L_2^{-1}(m), then invert S to get a pre-image y ∈ S^{-1}(z), and finally compute x = L_1^{-1}(y). The vector x ∈ F_q^n is the signature on the message m.
Verification. The verifier checks whether m = P(x). If the equation holds, the verifier accepts x as a valid signature on m; otherwise, the verifier rejects x.
Remarks. The central map S always has a special structure that allows us to efficiently find pre-images, so in some cases it is pointless to keep the central map secret. For example, the MI [16] central map is S() =    +1, which makes it meaningless to keep S secret. Several modifications of the basic construction of MPKC were suggested in order to obtain a higher level of security [30], for example, the plus method [30], the minus method [30], and so on.

Definitions.
The following definitions are closely related to key recovery attacks on multivariate public key cryptosystems.
Definition 1 (IP [7]). Given two nonlinear polynomial maps S and P defined on F_q^n, find two invertible affine transformations L_1 on F_q^n and L_2 on the codomain such that P = L_2 ∘ S ∘ L_1. Equivalently, find two invertible matrices M_1 ∈ GL(F_q, n) and M_2 (of the codomain dimension) and two vectors
When L_2 is known or equal to the identity transformation, we get the definition of the IP1s problem [8,23].
Definition 2 (IP1s). Given two nonlinear polynomial maps S and P defined on F_q^n, find an invertible affine transformation L on F_q^n such that P = S ∘ L. Equivalently, find an invertible matrix M ∈ GL(F_q, n) and a vector k ∈ F_q^n such that P(x) = S(xM + k).
It was shown in [24] that the IP1s problem and the PLE problem are polynomial-time equivalent. So it suffices to discuss the following PLE problem in order to cover the IP1s problem.
Definition 3 (PLE). Given two nonlinear polynomial maps S and P defined on F_q^n, find an invertible linear transformation L on F_q^n such that P = S ∘ L. Equivalently, find an invertible matrix M ∈ GL(F_q, n) such that P(x) = S(xM).

The Proposed Sieve Method for PLE
We focus on a special case of the PLE problem: the preimages of the central map S are easy to determine. Namely, we are given two nonlinear polynomial maps S and P defined on F_q^n, together with an efficient algorithm A that computes the preimages of the central map S. We want to find an invertible matrix M ∈ GL(F_q, n) such that

$$P(\mathbf{x}) = S(\mathbf{x}M), \qquad (1)$$

that is, each coordinate polynomial of P evaluated at x equals the corresponding coordinate polynomial of S evaluated at xM.

3.1. Case of S Being Injective.
If S is an easy-to-invert injective polynomial map, the PLE problem turns out to be very easy. We randomly choose n linearly independent row vectors x_1, ..., x_n ∈ F_q^n and denote the matrix whose rows are these n vectors as

$$X = \begin{pmatrix} \mathbf{x}_1 \\ \vdots \\ \mathbf{x}_n \end{pmatrix}. \qquad (2)$$

For each row vector x among x_1, ..., x_n, we compute P(x). Note that P(x) = S(xM), so y = xM is a solution to the system of equations S(y) = P(x). Further noting that S is an easy-to-invert injective polynomial map, we conclude that y = xM is the unique solution to S(y) = P(x). So we can apply the algorithm A to determine this unique solution. We denote the matrix whose rows are the n resulting vectors y_1, ..., y_n ∈ F_q^n as

$$Y = \begin{pmatrix} \mathbf{y}_1 \\ \vdots \\ \mathbf{y}_n \end{pmatrix}. \qquad (3)$$

Rewriting the n equations y = xM (one for each row of X) in matrix form gives Y = XM, from which we immediately get M = X^{-1}Y.
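The injective-case procedure above (choose an invertible X, invert S on each P(x), then M = X^{-1}Y), as an added example that is not the paper's own code: it runs on a constructed toy instance over F_5 with n = 3 and the central map S(y) = (y_1^3, ..., y_n^3), which is injective because t ↦ t^3 permutes F_5; the hidden matrix, the seed and the function names are assumptions.

```python
import random

q = 5   # field order; the paper requires q > 2
n = 3   # number of variables (toy size, constructed here)

def S(y):
    # Constructed central map S(y) = (y_1^3, ..., y_n^3) over F_5. Because
    # gcd(3, q-1) = 1, t -> t^3 permutes F_5, so S is injective and nonlinear.
    return tuple(pow(t, 3, q) for t in y)

def S_inv(b):
    # Plays the role of the paper's algorithm A: the unique preimage of b.
    # On F_5 the inverse of t -> t^3 is t -> t^3 again, as 3*3 = 1 (mod q-1).
    return tuple(pow(t, 3, q) for t in b)

def vec_mat(x, M):
    # Row vector times matrix over F_q, matching the paper's xM convention.
    return tuple(sum(x[i] * M[i][j] for i in range(n)) % q for j in range(n))

def inverse_mod(M):
    # Gauss-Jordan inversion over F_q; returns None if M is singular.
    A = [list(M[i]) + [int(i == j) for j in range(n)] for i in range(n)]
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c]), None)
        if p is None:
            return None
        A[c], A[p] = A[p], A[c]
        inv = pow(A[c][c], -1, q)
        A[c] = [v * inv % q for v in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [(a - f * b) % q for a, b in zip(A[r], A[c])]
    return [tuple(row[n:]) for row in A]

def random_invertible(rng):
    # Random n x n matrix over F_q; its rows are n linearly independent vectors.
    while True:
        X = [tuple(rng.randrange(q) for _ in range(n)) for _ in range(n)]
        if inverse_mod(X) is not None:
            return X

def solve_ple(P, rng):
    # Section 3.1: rows of X are x_1..x_n; y_i = S^{-1}(P(x_i)) = x_i M since
    # S is injective; then Y = XM gives M = X^{-1} Y.
    X = random_invertible(rng)
    Y = [S_inv(P(x)) for x in X]
    return [vec_mat(row, Y) for row in inverse_mod(X)]

def recovers_hidden_matrix(seed=1):
    # Build a PLE instance P = S o L from a hidden M and check full recovery.
    rng = random.Random(seed)
    M_secret = random_invertible(rng)
    P = lambda x: S(vec_mat(x, M_secret))
    return solve_ple(P, rng) == M_secret
```

Because S is injective, M is uniquely determined by P, so the recovered matrix equals the hidden one exactly; this is why an injective central map offers no protection against key recovery in this setting.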

General Case.
We consider a more general case; namely, S is an easy-to-invert but noninjective polynomial map.

Basic Idea.
The basic idea of the sieve method for solving the PLE problem is as follows. Firstly, randomly choose n linearly independent row vectors x_1, ..., x_n ∈ F_q^n and compute P(x) for each of them. Note that the system of nonlinear equations S(y) = P(x) must have at least one solution, namely y = xM, since S(xM) = P(x). Secondly, apply the algorithm A to obtain the nonempty solution set S^{-1}(P(x)) of S(y) = P(x). However, since the central map S is not injective, the solution set S^{-1}(P(x)) may contain solutions other than the targeted one y = xM. We are only interested in the targeted solution y = xM and want to develop a method to pick it out from all the solutions in S^{-1}(P(x)). If for each of x_1, ..., x_n we can determine the corresponding targeted solution, we denote the matrices whose rows are these x vectors and the corresponding y vectors as X and Y, respectively, and, as in Section 3.1, we solve the PLE problem just by computing M = X^{-1}Y. In what follows, we design three types of sieves, called the multiplicative sieve, the differential sieve, and the additive sieve. When the three sieves are applied to S^{-1}(P(x)), we hope that the targeted solution y = xM passes the sieves, while as many as possible of the other, useless solutions in S^{-1}(P(x)) are filtered out. We now discuss some properties of the PLE problem.

Sieve Strategies.
Let x_1, ..., x_n ∈ F_q^n be n linearly independent row vectors, let S^{-1}(P(x)) be the set of solutions to S(y) = P(x) for each such x, and let y = xM ∈ S^{-1}(P(x)) be the targeted solution. We have the following results.
The Multiplicative Strategy theorem yields a method to sieve out some useless vectors from a set of vectors containing the targeted vector y = xM. More precisely, let a subset of S^{-1}(P(x)) containing the targeted vector y = xM be given. The multiplicative sieve algorithm MulSieve given in Algorithm 1 takes F_q, S, P, x, and this subset as input and outputs a subset of it. From the proof of the Multiplicative Strategy theorem, we know that the targeted vector y = xM passes the multiplicative sieve, so the set output by MulSieve is not empty. We note that if S, and hence P, consists of homogeneous polynomials, all the preimages in the input set pass the multiplicative sieve, so in this case the output set equals the input set. In general, S is not homogeneous, and the multiplicative sieve can sieve out some of the preimages.
From the proof of the Additive Strategy theorem, we know that the two targeted vectors (each of the form y = xM) pass the additive sieve, so neither of the two sets output by AddSieve is empty.
In lines 6–8 of Algorithm 2, if a candidate vector has already been put into the corresponding output set, the algorithm does nothing.
The Differential Strategy theorem yields another sieve method, the differential sieve DifSieve in Algorithm 3. The input of DifSieve consists of F_q, S, P, x, and a subset of S^{-1}(P(x)) containing the targeted vector y = xM. The output of DifSieve is a nonempty subset of the input set. From the proof of the Differential Strategy theorem, we know that the targeted vector y = xM passes the differential sieve, so the set output by DifSieve is nonempty.

The Sieve Method.
We elaborate on the sieve algorithm SieAlg for solving the PLE problem in Algorithm 4. The input of the sieve algorithm contains the description of the finite field F_q and two multivariate nonlinear polynomial