On the Security of HFE, HFEv- and Quartz - PowerPoint PPT Presentation

About This Presentation
Title:

On the Security of HFE, HFEv- and Quartz

Description:

On the Security of HFE, HFEv- and Quartz Nicolas T. Courtois Magnus Daum Patrick Felke – PowerPoint PPT presentation

Number of Views:61
Avg rating:3.0/5.0
Slides: 28
Provided by: Magn113
Category:

less

Transcript and Presenter's Notes

Title: On the Security of HFE, HFEv- and Quartz


1
On the Security of HFE, HFEv- and Quartz
  • Nicolas T. Courtois Magnus Daum Patrick Felke

2
Overview
  • HFE Hidden Field Equations
  • Solving HFE systems with Gröbner Bases
    Algorithms
  • Simulations
  • Conclusion
  • Basic HFE
  • Signing/Verifying with HFE
  • Perturbations
  • Parameters

3
HFEHidden Field Equations
4
Basic HFE
one-way trapdoor function
Trapdoor
5
Basic HFE Example
6
Basic HFE Example
7
Basic HFE Example
Verifying
P(S) M ?
8
Basic HFE Example
Signing
9
Perturbations
10
Perturbations
  • Little changes on the multivariate side of the
    cryptosystem which are used to hide the
    underlying algebraic structure
  • e.g. - (i.e. removing polynomials)

Public Key
11
Perturbations
  • Little changes on the multivariate side of the
    cryptosystem which are used to hide the
    underlying algebraic structure
  • e.g. v (i.e. adding variables)

Public Key
(after mixing with S and T)
12
Perturbations
  • Other perturbations
  • Adding random polynomials ()
  • Fixing some variables (f )
  • Perturbations can be combined (e.g. to HFEv-
    systems)
  • Perturbated systems are claimed to be more secure
  • Quartz, Flash, SFlash are all perturbated HFE
    systems

13
Parameters
perturbations and secret key
  • q size of smaller finite field K
  • h extension degree of L (i.e. Lqh)
  • d degree of hidden polynomial ?
  • number of added/removed
    polynomials/unknowns

14
Overview
  • General Approach with Buchberger Algorithm
  • Characteristics of HFE systems
  • Faugères Attack on HFE Challenge 1
  • What is HFE?
  • Solving HFE systems with Gröbner Bases
    Algorithms
  • Simulations
  • Conclusion

15
General Approach Example
Signing
16
General Approach Example
17
General Approach
  • exponential worst case complexity in general
  • ) only feasible for very few unknowns
  • HFE systems are special
  • very small finite field
  • quadratic polynomials
  • solutions in the base field Fq

18
General Approach Example
  • Advantages
  • we compute only information we need
  • degree of polynomials involved in this
    computation is bounded

19
General Approach
  • exponential worst case complexity in general
  • ) only feasible for very few unknowns
  • But HFE systems are special
  • ! Optimized variants of Buchberger algorithm
    might be able to solve Basic HFE systems
  • very small finite field
  • quadratic polynomials
  • solutions in the base field Fq
  • hidden polynomial

20
General Approach
  • Best known Attack on Basic HFE
  • Faugères Algorithm F5/2 (April 2002)
  • succesfully attacked HFE challenge 1 (h80,
    d96) in 96h on 833 MHz Alpha workstation
  • On perturbated HFE systems
  • No feasible attacks known yet
  • Algorithms like F5/2 can be applied to such
    systems
  • Complexity is not known

21
Overview
  • What to measure?
  • Special Case of Signing
  • Results
  • What is HFE?
  • Solving HFE systems with Gröbner Bases
    Algorithms
  • Simulations
  • Conclusion

22
Simulations
  • in SINGULAR using the stdfglm function
  • Parameters
  • finite field K F2
  • h 2 15,19,21
  • HFE systems with d 2 5,9,17 and randomly
    generated quadratic systems
  • Signing
  • Perturbations v and -( removed 0 to 3
    polynomials and and added 0 to 5
    unknowns)

23
What to measure?
  • How well can the trapdoor be hidden by applying
    perturbations?
  • How much can perturbations ensure that an HFE
    system with a trapdoor seems to be a random
    system (without a trapdoor)?
  • 0 R 1
  • Randomness Security

24
Special Case of Signing
  • Each solution of a given HFE system is a valid
    signature
  • ! it suffices to find one solution
  • Gröbner bases algorithms give all solutions at
    the same time
  • Complexity seems to grow with increasing number
    of solutions
  • - and v increase number of solutions

25
Special Case of Signing
  • ! decrease number of solutions
  • Fix some variables, such that the expected number
    of solutions of the system is 1
  • Try to solve the resulting system
  • If it was not solvable, repeat this until a
    solution is found

26
Experimental Results
h15, d5, q2
27
Experimental Results
  • R depends mainly on the total number vr of
    applied perturbations
  • - may even decrease the total time
  • ! use more v
  • d very small, i.e. Rltlt1vr perturbations make
    the complexity increase by a factor of about qvr
  • The smaller R is, the stronger is the effect of
    the perturbations

28
Conclusion
  • HFE can be attacked with Gröbner bases algorithms
  • Complexity is very high
  • and can be increased by applying perturbations
  • In Quartz better take d257 (instead of 129) but
    that slows down Quartz

29
Thank you!Questions ?
Write a Comment
User Comments (0)
About PowerShow.com