A Ciphertext-Only Attack on Polly Two

Algebraic Methods in Cryptography 2005

1
A Ciphertext-Only Attack on Polly Two
  • Rainer Steinwandt

(Florida Atlantic University)
2
Polly Cracker
  • Conceptual public key encryption scheme
    introduced by Fellows and Koblitz (94)
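  • Basic idea: over $\mathbb{F}_q[x] = \mathbb{F}_q[x_1, \dots, x_n]$
  • Public key: finite basis of ideal $I \subseteq \mathbb{F}_q[x]$
  • Secret key: common root $? \in V(I)$
  • Encrypting $m \in \mathbb{F}_q$: choose representative of $m + I$
  • Decrypting $c \in \mathbb{F}_q[x]$: evaluate c at ?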
  • Can we get an encryption scheme out of this?

3
Security of Polly Cracker
  • Polly Cracker is by definition homomorphic $\Rightarrow$ we
    can't expect IND-CCA
  • (S., Geiselmann: CCA easily reveals ?)
  • IND-CPA has not been achieved so far
  • no security proofs for encryption, various
    successful attacks, e.g.,
  • intelligent linear algebra (Lenstra)
  • differential attack (Hofheinz, S.)
  • improved diff. attack (Levy-dit-Vehel,
    Perret)
  • Can we obtain an efficient heuristic scheme?
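
An added toy illustration (not code from the talk) of the Polly Cracker idea from slide 2 and of the homomorphic property noted on slide 3: sums and products of ciphertexts decrypt to sums and products of plaintexts. The key generation used here (random polynomials shifted so that they vanish at the root) and all function names are assumptions made for the example and offer no security.

```python
import random

Q, N = 223, 4            # q and n of the challenge example; the rest is a toy
ONE = (0,) * N           # exponent vector of the constant monomial

def p_add(a, b):
    out = dict(a)
    for mono, coef in b.items():
        out[mono] = (out.get(mono, 0) + coef) % Q
    return {m: c for m, c in out.items() if c}

def p_mul(a, b):
    out = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            mono = tuple(x + y for x, y in zip(ma, mb))
            out[mono] = (out.get(mono, 0) + ca * cb) % Q
    return {m: c for m, c in out.items() if c}

def p_eval(p, point):
    total = 0
    for mono, coef in p.items():
        for x, e in zip(point, mono):
            coef = coef * pow(x, e, Q) % Q
        total = (total + coef) % Q
    return total

def rand_poly(rng, terms=3, max_exp=3):
    return {tuple(rng.randrange(max_exp + 1) for _ in range(N)): rng.randrange(1, Q)
            for _ in range(terms)}

def keygen(rng, size=3):
    """Secret root plus a basis of polynomials p - p(root) vanishing at it."""
    root = tuple(rng.randrange(Q) for _ in range(N))
    basis = []
    for _ in range(size):
        p = rand_poly(rng)
        basis.append(p_add(p, {ONE: -p_eval(p, root) % Q}))
    return basis, root

def encrypt(m, basis, rng):
    """Representative of m + I: m plus a random combination of the basis."""
    c = {ONE: m % Q}
    for f in basis:
        c = p_add(c, p_mul(rand_poly(rng), f))
    return c

def decrypt(c, root):
    return p_eval(c, root)
```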

4
A Proposal Resistant to Lin. Alg.
  • Levy-dit-Vehel, Perret 04
  • Reasonably efficient Polly Cracker system based
    on 3-SAT
  • elaborate key generation
  • encryption procedure designed to resist
    intelligent linear algebra attack,
  • but the authors note that
  • "the attack and the improvement we have
    described apply to our system too."

5
Polly Two
  • Ly (02) proposes a new related scheme
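  • Domain parameters $g_1, \dots, g_t \in \mathbb{F}_q[x]$ s.t. kernel of
    $f: \mathbb{F}_q[y] \to \mathbb{F}_q[x]$, $y_i \mapsto g_i$,
    can be computed easily (syzygies of the $g_i$)
  • Public key: sparse generators of $I \subseteq \mathbb{F}_q[y]$
  • Secret key: $? \in \mathbb{F}_q^n$ with $(g_i(?))_i \in V(I)$ and
    $(g_1 \cdots g_t)(?) \neq 0$

Challenge example: $n = 4$, $t = 11$, $q = 223$, $\mathrm{tdeg}(g_i) = 2$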
6
Polly Two (cont'd)
  • Encrypting $m \in \mathbb{F}_q$ with public basis $f_1, \dots, f_s$:
  • 1. Fix random $h_i = a_i y^{?_i}$ with monomials in
    $c = \sum h_i f_i$ getting canceled.
  • 2. For each monomial of c find a ker(f)-element
    canceling it. In ccr (with $r \in \ker(f)$)
    none of c's monomials should occur.
  • 3. Choose monomial $y^{?}$ in c to get ciphertext
    c(cmy?, ?)
  • Decryption: evaluate at g(?), divide by g(?)?

7
Design Rationale
  • sparse high-degree public polynomials impede
    direct Gröbner basis computation
  • (cf. ENROOT)
  • addition of ker(f)-element hampers linear algebra
    attack
  • message expansion more or less acceptable
  • promising proposal to dodge known attacks
  • is the list complete? Grassl, S. 04:
    low-degree elements in the radical of the public ideal
    allow solving the 1st challenge

8
Challenge 2
  • Domain param.: 11 quadratic binomials
    over $\mathbb{F}_{223}$
  • Public basis: 4 trinomials, total deg. 128,
    11 indeterminates
  • Ciphertext c: 126 terms, total deg. 256
  • (intermediate ciphertext c: 6 terms)
  • Goal of attack: reconstruct encryption step
  • no recovery of secret (or equivalent) key

9
Recovering the ker(f)-Part
  • All terms of the ker(f)-elements canceling
    terms in $\sum h_i f_i$ should occur in c, up to
    the canceled term
    (- a term involving $y^{?}$)
  • omit $y^{?}$ term from ciphertext c
  • identify terms of the 6 ker(f)-elements
  • How can we find the terms of a syzygy?

10
Choice of ker(f)-Polynomials
  • Likely construction for ker(f)-elements used in
    encryption: multiply low-degree syzygy with a
    term $a y^{?}$
  • fix a term $\beta y^{s}$ of the $y^{?}$-free ciphertext c and
    compute the multiset
    $\{\gcd(y^{s}, y^{p}) : y^{p} \neq y^{s}$ a monomial in c$\}$
  • high multiplicity (say > 10) yields $y^{?}$-candidate
  • Challenge: 137 candidates for $y^{?}$,
    only 22 after
    removing multiples

11
Finding the Terms of a Syzygy
  • Given a $y^{?}$-candidate, we can find the terms
    $\{\beta y^{s} : \beta y^{s}$ is a term of c divisible by
    $y^{?}\}$.
  • summing (almost) all of them up should yield a
    ker(f)-element up to one term.
  • How can we check whether a polynomial is
    a "syzygy up to one term"?
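
The gcd heuristic of slide 10 and the term collection of slide 11, as an added Python illustration that is not part of the talk. The five-variable support, the hidden multiplier and all names are constructed for the example; the planted set only mimics the monomial pattern of a low-degree syzygy multiplied by one monomial.

```python
from collections import Counter
from itertools import combinations_with_replacement

T = 5  # toy number of indeterminates y1..y5 (the challenge has 11)

def shift(u, e):
    """Exponent vector of y^u * y^e."""
    return tuple(a + b for a, b in zip(u, e))

def mono_gcd(s, p):
    """gcd of two monomials = componentwise minimum of exponents."""
    return tuple(min(a, b) for a, b in zip(s, p))

def gcd_multiset(s, monomials):
    """Multiset { gcd(y^s, y^p) : y^p != y^s a monomial of c }."""
    return Counter(mono_gcd(s, p) for p in monomials if p != s)

def candidates(monomials, threshold=10):
    """gcd values with multiplicity > threshold for some fixed term y^s."""
    found = set()
    for s in monomials:
        counts = gcd_multiset(s, monomials)
        found |= {g for g, k in counts.items() if k > threshold}
    return found

def terms_divisible_by(u, monomials):
    """Slide 11: the terms of c divisible by the candidate monomial."""
    return {p for p in monomials if all(a <= b for a, b in zip(u, p))}

# --- constructed sample (supports only; coefficients play no role here) ---
# Stand-in for a low-degree syzygy: y1^2 plus all monomials of degree 1 and 2
# in y2..y5, i.e. 1 + 4 + 10 = 15 terms.
LOW = [(2, 0, 0, 0, 0)]
for deg in (1, 2):
    for combo in combinations_with_replacement(range(1, T), deg):
        LOW.append(tuple(combo.count(i) for i in range(T)))
HIDDEN = (5, 3, 0, 7, 1)                      # the multiplier to be recovered
PLANTED = {shift(HIDDEN, e) for e in LOW}
# Unrelated terms; their y1-exponent stays below 5, so HIDDEN divides none.
NOISE = {(k % 5, 3 * k % 11, 2 * k % 7, k * k % 13, 5 * k % 9)
         for k in range(1, 21)}
C_SUPPORT = PLANTED | NOISE
S0 = shift(HIDDEN, LOW[0])                    # the fixed term y^s
```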

12
Validating an Almost Syzygy r
  • in principle: evaluate r at g(x),
    check whether $r(g_1(x), \dots, g_t(x))$ is
    (up to a const.) a power product of the $g_i$
  • in practice: specialize some $x_j$'s to
    constants before trial division.
  • In this way we find the missing term, too
    (can validate through repeated evaluation).

13
Indeed It Works
  • Applying the idea to the challenge:
  • Candidate term sets have 20 terms
  • adding one of these sets up yields 1st syzygy
  • subtract syzygy from c, iterate
  • Five syzygies can be found easily, leaving us
    with a simplified c consisting of 27 terms.

14
Recovering the Secret Terms $h_i$
  • Tempting: apply differential attack of
    Hofheinz and S. to simplified c
  • yields only one term $h_2$
  • but a simple approach turns out to suffice
  • Remaining public key polynomials contain term
    with only two multiples in simplified c.
  • recovery of all secret terms $h_i$

15
Getting the Plaintext
  • Subtracting $\sum h_i f_i$ + found ker(f)-part from the
    ciphertext yields a (short) polynomial that, up to
    the term $-m y^{?}$, is a syzygy.
  • Complete missing term as before to get m.
  • Plaintext underlying the example: 308834

16
Conclusion?
  • Ample evidence that present form of
    Polly Two not cryptographically secure.
  • Do we want Polly Two with a longer list ,
    linear algebra, differential attack, small degree
    in radical, this attack?
  • Need the assumptions underlying the encryption
    algorithm to be clarified?

17
Stronger Attacks?
  • Design of encryption algorithm
  • hide $c = \sum h_i f_i$ (by adding a syzygy)
  • This attack: playing with terms reveals c
  • Better approaches, e.g., interpolation?
  • c: sparse multivariate polynomial over $\mathbb{F}_q$
  • terms in c can be guessed
  • bounding tdeg(c) not implausible

18
Sparse Interpolation?
  • Evaluation of cmy?
    possible on the variety parameterized by
    the domain parameters $g_1, \dots, g_t$.
  • Question:
    Under which assumptions is this kind of
    interpolation problem feasible?