On the Security of HFE, HFEv and Quartz - PowerPoint PPT Presentation

Nicolas T. Courtois Magnus Daum Patrick Felke. This talk is supported by STORK. What is HFE? ... Little changes on the multivariate side of the cryptosystem ... – PowerPoint PPT presentation

Slides: 27

Transcript and Presenter's Notes

1
On the Security of HFE, HFEv- and Quartz
  • Nicolas T. Courtois Magnus Daum Patrick Felke

This talk is supported by STORK
2
Overview
  • What is HFE?
  • Solving HFE systems with Gröbner Bases
    Algorithms
  • Results from Simulations
  • Conclusion

3
What is HFE?
4
Basic HFE Example
5
Basic HFE Example
6
Basic HFE Example
Verifying
7
Basic HFE Example
Signing
8
Perturbations
  • Little changes on the multivariate side of the
    cryptosystem which are used to hide the
    underlying algebraic structure
  • e.g. - (i.e. removing polynomials)

Public Key
9
Perturbations
  • Little changes on the multivariate side of the
    cryptosystem which are used to hide the
    underlying algebraic structure
  • e.g. v (i.e. adding variables)

Public Key
(after mixing with S and T)
10
Perturbations
  • Little changes on the multivariate side of the
    cryptosystem which are used to hide the
    underlying algebraic structure
  • Perturbations can be combined, e.g. to HFEv-
    systems
  • Quartz is a special instance of an HFEv- system

11
Parameters of HFEv-
  • q: size of the smaller finite field K
  • h: extension degree of L (i.e. |L| = q^h)
  • d: degree of hidden polynomial ?
  • r: number of removed equations (-)
  • v: number of added variables (v)
  • m = h - r: number of equations in the public key
  • n = h + v: number of variables in the public key

12
Overview
  • General Approach with Buchberger Algorithm
  • Characteristics of HFE systems
  • Faugère's Attack on HFE Challenge 1
  • What is HFE?
  • Solving HFE systems with Gröbner Bases
    Algorithms
  • Results from Simulations
  • Conclusion

13
General Approach
14
General Approach Example
Signing
15
General Approach Example
16
General Approach Example
  • Advantages
  • we compute only information we need
  • degree of polynomials involved in this
    computation is bounded

17
General Approach
  • In general Buchberger algorithm has exponential
    worst case complexity
  • ⇒ only feasible for very few unknowns
  • But HFE systems are special
  • ⇒ Optimized variants of Buchberger algorithm
    might be able to solve Basic HFE systems
  • very small finite field
  • quadratic polynomials
  • solutions in the base field Fq
  • hidden polynomial

18
General Approach
  • Best known Attack on Basic HFE
  • Faugère's Algorithm F5/2 (April 2002)
  • successfully attacked HFE Challenge 1 (n = 80,
    d = 96) in 96 h on an 833 MHz Alpha workstation
  • On perturbated HFE systems
  • No feasible attacks known, but
  • e.g. F5/2 can be applied to such systems
  • Complexity is not known

19
Simulations
20
Simulations
  • simulations were done in SINGULAR using the
    stdfglm function
  • Parameters
  • Finite Field K with
  • HFE systems withand systems of random quadratic
    equations
  • both with ,
  • equations
  • unknowns

21
Improvements
  • A perturbated system consists of
  • equations and unknowns.
  • The following steps speed up the computations
  • Fix variables with
    values not chosen before. Apply stdfglm to the
    resulting system.
  • If the resulting system has no solution, repeat
    the above step until the resulting system has a
    solution.

22
Improvements
  • Number of tries is 1.6 on average.
  • For our experiments we define
  • Usually we have
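
The retry loop from the two Improvements slides, as an added Python example (not the authors' SINGULAR code): it fixes the surplus variables of a random quadratic system over GF(2), solves the remaining square system, and counts the tries. Assumptions: the number of fixed variables is n − m (the slide's own count did not survive in the transcript), exhaustive search stands in for stdfglm, and the function names and toy sizes m = 6, n = 10 are illustrative.

```python
import itertools
import random

def random_mq(m, n, rng):
    """m random quadratic polynomials over GF(2) in n variables (constructed sample)."""
    # Pair (i, j) with i < j is x_i*x_j; (i, i) is the linear term x_i (x^2 = x in GF(2)).
    monos = [(i, j) for i in range(n) for j in range(i, n)]
    return [[mono for mono in monos if rng.getrandbits(1)] for _ in range(m)]

def evaluate(poly, x):
    """Value of one polynomial (list of monomial index pairs) at the bit tuple x."""
    return sum(x[i] & x[j] for i, j in poly) & 1

def forge(system, target, n, rng):
    """Find x in GF(2)^n with system(x) == target; return (x, number of tries)."""
    m = len(system)
    extra = n - m  # assumption: fix n - m variables to obtain a square system
    guesses = list(itertools.product((0, 1), repeat=extra))
    rng.shuffle(guesses)  # every guess is a value "not chosen before"
    for tries, guess in enumerate(guesses, start=1):
        # Exhaustive search over the m free variables stands in for stdfglm.
        for head in itertools.product((0, 1), repeat=m):
            x = head + guess
            if all(evaluate(p, x) == t for p, t in zip(system, target)):
                return x, tries
    return None, len(guesses)

def average_tries(m, n, trials, seed):
    """Mean number of variable fixings needed over random systems and targets."""
    rng = random.Random(seed)
    counts = []
    for _ in range(trials):
        system = random_mq(m, n, rng)
        target = tuple(rng.getrandbits(1) for _ in range(m))
        x, tries = forge(system, target, n, rng)
        if x is not None:
            counts.append(tries)
    return sum(counts) / len(counts)

if __name__ == "__main__":
    print(average_tries(m=6, n=10, trials=300, seed=2002))
```

A random square system has at least one solution with probability about 1 − 1/e ≈ 0.63, so the expected number of tries is about 1.58, in line with the 1.6 reported on the slide.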

23
What to Measure?
  • Forging a signature of an HFEv- system means to
    solve a system of m quadratic equations in n
    unknowns, i.e. to solve an instance of the
    MQ-Problem.
  • The MQ-Problem seems to be hard on average.
  • A randomly chosen system is hard to
    solve.
  • Randomness Security
  • We define (randomness) .
  • is the value of T obtained for
    random systems of quadratic equations.

24
Experimental Results
h = 15, d = 5, q = 2
25
Experimental Results
  • R depends mainly on the total number v + r of
    perturbations.
  • - may decrease the total time.
  • Use more v.
  • If , for an unperturbated
    HFE-system, then
  • The more , the more is the increase
    in the relative security when v + r is
    increased.
  • e.g. if , d the degree of the HFE
    polynomial, is small compared to h as in case of
    Quartz.

26
Conclusions for Quartz
  • Faugère's attack computes a Gröbner basis,
  • so applying our results to his attack gives
  • For Quartz with d = 129 and v + r = 7 his attack will
  • probably need
    .
  • For Quartz with d = 257 we estimate a complexity
    of

27
Conclusions for Quartz
  • The parameter d of Quartz probably needs to be
    increased from d = 129 to d = 257.
  • Signatures with Quartz will then take 6 seconds
    on average (on a PC with 2 GHz).
  • Compared to other schemes slowness is
    currently the price to pay for short signatures.